--- title: Security group with unrestricted access to SSH description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Security group with unrestricted access to SSH --- # Security group with unrestricted access to SSH {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-security-group-with-unrestricted-access-to-ssh` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) ### Description{% #description %} This check verifies that AWS security groups do not allow unrestricted inbound access to port 22 (SSH) from the public internet (`cidr_blocks = ["0.0.0.0/0"]`). Allowing public SSH access exposes instances to unauthorized access attempts and automated attacks, increasing the risk of successful brute-force compromises. To mitigate this vulnerability, the `cidr_blocks` attribute in the `ingress` block should be restricted to trusted IP ranges only, as shown below: Insecure configuration: ``` ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ``` Secure configuration: ``` ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["192.120.0.0/16", "75.132.0.0/16"] } ``` If left unaddressed, this misconfiguration can lead to remote attackers gaining entry to instances via SSH, putting sensitive data and critical infrastructure at risk. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_security_group" "negative1" { name = "allow_tls" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["192.120.0.0/16", "75.132.0.0/16"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "allow_tls" } } ``` ```terraform module "vote_service_sg" { source = "terraform-aws-modules/security-group/aws" version = "4.3.0" name = "user-service" description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open" vpc_id = "vpc-12345678" ingress { description = "TLS from VPC" from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["192.120.0.0/16", "75.132.0.0/16"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "allow_tls" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_security_group" "positive1" { name = "allow_tls" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "allow_tls" } } ``` ```terraform resource "aws_security_group" "positive2" { name = "allow_tls" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["192.120.0.0/16", "0.0.0.0/0"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "allow_tls" } } ``` ```terraform module "vote_service_sg" { source = "terraform-aws-modules/security-group/aws" version = "4.3.0" name = "user-service" description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open" vpc_id = "vpc-12345678" ingress { description = "TLS from VPC" from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "allow_tls" } } ```