--- title: Sensitive port is exposed to wide private network description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Sensitive port is exposed to wide private network --- # Sensitive port is exposed to wide private network {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-sensitive-port-is-exposed-to-wide-private-network` **Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) ### Description{% #description %} Leaving sensitive ports such as port 23 (Telnet) or port 110 (POP3) open to a wide private network via insecure security group rules can expose resources to unnecessary risk, as these ports are frequently targeted by attackers seeking to exploit legacy or weakly protected protocols. In Terraform, a misconfiguration, as in the example below, makes internal resources within the VPC accessible to all hosts in the private address range, greatly increasing the attack surface if any host in that range is compromised. : ``` ingress { from_port = 23 to_port = 23 protocol = "tcp" cidr_blocks = ["10.0.0.0/8"] } ``` Restricting access to only necessary subnets and ports significantly reduces the risk of lateral movement and unauthorized access within your network: ``` ingress { from_port = 2383 to_port = 2383 protocol = "tcp" cidr_blocks = [aws_vpc.main.cidr_block] } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_security_group" "negative1" { name = "allow_tls1" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 2383 to_port = 2383 protocol = "tcp" cidr_blocks = [aws_vpc.main.cidr_block] } } ``` ```terraform resource "aws_security_group" "negative2" { name = "allow_tls2" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 2384 to_port = 2386 protocol = "tcp" cidr_blocks = ["/0"] } } ``` ```terraform resource "aws_security_group" "negative3" { name = "allow_tls3" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 25 to_port = 2500 protocol = "tcp" cidr_blocks = ["1.2.3.4/0"] } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_security_group" "positive1" { name = "allow_tls1" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 2200 to_port = 2500 protocol = "-1" cidr_blocks = ["10.0.0.0/8"] } } ``` ```terraform resource "aws_security_group" "positive2" { name = "allow_tls2" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 20 to_port = 60 protocol = "tcp" cidr_blocks = ["192.168.0.0/16"] } } ``` ```terraform resource "aws_security_group" "positive3" { name = "allow_tls3" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.main.id ingress { description = "TLS from VPC" from_port = 5000 to_port = 6000 protocol = "-1" cidr_blocks = ["172.16.0.0/12"] } } ```