For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-unrestricted-security-group-ingress.md. A documentation index is available at /llms.txt.

Unrestricted security group ingress

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-unrestricted-security-group-ingress

Provider: AWS

Platform: Terraform

Severity: High

Category: Networking and Firewall

Learn More

Description

This check identifies AWS security group rules that allow unrestricted inbound traffic from any IP address (0.0.0.0/0 for IPv4 or ::/0 for IPv6). Such configurations create a significant security vulnerability by exposing your resources to potential unauthorized access from anywhere on the internet, increasing the risk of data breaches and attacks.

Restricting inbound traffic to specific, trusted IP addresses, or CIDR ranges is a security best practice that follows the principle of least privilege. Instead of using wide-open rules such as cidr_blocks = ["0.0.0.0/0"], configure your security groups with specific CIDR blocks, as shown in the secure example: cidr_blocks = ["0.0.2.0/0"] or more targeted ranges like corporate IP addresses.

Compliant Code Examples

resource "aws_security_group_rule" "negative1" {
  type              = "ingress"
  from_port         = 3306
  to_port           = 3306
  protocol          = "tcp"
  cidr_blocks       = ["0.0.2.0/0"]
  security_group_id = aws_security_group.default.id
}

resource "aws_security_group" "negative2" {
  ingress {
    from_port         = 3306
    to_port           = 3306
    protocol          = "tcp"
    cidr_blocks       = ["0.0.2.0/0"]
    security_group_id = aws_security_group.default.id
  }
}

resource "aws_security_group" "negative3" {
  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["1.0.0.0/0"]
  }

  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["0.0.1.0/0"]
  }
}

Non-Compliant Code Examples

resource "aws_security_group_rule" "positive1" {
  type              = "ingress"
  from_port         = 3306
  to_port           = 3306
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.default.id
}

module "web_server_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "web-server"
  description = "Security group for web-server with HTTP ports open within VPC"
  vpc_id      = "vpc-12345678"

  ingress_ipv6_cidr_blocks  = ["fc00::/8", "::/0"]
}

resource "aws_security_group" "positive2" {
  ingress {
    from_port         = 3306
    to_port           = 3306
    protocol          = "tcp"
    cidr_blocks       = ["0.0.0.0/0"]
    security_group_id = aws_security_group.default.id
  }
}