Metadata

Id: 1e0ef61b-ad85-4518-a3d3-85eaad164885

Cloud Provider: AWS

Platform: Terraform

Severity: Critical

Category: Networking and Firewall

Description

AWS DB security groups with overly permissive ingress rules (0.0.0.0/0 or ::/0) expose database instances to potential unauthorized access from any IP address on the internet. This critical security vulnerability could lead to data breaches, unauthorized data manipulation, or complete database compromise. Instead of using public CIDR ranges, restrict access to specific IP ranges that require database connectivity.

Insecure example:

resource "aws_db_security_group" "insecure" {
  name = "rds_sg"
  ingress {
    # 0.0.0.0/0 matches every IPv4 address; ::/0 would do the same for IPv6
    cidr = "0.0.0.0/0"
  }
}

Secure example:

resource "aws_db_security_group" "secure" {
  name = "rds_sg"
  ingress {
    # only the address range that actually needs database connectivity
    cidr = "10.0.0.0/25"
  }
}
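The check this rule performs, written out as an added Python example (not Datadog's or KICS's own implementation): it walks Terraform text, collects every `cidr` inside an `aws_db_security_group` block, and flags any CIDR with a /0 prefix, which covers both 0.0.0.0/0 and ::/0. The sample configuration is constructed to mirror the examples above.

```python
import ipaddress
import re

# Constructed sample Terraform, modelled on the page's examples.
SAMPLE_TF = """
resource "aws_db_security_group" "positive1" {
  name = "rds_sg"
  ingress {
    cidr = "0.0.0.0/0"
  }
}

resource "aws_db_security_group" "negative1" {
  name = "rds_sg"
  ingress {
    cidr = "10.0.0.0/25"
  }
}

resource "aws_db_security_group" "v6" {
  name = "rds_sg_v6"
  ingress {
    cidr = "::/0"
  }
}
"""

RESOURCE_RE = re.compile(r'^\s*resource\s+"aws_db_security_group"\s+"([^"]+)"\s*\{')
CIDR_RE = re.compile(r'^\s*cidr\s*=\s*"([^"]+)"')


def is_unrestricted(cidr: str) -> bool:
    """True when the CIDR admits every address (prefix length 0), IPv4 or IPv6."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # unparsable literal: not flagged by this check


def find_open_db_security_groups(tf_text: str) -> list:
    """Return (resource name, cidr) for each unrestricted ingress cidr."""
    findings, current, depth = [], None, 0
    for line in tf_text.splitlines():
        if current is None:
            m = RESOURCE_RE.match(line)
            if m:
                current, depth = m.group(1), 1  # opening brace of the resource
            continue
        m = CIDR_RE.match(line)
        if m and is_unrestricted(m.group(1)):
            findings.append((current, m.group(1)))
        depth += line.count("{") - line.count("}")  # track nested ingress blocks
        if depth <= 0:
            current = None  # resource block closed
    return findings
```

Only quoted CIDR literals are inspected; a `cidr` set from a variable is not resolved by this example.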

Compliant Code Examples

resource "aws_db_security_group" "negative1" {
  name = "rds_sg"

  ingress {
    cidr = "10.0.0.0/25"
  }
}

Non-Compliant Code Examples

resource "aws_db_security_group" "positive1" {
  name = "rds_sg"

  ingress {
    cidr = "0.0.0.0/0"
  }
}