Security group rule without description
This product is not supported for your selected
Datadog site. (
).
Id: cb3f5ed6-0d18-40de-a93d-b3538db31e8c
Cloud Provider: aws
Framework: Terraform
Severity: Info
Category: Best Practices
Learn More
Description
It is a best practice for AWS security groups to include a meaningful description
attribute in their Terraform configuration, such as in the following example:
description = "Allow TLS inbound traffic"
Omitting the description field, as shown below, can lead to confusion and hinder effective management or auditing of security groups, especially in environments with many resources:
resource "aws_security_group" "allow_tls" {
name = "allow_tls"
vpc_id = aws_vpc.main.id
// missing description
...
}
Without clear descriptions, security teams may struggle to quickly identify the purpose of a group, increasing the risk of misconfigurations and delayed incident response.
Compliant Code Examples
resource "aws_security_group" "allow_tls" {
name = "allow_tls"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [aws_vpc.main.cidr_block]
ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
}
tags = {
Name = "allow_tls"
}
}
Non-Compliant Code Examples
resource "aws_security_group" "allow_tls" {
name = "allow_tls"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [aws_vpc.main.cidr_block]
ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
}
tags = {
Name = "allow_tls"
}
}