---
title: Security group open to the world
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Security group open to the world
---

# Security group open to the world
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)Framework:cisControl:cis-3.10 
## Goal{% #goal %}

Detect when an AWS security group is opened to the world.

## Strategy{% #strategy %}

Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

- [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html)

This rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:

- `0.0.0.0/0`
- `::/0`

## Triage and response{% #triage-and-response %}

1. Determine who the user was who made this API call.
1. Contact the user and see if this was an API call which was made by the user.
1. If the API call was not made by the user:

- Rotate the user credentials and investigate what other API calls.
- Determine what other API calls the user made which were not made by the user.

## Changelog{% #changelog %}

18 March 2022 - Updated rule query.