CloudFormation Guard rules template for Security Groups
The following rules are included:
# Every AWS::EC2::SecurityGroup declared in the template. Each rule below is
# guarded with `when %sg_resources !empty`, so templates with no security
# group are skipped rather than failed.
let sg_resources = Resources.*[ Type == 'AWS::EC2::SecurityGroup' ]
rule prevent_inbound_access_to_any_ip when %sg_resources !empty {
  # No ingress entry may be sourced from the whole IPv4 (0.0.0.0/0) or IPv6
  # (::/0) internet, whatever the protocol or port. Entries that carry no
  # CidrIp/CidrIpv6 (for example a security-group source) are skipped by the
  # `when ... exists` guards below.
  %sg_resources {
    Properties {
      # Either branch is acceptable; the checks only run when the list exists.
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when CidrIp exists {
            CidrIp != '0.0.0.0/0' <<IPv4 address cannot be 0.0.0.0/0>>
          }
          when CidrIpv6 exists {
            CidrIpv6 != '::/0' <<IPv6 address cannot be ::/0>>
          }
        }
      }
    }
  }
}
rule prevent_outbound_access_to_any_ip when %sg_resources !empty {
  # Every group must declare its egress explicitly, and no egress entry may
  # target the whole IPv4 or IPv6 internet.
  %sg_resources {
    Properties {
      # Unlike the ingress rules, a missing egress list is itself a violation:
      # the message reflects that an undeclared egress list allows everything.
      SecurityGroupEgress exists <<All outbound traffic is allowed.>>
      when SecurityGroupEgress exists {
        SecurityGroupEgress[*] {
          when CidrIp exists {
            CidrIp != '0.0.0.0/0' <<IPv4 address cannot be 0.0.0.0/0>>
          }
          when CidrIpv6 exists {
            CidrIpv6 != '::/0' <<IPv6 address cannot be ::/0>>
          }
        }
      }
    }
  }
}
rule prevent_inbound_access_to_any_ports when %sg_resources !empty {
  # No ingress entry may open every port: neither protocol -1 (all traffic)
  # nor a tcp/udp range of exactly 0-65535. Only that exact range is caught;
  # a range such as 1-65535 passes this rule.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          # Protocol -1 has no port range and admits everything.
          IpProtocol != -1 <<All inbound traffic is allowed.>>
          when IpProtocol in ['tcp', 'udp'] {
            when FromPort == 0 {
              ToPort != 65535 <<All ingress ports should not be open>>
            }
          }
        }
      }
    }
  }
}
rule prevent_outbound_access_to_any_ports when %sg_resources !empty {
  # Egress must be declared explicitly and no egress entry may open every
  # port: neither protocol -1 nor a tcp/udp range of exactly 0-65535.
  %sg_resources {
    Properties {
      # A missing egress list is a violation, as in prevent_outbound_access_to_any_ip.
      SecurityGroupEgress exists <<All outbound traffic is allowed.>>
      when SecurityGroupEgress exists {
        SecurityGroupEgress[*] {
          IpProtocol != -1 <<All outbound traffic is allowed.>>
          when IpProtocol in ['tcp', 'udp'] {
            when FromPort == 0 {
              ToPort != 65535 <<All egress ports are open.>>
            }
          }
        }
      }
    }
  }
}
rule sg_ssh_all when %sg_resources !empty {
  # Flags ingress entries that expose SSH (TCP 22), or all traffic, to the
  # whole IPv4/IPv6 internet. Port matching is by range: any tcp entry whose
  # FromPort..ToPort span covers 22 is checked, not only FromPort == 22.
  # NOTE(review): only IpProtocol == 'tcp' is matched; an entry written with
  # the protocol number instead of 'tcp' would not be checked — confirm.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 22
                 ToPort >= 22 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<SSH open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<SSH open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
rule sg_rdp_all when %sg_resources !empty {
  # Flags ingress entries that expose RDP (TCP 3389), or all traffic, to the
  # whole IPv4/IPv6 internet. Any tcp range covering 3389 is checked.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 3389
                 ToPort >= 3389 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<RDP open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<RDP open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
rule sg_oracle_all when %sg_resources !empty {
  # Flags ingress entries that expose the Oracle ports 1521 or 2483 (TCP), or
  # all traffic, to the whole IPv4/IPv6 internet. Each port is checked
  # against the entry's FromPort..ToPort range independently.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 1521
                 ToPort >= 1521 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Oracle open to IPv6 address ::/0>>
              }
            }
            when FromPort <= 2483
                 ToPort >= 2483 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Oracle open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
rule sg_mysql_all when %sg_resources !empty {
  # Flags ingress entries that expose MySQL (TCP 3306), or all traffic, to
  # the whole IPv4/IPv6 internet. Any tcp range covering 3306 is checked.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 3306
                 ToPort >= 3306 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<MySQL open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<MySQL open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
rule sg_postgres_all when %sg_resources !empty {
  # Flags ingress entries that expose PostgreSQL (TCP 5432), or all traffic,
  # to the whole IPv4/IPv6 internet. Any tcp range covering 5432 is checked.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 5432
                 ToPort >= 5432 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<PostgreSQL open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<PostgreSQL open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
rule sg_redis_all when %sg_resources !empty {
  # Flags ingress entries that expose Redis (TCP 6379), or all traffic, to
  # the whole IPv4/IPv6 internet. Any tcp range covering 6379 is checked.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 6379
                 ToPort >= 6379 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Redis open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Redis open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
rule sg_mongodb_all when %sg_resources !empty {
  # Flags ingress entries that expose the MongoDB ports 27017 or 27018 (TCP),
  # or all traffic, to the whole IPv4/IPv6 internet. Each port is checked
  # against the entry's FromPort..ToPort range independently.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 27017
                 ToPort >= 27017 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<MongoDB open to IPv6 address ::/0>>
              }
            }
            when FromPort <= 27018
                 ToPort >= 27018 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<MongoDB open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
rule sg_cassandra_all when %sg_resources !empty {
  # Flags ingress entries that expose the Cassandra ports 7199, 9160 or 8888
  # (TCP), or all traffic, to the whole IPv4/IPv6 internet. Each port is
  # checked against the entry's FromPort..ToPort range independently.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 7199
                 ToPort >= 7199 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
              }
            }
            when FromPort <= 9160
                 ToPort >= 9160 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
              }
            }
            when FromPort <= 8888
                 ToPort >= 8888 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
rule sg_memcached_all when %sg_resources !empty {
  # Flags ingress entries that expose Memcached (TCP 11211), or all traffic,
  # to the whole IPv4/IPv6 internet. Any tcp range covering 11211 is checked.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          when IpProtocol == -1 {
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
          }
          when IpProtocol == 'tcp' {
            when FromPort <= 11211
                 ToPort >= 11211 {
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Memcached open to IPv4 address 0.0.0.0/0>>
              }
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Memcached open to IPv6 address ::/0>>
              }
            }
          }
        }
      }
    }
  }
}
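rule sg_insecure_ports when %sg_resources !empty {
  # No ingress entry may cover a port used by cleartext or legacy services:
  # 21 (FTP), 23 (Telnet), 80 (HTTP), 389 (LDAP) and 4333 (mSQL). A port is
  # covered when FromPort <= port <= ToPort, so each check passes only when
  # the entry's whole range lies below or above that port. The source is not
  # considered: such an entry fails even with an internal CIDR or group source.
  # NOTE(review): the port checks run for every protocol other than -1, not
  # only tcp/udp; whether that is intended for entries of other protocols,
  # whose FromPort/ToPort do not denote service ports, should be confirmed.
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress[*] {
          # Protocol -1 has no port range and admits everything.
          IpProtocol != -1 <<All inbound ports are open.>>
          when IpProtocol != -1 {
            # Each disjunction carries a message so a failing entry reports
            # which port was exposed, matching the sibling rules' messages.
            FromPort > 21 or ToPort < 21 <<FTP port 21 must not be within the allowed range>>
            FromPort > 23 or ToPort < 23 <<Telnet port 23 must not be within the allowed range>>
            FromPort > 80 or ToPort < 80 <<HTTP port 80 must not be within the allowed range>>
            FromPort > 389 or ToPort < 389 <<LDAP port 389 must not be within the allowed range>>
            FromPort > 4333 or ToPort < 4333 <<mSQL port 4333 must not be within the allowed range>>
          }
        }
      }
    }
  }
}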