Guided Walkthroughs
Step-by-step configuration wizards for your environment
Dedicated Security Account
AWS Backup Strategy
VPC Connectivity Setup
Automated Patching
All Guides
Guided Walkthroughs
Configuration Packages
AI CloudAdvisor (Beta)
By Implementation
By Service Protected
Reference Guides
Other
Guided Walkthroughs
Configuration Packages
AI CloudAdvisor (Beta)
Configuration Stack0
By Service Protected
By Implementation
Service Control Policies
Config Rules
Auto Remediation Rules
Conformance Packs
Amazon GuardDuty
Amazon Inspector
AWS Security Hub
AWS Network Firewall
Route53 Resolver Security
Amazon Macie
S3 Bucket Policies
CloudWatch Alarms and Event Rules
AWS WAF
AWS Secrets Manager
AWS Systems Manager
Security Groups & NACLs
AWS KMS
AWS SSO
IAM Policies
VPC Endpoint Policies
CloudFormation Guard Rules
Load Balancers
RDS Event Subscriptions
AWS Resource Access Manager (RAM)Reference Guides
Other
CloudFormation Guard Rules
S3 Cloudformation Guard Rules for Security Groups
CloudFormation guard rules template for Security Groups
The following rules are included:
- Do Not Allow Ingress All IPs (0.0.0.0/0)
- Do Not Allow Egress All IPs (0.0.0.0/0)
- Do Not Allow Ingress all Ports
- Do Not Allow Egress all Ports
- Do Not Allow Ingress insecure ports
- Do Not Allow Ingress SSH (TCP/22) All IPs (0.0.0.0/0)
- Do Not Allow Ingress RDP (TCP/3389) All IPs (0.0.0.0/0)
- Do Not Allow Ingress Oracle (TCP/1521,2483) All IPs (0.0.0.0/0)
- Do Not Allow Ingress MySQL (TCP/3306) All IPs (0.0.0.0/0)
- Do Not Allow Ingress PostgreSQL (TCP/5432) All IPs (0.0.0.0/0)
- Do Not Allow Ingress Redis (TCP/6379) All IPs (0.0.0.0/0)
- Do Not Allow Ingress MongoDB (TCP/27107-27018) All IPs (0.0.0.0/0)
- Do Not Allow Ingress Cassandra (TCP/7199,9160,8888) All IPs (0.0.0.0/0)
- Do Not Allow Ingress Memcached (TCP/11211) All IPs (0.0.0.0/0)
CloudFormation Validation Tool: Syntax and Security validation for your templates online
let sg_resources = Resources.*[
Type == "AWS::EC2::SecurityGroup"
]
rule prevent_inbound_access_to_any_ip when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists or
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<IPv4 address cannot be 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<IPv6 address cannot be ::/0>>
}
}
}
}
}
}
rule prevent_outbound_access_to_any_ip when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupEgress exists <<All outbound traffic is allowed.>>
when SecurityGroupEgress exists {
SecurityGroupEgress.* {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<IPv4 address cannot be 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<IPv6 address cannot be ::/0>>
}
}
}
}
}
}
rule prevent_inbound_access_to_any_ports when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists or
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
IpProtocol != -1 <<All inbound traffic is allowed.>>
when IpProtocol in ['tcp', 'udp'] {
when FromPort == 0 {
ToPort != 65535 <<All ingress ports should not be open>>
}
}
}
}
}
}
}
rule prevent_outbound_access_to_any_ports when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupEgress exists <<All outbound traffic is allowed.>>
when SecurityGroupEgress exists {
SecurityGroupEgress.* {
IpProtocol != -1 <<All outbound traffic is allowed.>>
when IpProtocol in ['tcp', 'udp'] {
when FromPort == 0 {
ToPort != 65535 <<All egress ports are open.>>
}
}
}
}
}
}
}
rule sg_ssh_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 22
ToPort >= 22 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<SSH open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<SSH open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_rdp_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 3389
ToPort >= 3389 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<RDP open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<RDP open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_oracle_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 1521
ToPort >= 1521 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<Oracle open to IPv6 address ::/0>>
}
}
when FromPort <= 2483
ToPort >= 2483 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<Oracle open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_mysql_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 3306
ToPort >= 3306 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<MySQL open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<MySQL open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_postgres_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 5432
ToPort >= 5432 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<PostgreSQL open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<PostgreSQL open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_redis_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 6379
ToPort >= 6379 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<Redis open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<Redis open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_mongodb_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 27017
ToPort >= 27017 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<MongoDB open to IPv6 address ::/0>>
}
}
when FromPort <= 27018
ToPort >= 27018 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<MongoDB open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_cassandra_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 7199
ToPort >= 7199 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
}
}
when FromPort <= 9160
ToPort >= 9160 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
}
}
when FromPort <= 8888
ToPort >= 8888 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_memcached_all when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
when IpProtocol == -1 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
}
}
when IpProtocol == 'tcp' {
when FromPort <= 11211
ToPort >= 11211 {
when CidrIp exists {
CidrIp != '0.0.0.0/0' <<Memcached open to IPv4 address 0.0.0.0/0>>
}
when CidrIpv6 exists {
CidrIpv6 != '::/0' <<Memcached open to IPv6 address ::/0>>
}
}
}
}
}
}
}
}
rule sg_insecure_ports when %sg_resources !empty {
%sg_resources {
Properties {
SecurityGroupIngress !exists OR
SecurityGroupIngress exists
when SecurityGroupIngress exists {
SecurityGroupIngress.* {
IpProtocol != -1 <<All inbound ports are open.>>
when IpProtocol != -1 {
FromPort > 21 OR
ToPort < 21
FromPort > 23 OR
ToPort < 23
FromPort > 80 OR
ToPort < 80
FromPort > 389 OR
ToPort < 389
FromPort > 4333 OR
ToPort < 4333
}
}
}
}
}
}
Actions
Customize Template
* Required field
Upgrade to Premium for More Features
Configuration Packages
Pre-built packages for common configuration
Common SCPs
CloudFormation Guard Rules
Auto Remediation Rules
IAM Monitoring & Compliance
All Packages
Automated Assessments
- 350+ security checks
- Well-architected reviews
- Detailed compliance reports
- Remediation templates
- Email summaries
- Learn more