
S3 CloudFormation Guard Rules for Security Groups

CloudFormation guard rules template for Security Groups

The following rules are included: 

  • Do Not Allow Ingress All IPs (0.0.0.0/0)
  • Do Not Allow Egress All IPs (0.0.0.0/0)
  • Do Not Allow Ingress all Ports
  • Do Not Allow Egress all Ports
  • Do Not Allow Ingress insecure ports
  • Do Not Allow Ingress SSH (TCP/22) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress RDP (TCP/3389) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress Oracle (TCP/1521,2483) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress MySQL (TCP/3306) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress PostgreSQL (TCP/5432) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress Redis (TCP/6379) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress MongoDB (TCP/27017-27018) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress Cassandra (TCP/7199,9160,8888) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress Memcached (TCP/11211) All IPs (0.0.0.0/0)


# Every resource in the template whose Type is AWS::EC2::SecurityGroup.
# Only this resource type is selected: the rules in this file inspect the
# inline SecurityGroupIngress / SecurityGroupEgress properties of these
# groups and do not look at standalone AWS::EC2::SecurityGroupIngress or
# AWS::EC2::SecurityGroupEgress resources.
let sg_resources = Resources.*[
	Type == "AWS::EC2::SecurityGroup"
]

# Inline ingress entries must not be open to every IPv4 (0.0.0.0/0) or IPv6
# (::/0) address. Evaluated only when the template declares at least one
# security group.
rule prevent_inbound_access_to_any_ip when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule still reports a
			# result for a group with no inline ingress instead of being skipped
			# (NOTE(review): confirm against the Guard version in use).
			SecurityGroupIngress !exists or
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				# Each entry is checked only on the CIDR keys it carries; an entry
				# with neither CidrIp nor CidrIpv6 (e.g. one that references a
				# source security group) is not examined by this rule.
				SecurityGroupIngress.* {
					when CidrIp exists {
						CidrIp		!= '0.0.0.0/0' <<IPv4 address cannot be 0.0.0.0/0>>
					}
					when CidrIpv6 exists {
						CidrIpv6	!= '::/0' <<IPv6 address cannot be ::/0>>
					}
				}
			}
		}
	}
}

# Inline egress entries must be declared explicitly and must not be open to
# every IPv4 (0.0.0.0/0) or IPv6 (::/0) address.
rule prevent_outbound_access_to_any_ip when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Unlike the ingress rules, a missing egress list is itself a failure:
			# presumably because a group without SecurityGroupEgress permits all
			# outbound traffic by default (NOTE(review): confirm against the
			# CloudFormation default for this property).
			SecurityGroupEgress exists <<All outbound traffic is allowed.>>

			when SecurityGroupEgress exists {
				# Entries carrying neither CidrIp nor CidrIpv6 are not examined.
				SecurityGroupEgress.* {
					when CidrIp exists {
						CidrIp		!= '0.0.0.0/0' <<IPv4 address cannot be 0.0.0.0/0>>
					}
					when CidrIpv6 exists {
						CidrIpv6	!= '::/0' <<IPv6 address cannot be ::/0>>
					}
				}
			}
		}
	}
}

# Inline ingress entries must not open every port: protocol -1 ("all
# traffic") is rejected outright, and for tcp/udp the exact range 0-65535 is
# rejected.
rule prevent_inbound_access_to_any_ports when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists or
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# Compared against the integer -1. NOTE(review): a template that
					# writes the protocol as the quoted string "-1" may not compare
					# equal to the integer; confirm how the Guard version in use
					# compares the two types.
					IpProtocol != -1 <<All inbound traffic is allowed.>>

					# Only the literal 0-65535 range is rejected for tcp/udp; a range
					# such as 1-65535 passes this rule, and entries with any other
					# IpProtocol value are not port-checked here at all.
					when IpProtocol in ['tcp', 'udp'] {
						when FromPort == 0 {
							ToPort		!= 65535 <<All ingress ports should not be open>>
						}
					}
				}
			}
		}
	}
}

# Inline egress entries must be declared and must not open every port:
# protocol -1 ("all traffic") is rejected outright, and for tcp/udp the exact
# range 0-65535 is rejected.
rule prevent_outbound_access_to_any_ports when %sg_resources !empty {
	%sg_resources {
		Properties {
			# A missing egress list fails the rule (presumably because the
			# CloudFormation default is allow-all outbound; NOTE(review): confirm).
			SecurityGroupEgress exists <<All outbound traffic is allowed.>>

			when SecurityGroupEgress exists {
				SecurityGroupEgress.* {
					# Integer comparison; NOTE(review): a quoted "-1" in the template
					# may not match - confirm the Guard version's type handling.
					IpProtocol != -1 <<All outbound traffic is allowed.>>

					# Only the literal 0-65535 range is rejected for tcp/udp; other
					# wide ranges and other protocol values are not port-checked here.
					when IpProtocol in ['tcp', 'udp'] {
						when FromPort == 0 {
							ToPort		!= 65535 <<All egress ports are open.>>
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose SSH (TCP/22) to every IPv4/IPv6
# address. Two cases are covered: protocol -1 (all traffic, which includes
# port 22) and a tcp entry whose FromPort-ToPort range contains 22.
rule sg_ssh_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# All-traffic entries: an any-IP source is rejected regardless of
					# port. NOTE(review): the literal -1 is an integer; an entry that
					# quotes the protocol as "-1" may not enter this block - confirm.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' protocol name is examined; an entry that
					# spells the protocol numerically (6) is not checked by this rule.
					# Both port conditions must hold, i.e. the range contains 22.
					# Entries without CidrIp/CidrIpv6 are not examined.
					when IpProtocol == 'tcp' {
						when FromPort <= 22 
						ToPort >= 22 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<SSH open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<SSH open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose RDP (TCP/3389) to every IPv4/IPv6
# address: rejects all-traffic (-1) entries and tcp entries whose port range
# contains 3389 when the source is 0.0.0.0/0 or ::/0.
rule sg_rdp_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# Integer compare; NOTE(review): a quoted "-1" may not enter this
					# block - confirm the Guard version's type handling.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' name is examined (a numeric 6 is not).
					# Both port conditions must hold, i.e. the range contains 3389.
					when IpProtocol == 'tcp' {
						when FromPort <= 3389 
						ToPort >= 3389 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<RDP open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<RDP open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose Oracle listeners (TCP/1521, TCP/2483)
# to every IPv4/IPv6 address. The two ports are checked separately, so an
# entry whose range contains either one is rejected.
rule sg_oracle_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# All-traffic entries with an any-IP source are rejected.
					# NOTE(review): integer compare; a quoted "-1" may not match.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' name is examined (a numeric 6 is not).
					when IpProtocol == 'tcp' {
						# Range contains 1521 (both conditions must hold).
						when FromPort <= 1521
						ToPort >= 1521 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Oracle open to IPv6 address ::/0>>
							}
						}

						# Range contains 2483.
						when FromPort <= 2483
						ToPort >= 2483 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Oracle open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose MySQL (TCP/3306) to every IPv4/IPv6
# address: rejects all-traffic (-1) entries and tcp entries whose port range
# contains 3306 when the source is 0.0.0.0/0 or ::/0.
rule sg_mysql_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# Integer compare; NOTE(review): a quoted "-1" may not enter this
					# block - confirm the Guard version's type handling.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' name is examined (a numeric 6 is not).
					# Both port conditions must hold, i.e. the range contains 3306.
					when IpProtocol == 'tcp' {
						when FromPort <= 3306 
						ToPort >= 3306 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<MySQL open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<MySQL open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose PostgreSQL (TCP/5432) to every
# IPv4/IPv6 address: rejects all-traffic (-1) entries and tcp entries whose
# port range contains 5432 when the source is 0.0.0.0/0 or ::/0.
rule sg_postgres_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# Integer compare; NOTE(review): a quoted "-1" may not enter this
					# block - confirm the Guard version's type handling.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' name is examined (a numeric 6 is not).
					# Both port conditions must hold, i.e. the range contains 5432.
					when IpProtocol == 'tcp' {
						when FromPort <= 5432 
						ToPort >= 5432 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<PostgreSQL open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<PostgreSQL open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose Redis (TCP/6379) to every IPv4/IPv6
# address: rejects all-traffic (-1) entries and tcp entries whose port range
# contains 6379 when the source is 0.0.0.0/0 or ::/0.
rule sg_redis_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# Integer compare; NOTE(review): a quoted "-1" may not enter this
					# block - confirm the Guard version's type handling.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' name is examined (a numeric 6 is not).
					# Both port conditions must hold, i.e. the range contains 6379.
					when IpProtocol == 'tcp' {
						when FromPort <= 6379 
						ToPort >= 6379 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Redis open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Redis open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose MongoDB (TCP/27017, TCP/27018) to
# every IPv4/IPv6 address. The two ports are checked separately, so an entry
# whose range contains either one is rejected.
rule sg_mongodb_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# All-traffic entries with an any-IP source are rejected.
					# NOTE(review): integer compare; a quoted "-1" may not match.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' name is examined (a numeric 6 is not).
					when IpProtocol == 'tcp' {
						# Range contains 27017 (both conditions must hold).
						when FromPort <= 27017
						ToPort >= 27017 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<MongoDB open to IPv6 address ::/0>>
							}
						}

						# Range contains 27018.
						when FromPort <= 27018
						ToPort >= 27018 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<MongoDB open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose Cassandra (TCP/7199, TCP/9160,
# TCP/8888) to every IPv4/IPv6 address. The three ports are checked
# separately, so an entry whose range contains any of them is rejected.
rule sg_cassandra_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# All-traffic entries with an any-IP source are rejected.
					# NOTE(review): integer compare; a quoted "-1" may not match.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' name is examined (a numeric 6 is not).
					when IpProtocol == 'tcp' {
						# Range contains 7199 (both conditions must hold).
						when FromPort <= 7199
						ToPort >= 7199 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Cassandra open to IPv6 address ::/0>>
							}
						}

						# Range contains 9160.
						when FromPort <= 9160
						ToPort >= 9160 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Cassandra open to IPv6 address ::/0>>
							}
						}

						# Range contains 8888.
						when FromPort <= 8888
						ToPort >= 8888 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Cassandra open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not expose Memcached (TCP/11211) to every
# IPv4/IPv6 address: rejects all-traffic (-1) entries and tcp entries whose
# port range contains 11211 when the source is 0.0.0.0/0 or ::/0.
rule sg_memcached_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# Integer compare; NOTE(review): a quoted "-1" may not enter this
					# block - confirm the Guard version's type handling.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the literal 'tcp' name is examined (a numeric 6 is not).
					# Both port conditions must hold, i.e. the range contains 11211.
					when IpProtocol == 'tcp' {
						when FromPort <= 11211 
						ToPort >= 11211 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Memcached open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Memcached open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Inline ingress entries must not include any of the listed "insecure" service
# ports, from ANY source: unlike the sg_*_all rules this one never looks at
# CidrIp/CidrIpv6, so an entry limited to an internal range is rejected too.
rule sg_insecure_ports when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always satisfied; presumably kept so the rule reports a result even
			# when no inline ingress is declared (NOTE(review): confirm).
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# Protocol -1 (all traffic) is rejected outright. NOTE(review):
					# integer compare; a quoted "-1" may not match - confirm how the
					# Guard version in use compares the two types.
					IpProtocol != -1 <<All inbound ports are open.>>
					# Each "FromPort > N OR ToPort < N" pair states that the port
					# range does not contain N; the pairs are joined by newline, so all
					# of them must hold. The ports are 21, 23, 80, 389 and 4333
					# (commonly FTP, Telnet, HTTP, LDAP and mSQL).
					# NOTE(review): there is no tcp/udp guard, so an entry for a
					# protocol that omits FromPort/ToPort is evaluated against missing
					# keys here - confirm how the Guard version in use treats that.
					when IpProtocol != -1 {
						FromPort > 21 OR
						ToPort < 21
						FromPort > 23 OR
						ToPort < 23
						FromPort > 80 OR
						ToPort < 80
						FromPort > 389 OR
						ToPort < 389
						FromPort > 4333 OR
						ToPort < 4333
					}
				}
			}
		}
	}
}


