Security groups should not use broad internal CIDR ranges as source

Description

Security group ingress rules should reference specific subnets or security groups rather than overly broad internal CIDR ranges like 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. Using a full RFC 1918 range as a source grants access from every host on the internal network, bypassing network segmentation controls and increasing the blast radius of a compromised host.

Remediation

Replace broad internal CIDR ranges with specific subnet CIDRs or security group references.

  1. Open the Amazon EC2 console.
  2. Navigate to Security Groups, select the group, and edit the inbound rules.
  3. Replace any 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 source with the specific subnet CIDR (e.g., 10.1.2.0/24) or, preferably, the ID of the security group attached to the hosts that need access, so the rule tracks those hosts rather than an address range.
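The console procedure above is one group at a time. The following is an added example, not Datadog's detection logic or code from this page: it audits `aws ec2 describe-security-groups` style records for ingress rules whose IPv4 source equals or contains an RFC 1918 block, and for each finding emits the AWS CLI calls that add a narrowed rule and then revoke the broad one. The group IDs, CIDRs and rule set in `SAMPLE_SECURITY_GROUPS` are constructed for the example; the field names (`IpPermissions`, `IpRanges`, `CidrIp`, `IpProtocol`, `FromPort`, `ToPort`) are those the CLI and boto3 return.

```python
import ipaddress

# The three RFC 1918 blocks. A rule whose source equals or contains one of
# them admits every host on the internal network, which is what this rule flags.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_broad_internal(cidr):
    """True if an IPv4 source CIDR equals or is a supernet of an RFC 1918 block.

    0.0.0.0/0 is deliberately not reported here: that is public exposure and
    belongs to a separate finding, not to this rule. IPv6 and unparsable
    strings are ignored.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    if net.version != 4 or net.prefixlen == 0:
        return False
    return any(net == block or net.supernet_of(block) for block in RFC1918_BLOCKS)


def find_broad_ingress(security_groups):
    """Scan describe-security-groups style records for broad internal sources."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                cidr = rng.get("CidrIp", "")
                if is_broad_internal(cidr):
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "CidrIp": cidr,
                        "IpProtocol": perm.get("IpProtocol", "-1"),
                        "FromPort": perm.get("FromPort"),   # absent when protocol is -1
                        "ToPort": perm.get("ToPort"),
                    })
    return findings


def remediation_commands(finding, replacement_source):
    """AWS CLI calls that re-add the rule with a narrow source, then drop the broad one.

    replacement_source is either a subnet CIDR (10.1.2.0/24) or a security
    group ID (sg-...). Authorize comes first so hosts in the narrowed source
    never lose access during the change. Protocol/port flags mirror the
    offending rule; "-1" in the API is "all" on the CLI.
    """
    proto = finding["IpProtocol"]
    if proto == "-1":
        match = " --protocol all"
    else:
        lo, hi = finding["FromPort"], finding["ToPort"]
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        match = f" --protocol {proto} --port {port}"
    base = f"--group-id {finding['GroupId']}{match}"
    if replacement_source.startswith("sg-"):
        authorize = f"aws ec2 authorize-security-group-ingress {base} --source-group {replacement_source}"
    else:
        authorize = f"aws ec2 authorize-security-group-ingress {base} --cidr {replacement_source}"
    revoke = f"aws ec2 revoke-security-group-ingress {base} --cidr {finding['CidrIp']}"
    return [authorize, revoke]


# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
# (only the fields the scan reads); the IDs and rules are not real infrastructure.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "app-servers",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "ssh from anywhere internal"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.1.2.0/24"}]},  # specific subnet: compliant
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "legacy-db",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "172.16.0.0/12"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in find_broad_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']}: {f['IpProtocol']} {f['FromPort']}-{f['ToPort']} from {f['CidrIp']}")
        for cmd in remediation_commands(f, "10.1.2.0/24"):
            print("  " + cmd)
```

Against the sample, the scan reports the SSH rule on `sg-0a1b2c3d4e5f60001` (10.0.0.0/8) and the all-traffic rule on `sg-0a1b2c3d4e5f60002` (172.16.0.0/12), and leaves the 10.1.2.0/24 rule alone. Feed it the `SecurityGroups` list from a real `describe-security-groups` call to audit an account; review the emitted commands before running them, since the replacement source has to be chosen per rule.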