---
title: Security groups should not use broad internal CIDR ranges as source
---

# Security groups should not use broad internal CIDR ranges as source
 
## Description{% #description %}

Security group ingress rules should reference specific subnets or security groups rather than overly broad internal CIDR ranges like `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. Using a full RFC 1918 range as a source grants access from every host on the internal network, bypassing network segmentation controls and increasing the blast radius of a compromised host.

## Remediation{% #remediation %}

Replace broad internal CIDR ranges with specific subnet CIDRs or security group references.

1. Open the [Amazon EC2 console](https://console.aws.amazon.com/ec2/home#SecurityGroups).
1. Navigate to **Security Groups**, select the group, and edit the inbound rules.
1. Replace any `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16` source with the specific subnet CIDR (e.g., `10.1.2.0/24`) or a security group ID that needs access.
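Before editing rules by hand, it helps to find every ingress rule the check would flag. The following is an added example, not Datadog's rule implementation or AWS code: it walks a security group in the shape returned by `ec2 describe-security-groups` and flags any IPv4 source that equals or is broader than a full RFC 1918 block (so a supernet such as `10.0.0.0/7` or `0.0.0.0/0` is flagged too, since it grants at least the same internal reach). The group IDs and rules are constructed sample data.

```python
import ipaddress

# The full RFC 1918 blocks named in the rule. A source CIDR that is equal to
# or a supernet of any of them admits every host on that internal range.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_broad_internal_source(cidr: str) -> bool:
    """True if the IPv4 CIDR covers an entire RFC 1918 block (equal or broader)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # not a CIDR (e.g. a prefix list or SG reference)
    if net.version != 4:
        return False  # RFC 1918 is IPv4 only; IPv6 sources are out of scope here
    return any(block.subnet_of(net) for block in RFC1918)


def find_broad_internal_sources(security_group: dict) -> list:
    """Return one finding per ingress rule whose IPv4 source is a broad internal range."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        for ip_range in perm.get("IpRanges", []):
            cidr = ip_range.get("CidrIp", "")
            if is_broad_internal_source(cidr):
                findings.append({
                    "GroupId": security_group.get("GroupId"),
                    "IpProtocol": perm.get("IpProtocol"),  # "-1" means all traffic
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "CidrIp": cidr,
                })
    return findings


# Constructed sample in the describe-security-groups response shape (IDs are placeholders).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                 # flagged: full /8
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.1.2.0/24"}],                 # fine: specific subnet
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},  # fine: SG reference
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "172.16.0.0/12"}]},  # flagged: all traffic
    ],
}

if __name__ == "__main__":
    for finding in find_broad_internal_sources(SAMPLE_SG):
        print(finding)
```

Each finding maps directly to an inbound rule to replace in step 3; the `UserIdGroupPairs` entry shows the security-group-reference form the remediation recommends.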
