← all rules

iac/cloudformation/cfn-security-group-world-ingress

Security group allows ingress from 0.0.0.0/0

highCloudFormationiac-cloudformation

What it detects

A `SecurityGroupIngress` rule with `CidrIp: 0.0.0.0/0` (or `::/0`) exposes the port to the entire internet.

Remediation

Restrict `CidrIp` to known office/VPN ranges or reference a source security group.

How it runs

Run against YAML/JSON files that look like CloudFormation templates (AWSTemplateFormatVersion, or Resources + an AWS:: type). Line-based checks; the security-group rule tracks ingress-vs-egress context. Non-template YAML/JSON is skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.