Opening a security group to the Internet







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




An attacker can modify security group rules to allow for new traffic. This typically allows them to maintain access to your infrastructure.

Understanding Impact

Business Impact

Compute resources in AWS are protected by security groups. When an attacker allows traffic on a security group, it exposes the affected resource publicly and allows the attacker to remain in your environment.

Technical Impact

Note that removing a malicious ingress security group rule does not block connections that are already established (see Connection tracking).


You can identify when a security group ingress rule is created using the CloudTrail event AuthorizeSecurityGroupIngress. In particular:

  • requestParameters.cidrIp contains the newly authorized source IP range (for instance,
  • requestParameters.fromPort and requestParameters.toPort contain the newly opened port or port range.

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Security group open to the world".


Stratus Red Team - Open Ingress Port 22 on a Security Group

Finding evil in AWS

Attacker tactics reported by Jon Hencinski (Expel)

Did you find this article helpful?

Related Vulnerabilities and Threats