AWS

Last updated Apr 30, 2025

AWS Security Group Ingress Rule Allows Broad CIDR

Detects when a user adds an ingress rule to an AWS security group that allows inbound access from a Class B or larger IP range (a CIDR prefix of /16 or less, i.e. 65,536 addresses or more).

Query

AWS CloudTrail records the AuthorizeSecurityGroupIngress event when an ingress rule is added to a security group. The request parameters (req_params) are structured as follows:

{
    "groupId": "sg-00112233445566778",
    "ipPermissions": {
        "items": [
            {
                "ipRanges": {
                    "items": [
                        {
                            "description": "Allow traffic",
                            "cidrIp": "100.100.0.0/16"
                        }
                    ]
                },
                "prefixListIds": {},
                "fromPort": 3306,
                "toPort": 3306,
                "groups": {},
                "ipProtocol": "tcp",
                "ipv6Ranges": {}
            }
        ]
    }
}

Using valueof() and the explode command, the query extracts the cidrIp field from ipPermissions.items.ipRanges.items (one row per IP range). It then parses the prefix length after the slash, converts it to an integer, and matches when the value is 16 or less. Because 0.0.0.0/0 has a prefix length of 0, the fully open range is caught as well. Only the IPv4 ipRanges entries are examined; ipv6Ranges are not evaluated by this query.

| search event_name == "AuthorizeSecurityGroupIngress"
| eval group_id = valueof(req_params, "groupId"), items = valueof(valueof(req_params, "ipPermissions"), "items")
| explode items
| eval ip_ranges = valueof(valueof(items, "ipRanges"), "items"), from_port = valueof(items, "fromPort"), to_port = valueof(items, "toPort"), protocol = upper(valueof(items, "ipProtocol"))
| explode ip_ranges
| parsemap field=ip_ranges overlay=t
| fields - items, ip_ranges
| rename cidrIp as cidr
| eval mask = int(valueof(split(cidr, "/"), 1))
| search mask <= 16
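The same detection logic, written in plain Python as an added example (this is not the query product's code or a rule shipped with it): it walks a CloudTrail AuthorizeSecurityGroupIngress record the way the query above does, reads each cidrIp under ipPermissions.items.ipRanges.items, derives the prefix length, and reports every range at /16 or broader. The sample event is constructed here to mirror the req_params structure shown above; the record field names (eventName, requestParameters, userIdentity) follow CloudTrail's JSON layout, and the helper names are this example's own.

```python
import ipaddress

# Constructed sample CloudTrail record mirroring the req_params structure above.
# The first permission repeats the page's /16 example; the second is a /24 that
# must not be flagged. Field names follow CloudTrail's JSON layout.
SAMPLE_EVENT = {
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "IAMUser", "userName": "example-user"},
    "requestParameters": {
        "groupId": "sg-00112233445566778",
        "ipPermissions": {
            "items": [
                {
                    "ipRanges": {"items": [{"description": "Allow traffic",
                                            "cidrIp": "100.100.0.0/16"}]},
                    "prefixListIds": {},
                    "fromPort": 3306,
                    "toPort": 3306,
                    "groups": {},
                    "ipProtocol": "tcp",
                    "ipv6Ranges": {},
                },
                {
                    "ipRanges": {"items": [{"cidrIp": "10.20.30.0/24"}]},
                    "fromPort": 22,
                    "toPort": 22,
                    "ipProtocol": "tcp",
                },
            ]
        },
    },
}

# A prefix of /16 or shorter (Class B or larger) is treated as broad.
BROAD_PREFIX_MAX = 16


def prefix_length(cidr):
    """Return the prefix length of an IPv4/IPv6 CIDR string.

    ipaddress normalizes a bare address (no slash) to a single-host prefix
    (/32 for IPv4) and raises ValueError on malformed input. strict=False
    accepts ranges whose host bits are set, as CloudTrail may record them.
    """
    return ipaddress.ip_network(cidr, strict=False).prefixlen


def find_broad_ingress(event, max_prefix=BROAD_PREFIX_MAX):
    """Return one finding per IPv4 ipRanges entry at /max_prefix or broader.

    Mirrors the query: filter on event name, explode ipPermissions.items,
    explode ipRanges.items, parse the mask, keep mask <= max_prefix.
    Only ipRanges (IPv4) are examined, matching the query above.
    """
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters") or {}
    group_id = params.get("groupId")
    user = (event.get("userIdentity") or {}).get("userName")
    findings = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            cidr = rng.get("cidrIp")
            if not cidr:
                continue
            try:
                mask = prefix_length(cidr)
            except ValueError:
                # Unparseable CIDR: skip rather than crash the whole record.
                continue
            if mask <= max_prefix:
                findings.append({
                    "user": user,
                    "group_id": group_id,
                    "cidr": cidr,
                    "mask": mask,
                    # The query uppercases ipProtocol; "-1" (all protocols) stays "-1".
                    "protocol": str(perm.get("ipProtocol", "")).upper(),
                    "from_port": perm.get("fromPort"),
                    "to_port": perm.get("toPort"),
                    "description": rng.get("description"),
                })
    return findings


def format_message(finding):
    """Render a finding in the same shape as the rule's Message field."""
    return ("AWS Security Group Inbound Allow with Broad CIDR (/16 or Less): "
            "User {user}, Security Group {group_id}, Allowed Range {cidr}, "
            "Port {from_port}-{to_port}, Description {description}").format(**finding)


if __name__ == "__main__":
    for f in find_broad_ingress(SAMPLE_EVENT):
        print(format_message(f))
```

Running the block prints a single alert for 100.100.0.0/16; the /24 entry is silently ignored. Because prefix_length() goes through the ipaddress module rather than string splitting, 0.0.0.0/0 yields mask 0 and a bare address yields /32, so the fully open range is always caught and a missing slash never produces a null comparison.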

Message

  • AWS Security Group Inbound Allow with Broad CIDR (/16 or Less): User $user, Security Group $group_id, Allowed Range $cidr, Port $from_port-$to_port, Description $description

Output Field Order

  • _log_time, event_id, src_ip, account_id, aws_region, user_type, user, event_name, group_id, cidr, mask, protocol, from_port, to_port, description, user_agent

Threat Analysis

  • Allowing a Class B or broader range (CIDR /16 or less) in an AWS security group exposes services (e.g., SSH, RDP, database ports) directly to attackers. This leaves them open to brute-force attempts, vulnerability scans, and exploitation attempts.
  • While such changes can sometimes be legitimate operational tasks, attackers who gain access to AWS credentials may deliberately loosen security group rules to create backdoor communication channels.
  • Therefore, this type of event may indicate threats related to Initial Access, Defense Evasion, or Persistence tactics.

False Positive Types

  • An administrator may temporarily allow a wide range of IP addresses (e.g., during testing, maintenance, or partner access).
  • Infrastructure as Code (IaC) tools (Terraform, CloudFormation, etc.) may deploy broad CIDR ranges as part of bulk security group definitions.

Response Actions

  • Immediately verify with the operations/security team whether the rule change was intentional and whether a broad CIDR allowance was necessary for business reasons.
  • If the rule change was unauthorized, remove the rule immediately, rotate the credentials for the affected IAM account, and review audit logs to identify compromise.
  • If the change was intentional, apply the least privilege principle by restricting inbound access to specific source IPs or smaller, controlled CIDR ranges.

MITRE ATT&CK Mapping