Ensure no security groups allow ingress from to ElasticSearch (TCP:9300)

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 9300.

Risk Level: High
Cloud Entity: AWS EC2 SecurityGroup
CloudGuard Rule ID: D9.CFT.NET.22
Covered by Spectral: No
Category: Security, Identity, & Compliance


AWS_EC2_SecurityGroup should not have SecurityGroupIngress contain-any [ CidrIp='' and FromPort>=9300 and ToPort<=9300 ]


From CFT
Set AWS::EC2::SecurityGroup SecurityGroupIngress.CidrIp property to a restrictive IP address or IP range.


  1. https://docs.aws.amazon.com/quicksight/latest/user/vpc-security-groups.html
  2. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

AWS EC2 SecurityGroup

A Security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups. AWS::EC2::SecurityGroup Specifies a security group. To create a security group, use the VpcId property to specify the VPC for which to create the security group.

Compliance Frameworks

  • AWS CloudFormation ruleset