Ensure that every security group ingress rule has a description

A security group ingress rule defines the inbound traffic that is allowed to reach the resources associated with the group (security group rules are allow-only: anything not explicitly permitted by an inbound rule is dropped). A rule without a description is hard to understand and maintain, because a reviewer cannot tell why a port was opened or for whom, and such rules tend to survive clean-ups long after the need for them has gone.

Risk Level: Informational
Cloud Entity: AWS EC2 SecurityGroup
CloudGuard Rule ID: D9.CFT.OPE.14
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


AWS_EC2_SecurityGroup where SecurityGroupIngress should have SecurityGroupIngress contain-all [ Description ]


From CFT
Set the AWS::EC2::SecurityGroup SecurityGroupIngress.Description property on every inline ingress rule to a meaningful description that states what traffic is allowed and why (for example the source system and the service behind the port). AWS limits the description to 255 characters drawn from a-z, A-Z, 0-9, spaces and ._-:/()#,@[]+=;{}!$*.


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-rule-1.html#cfn-ec2-security-group-rule-description
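The following is an added example, not part of the original page or of the CloudGuard product: a small Python checker that applies the rule above to a CloudFormation template. The template it scans is constructed here for illustration (logical IDs WebSg, DbSg and ExtraRule, and the VPC ID, are made up). It walks every AWS::EC2::SecurityGroup resource and reports inline SecurityGroupIngress entries that have no usable Description; it goes beyond the rule's scope in two ways, stated in the code: it optionally also checks standalone AWS::EC2::SecurityGroupIngress resources, and it treats a blank description as missing, which is stricter than the presence check in the CloudGuard query.

```python
import json

# Constructed sample CloudFormation template (JSON form); not from the original page.
# WebSg has one described and one undescribed inline ingress rule, DbSg is fully described,
# and ExtraRule is a standalone AWS::EC2::SecurityGroupIngress whose Description is blank.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web tier",
        "VpcId": "vpc-0123456789abcdef0",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0",
           "Description": "Public HTTPS from the internet"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}
        ]
      }
    },
    "DbSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Database tier",
        "VpcId": "vpc-0123456789abcdef0",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
           "SourceSecurityGroupId": {"Ref": "WebSg"},
           "Description": "PostgreSQL from the web tier"}
        ]
      }
    },
    "ExtraRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {"Ref": "WebSg"},
        "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "192.168.0.0/16",
        "Description": "   "
      }
    }
  }
}
""")


def _rule_summary(rule):
    """One-line summary of an ingress rule for the finding message."""
    source = (rule.get("CidrIp") or rule.get("CidrIpv6") or rule.get("SourceSecurityGroupId")
              or rule.get("SourceSecurityGroupName") or rule.get("SourcePrefixListId") or "?")
    if isinstance(source, dict):  # intrinsic function such as {"Ref": "WebSg"}
        source = json.dumps(source, sort_keys=True)
    return f"{rule.get('IpProtocol', '?')} {rule.get('FromPort', '?')}-{rule.get('ToPort', '?')} from {source}"


def _has_description(rule):
    """True only when Description is present and not blank. Treating blank as missing is
    stricter than the CloudGuard 'contain-all [ Description ]' presence check."""
    desc = rule.get("Description")
    return isinstance(desc, str) and desc.strip() != ""


def find_undescribed_ingress(template, include_standalone=True):
    """Return (logical_id, location, summary) for every ingress rule lacking a usable Description.

    Inline SecurityGroupIngress lists on AWS::EC2::SecurityGroup are the scope of rule
    D9.CFT.OPE.14; standalone AWS::EC2::SecurityGroupIngress resources are an extension here.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype == "AWS::EC2::SecurityGroup":
            for idx, rule in enumerate(props.get("SecurityGroupIngress") or []):
                if not _has_description(rule):
                    findings.append((logical_id, f"SecurityGroupIngress[{idx}]", _rule_summary(rule)))
        elif include_standalone and rtype == "AWS::EC2::SecurityGroupIngress":
            if not _has_description(props):
                findings.append((logical_id, "Properties", _rule_summary(props)))
    return findings


if __name__ == "__main__":
    for logical_id, where, summary in find_undescribed_ingress(SAMPLE_TEMPLATE):
        print(f"{logical_id} {where}: ingress rule without Description ({summary})")
```

Run against a real template, load it with json.load (or a YAML loader for YAML templates) and pass the resulting dict to find_undescribed_ingress; an empty list means the template satisfies the rule. Note that a Description supplied through an intrinsic function (for example a Ref to a parameter) is not a string at template level, so this checker would flag it; resolve parameters first or relax _has_description if your templates do that.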

AWS EC2 SecurityGroup

A security group acts as a virtual firewall for your EC2 instances, controlling inbound and outbound traffic. Inbound rules control the traffic allowed to reach the instance, and outbound rules control the traffic allowed to leave it. When you launch an instance, you can specify one or more security groups. The CloudFormation resource AWS::EC2::SecurityGroup specifies a security group; use its VpcId property to specify the VPC in which the security group is created.

Compliance Frameworks

  • AWS CloudFormation ruleset