Ensure that every security group ingress object has a description

Security group ingress defines security rule to allow or restrict inbound traffic. Not having appropriate description may make the security group rules hard to understand and maintain.

Risk Level: Informational
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.CFT.OPE.16
Covered by Spectral: No
Category: Networking & Content Delivery


AWS_EC2_SecurityGroupIngress should have Description


From CFT
Set AWS::EC2::SecurityGroupIngress Description property to an appropriate description.


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html#cfn-ec2-security-group-ingress-description

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CloudFormation ruleset