Terraform security group 0.0.0.0/0 risk
Review public ingress before apply.
A security group rule with 0.0.0.0/0 can be correct for public web traffic and dangerous for admin, database, or internal service ports. This page is static guidance; raw Terraform plans stay local, on your workstation or in CI.
High-risk signals include unrestricted SSH, RDP, databases, internal service ports, all protocols, broad egress paired with sensitive workloads, or public exposure on production systems.
Review checklist
Network signals
- Ingress CIDR includes 0.0.0.0/0 or ::/0.
- Port range includes SSH, RDP, databases, or all ports.
- Protocol is all traffic or a broad range without a compensating control.
- Rule attaches to production compute, load balancers, databases, or admin hosts.
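The checklist above is mechanical enough to run against the plan itself. The script below is an added example, not readtheplan's own code: it reads the JSON produced by `terraform show -json plan.tfplan`, pulls ingress rules from `aws_security_group`, `aws_security_group_rule` and `aws_vpc_security_group_ingress_rule` changes, and rates each one by public CIDR, port, protocol, and whether the resource carries a production tag. The port tables, the `Environment` tag convention, and the sample plan are constructed for this example.

```python
"""Added example: flag public ingress in Terraform plan JSON before apply.
Input is the output of `terraform show -json plan.tfplan`. Port tables,
the Environment tag check and SAMPLE_PLAN are constructed for this example."""
import json
import sys

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
# Port -> label. Constructed lists; extend them to match your estate.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
DB_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL",
            6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB"}
WEB_PORTS = {80, 443}


def classify_rule(protocol, from_port, to_port, cidrs, production=False):
    """Return (severity, reason) for one ingress rule, or None if it is not public."""
    if not set(cidrs or ()) & PUBLIC_CIDRS:
        return None
    proto = str(protocol).lower()
    lo, hi = int(from_port or 0), int(to_port or 0)  # ports are null for "-1"
    if proto in ("-1", "all"):
        return "HIGH", "all protocols and ports open to the internet"
    if lo == 0 and hi == 65535:
        return "HIGH", f"{proto} all ports open to the internet"
    hits = [n for p, n in {**ADMIN_PORTS, **DB_PORTS}.items() if lo <= p <= hi]
    if hits:
        return "HIGH", f"{proto} {lo}-{hi} exposes {', '.join(sorted(set(hits)))}"
    if proto == "tcp" and lo == hi and lo in WEB_PORTS:
        # Public web ingress is often intended; production still gets a reviewer's eye.
        return ("MEDIUM" if production else "INFO"), f"public web ingress on {lo}; confirm it is intended"
    return ("HIGH" if production else "MEDIUM"), f"{proto} {lo}-{hi} open to the internet"


def _ingress_rules(rtype, after):
    """Yield (protocol, from_port, to_port, cidrs) from one resource's planned state."""
    if rtype == "aws_security_group":
        for r in after.get("ingress") or []:
            yield (r.get("protocol"), r.get("from_port"), r.get("to_port"),
                   (r.get("cidr_blocks") or []) + (r.get("ipv6_cidr_blocks") or []))
    elif rtype == "aws_security_group_rule" and after.get("type") == "ingress":
        yield (after.get("protocol"), after.get("from_port"), after.get("to_port"),
               (after.get("cidr_blocks") or []) + (after.get("ipv6_cidr_blocks") or []))
    elif rtype == "aws_vpc_security_group_ingress_rule":
        yield (after.get("ip_protocol"), after.get("from_port"), after.get("to_port"),
               [c for c in (after.get("cidr_ipv4"), after.get("cidr_ipv6")) if c])


def find_public_ingress(plan):
    """Walk resource_changes and return findings for creates and updates only."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after")
        if after is None or not {"create", "update"} & set(change.get("actions", [])):
            continue  # deletes, no-ops and reads cannot add exposure
        tags = after.get("tags") or {}
        production = str(tags.get("Environment", "")).lower() in {"prod", "production"}
        for proto, lo, hi, cidrs in _ingress_rules(rc.get("type"), after):
            result = classify_rule(proto, lo, hi, cidrs, production)
            if result:
                findings.append({"address": rc.get("address"),
                                 "severity": result[0], "reason": result[1]})
    return findings


# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "before": None, "after": {
         "tags": {"Environment": "production"}, "ingress": [
             {"protocol": "tcp", "from_port": 443, "to_port": 443,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]},
             {"protocol": "tcp", "from_port": 22, "to_port": 22,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
    {"address": "aws_security_group_rule.db_in", "type": "aws_security_group_rule",
     "change": {"actions": ["update"], "before": {}, "after": {
         "type": "ingress", "protocol": "tcp", "from_port": 5432, "to_port": 5432,
         "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}}},
    {"address": "aws_vpc_security_group_ingress_rule.internal",
     "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["create"], "before": None, "after": {
         "ip_protocol": "-1", "from_port": None, "to_port": None,
         "cidr_ipv4": "10.0.0.0/8", "cidr_ipv6": None}}},
    {"address": "aws_security_group_rule.old", "type": "aws_security_group_rule",
     "change": {"actions": ["delete"], "after": None,
                "before": {"type": "ingress", "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for f in find_public_ingress(plan):
        print(f"{f['severity']:6} {f['address']}: {f['reason']}")
```

Run it as `python check_ingress.py plan.json` in the CI job that produced the plan; it reads only the local file. On the sample it reports the production 443 rule as MEDIUM (intended but worth a look), and the public SSH and PostgreSQL rules as HIGH, while the deleted rule and the rule restricted to 10.0.0.0/8 are ignored. Values still unknown at plan time live under `after_unknown` rather than `after`, so a CIDR computed from another resource will not be seen by this check; treat "no finding" as "nothing visible", not "nothing exposed".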
SOC 2 angle
Evidence to keep
Map public ingress changes to CC6.6 (boundary protection), CC7 (monitoring), and CC8 (change management). readtheplan can flag these patterns from the plan JSON produced by terraform show -json without sending the plan off your workstation or CI runner.
Request pilot setup
Placeholder inbox: pilot-contact@example.com.
FAQ
Security group questions
Is 0.0.0.0/0 always dangerous?
No. Public web ingress can be intended. Risk depends on port, protocol, target, environment, and compensating controls.
What should reviewers ask first?
Ask whether the exposure is required, whether the target is production, which port is open, and how monitoring or access restriction is enforced.