Ensure every Security Group rule has a description

Error: Not every Security Group rule has a description

Bridgecrew Policy ID: BC_AWS_NETWORKING_31
Checkov Check ID: CKV_AWS_23
Severity: LOW

Not every Security Group rule has a description. Descriptions can be up to 255 characters long (letters, digits, spaces and the characters ._-:/()#,@[]+=;{}!$*) and can be set and viewed from the AWS Management Console, the AWS Command Line Interface (CLI) and the AWS APIs.

We recommend adding descriptive text to each of your Security Group rules stating what the rule is for and who needs it. A rule whose purpose is recorded next to it is easier to review and less likely to be widened, duplicated or left behind by mistake, which is how this kind of developer error usually creeps in. Note that the description belongs on each rule: a description on the Security Group itself does not satisfy this check.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon VPC console.
  3. Select Security Groups.
  4. When creating a group with Create Security Group, give every inbound and outbound rule a description as you add it.
  5. For an existing group, select it and review the description of each inbound and outbound rule.
  6. To add or change rule descriptions, click Edit on the rule set, fill in the Description field of each rule and save.

Fix - Buildtime


Add a description to every ingress and egress rule. The description on the aws_security_group resource itself (the "Allow inbound traffic ..." line below) describes the group, not its rules; the check looks for a description attribute inside each ingress and egress block, and on each standalone aws_security_group_rule resource if you define rules that way.

resource "aws_security_group" "examplea" {
  name        = var.es_domain
  description = "Allow inbound traffic to ElasticSearch from VPC CIDR"
  vpc_id      = var.vpc

  ingress {
    cidr_blocks = [var.vpc_cidr]  # the VPC CIDR this rule admits; var.vpc_cidr is assumed here
   + description = "What does this rule enable"
    from_port   = 80
    protocol    = "tcp"
    to_port     = 80
  }
}
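The following Python script is added here as an example and is not part of the Bridgecrew/Checkov policy or its tooling. It serves both fix sections above: it walks either the JSON returned by `aws ec2 describe-security-groups` (the runtime state) or a Terraform plan from `terraform show -json tfplan` (the buildtime state) and lists every rule target that has no description. On the runtime side each IpRanges, Ipv6Ranges, UserIdGroupPairs and PrefixListIds entry carries its own Description, so a single rule can produce several findings; on the buildtime side both inline ingress/egress blocks of aws_security_group and standalone aws_security_group_rule resources are checked, including resources inside child modules. The group IDs, CIDRs, module name and resource addresses in the embedded sample inputs are constructed for the demo.

```python
"""List security group rules that have no description.

Added example, not part of the Bridgecrew/Checkov policy page. Accepts the JSON
from `aws ec2 describe-security-groups` (runtime) or from `terraform show -json`
(buildtime). A finding is the tuple (resource, direction, protocol, ports, target).
"""
import json
import sys


def _ports(proto, from_port, to_port):
    """Readable port range; protocol -1 means every port."""
    if proto in (None, "-1", "all"):
        return "all"
    return str(from_port) if from_port == to_port else f"{from_port}-{to_port}"


def _missing(desc):
    return not (desc or "").strip()


def audit_describe_security_groups(response):
    """Each IpRanges/Ipv6Ranges/UserIdGroupPairs/PrefixListIds entry of an
    IpPermission carries its own Description, so the check is per target."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = perm.get("IpProtocol")
                ports = _ports(proto, perm.get("FromPort"), perm.get("ToPort"))
                targets = [(r.get(id_key), r.get("Description"))
                           for list_key, id_key in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6"),
                                                    ("UserIdGroupPairs", "GroupId"), ("PrefixListIds", "PrefixListId"))
                           for r in perm.get(list_key, [])]
                findings += [(sg["GroupId"], direction, proto, ports, t) for t, d in targets if _missing(d)]
    return findings


def _iter_resources(module):
    """Yield the resources of a plan module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def _tf_targets(rule):
    keys = ("cidr_blocks", "ipv6_cidr_blocks", "security_groups", "prefix_list_ids")
    targets = [t for key in keys for t in (rule.get(key) or [])]
    if rule.get("source_security_group_id"):
        targets.append(rule["source_security_group_id"])
    if rule.get("self"):
        targets.append("self")
    return ",".join(targets)


def audit_terraform_plan(plan):
    """Inline ingress/egress blocks of aws_security_group and standalone
    aws_security_group_rule resources each carry their own description."""
    findings = []
    for res in _iter_resources(plan.get("planned_values", {}).get("root_module", {})):
        v = res.get("values") or {}
        rules = []
        if res.get("type") == "aws_security_group":
            rules = [(d, r) for d in ("ingress", "egress") for r in (v.get(d) or [])]
        elif res.get("type") == "aws_security_group_rule":
            rules = [(v.get("type"), v)]
        for direction, rule in rules:
            if _missing(rule.get("description")):
                proto = rule.get("protocol")
                findings.append((res["address"], direction, proto,
                                 _ports(proto, rule.get("from_port"), rule.get("to_port")), _tf_targets(rule)))
    return findings


def audit(document):
    """Pick the auditor from the document's top-level shape."""
    if "SecurityGroups" in document:
        return audit_describe_security_groups(document)
    if "planned_values" in document:
        return audit_terraform_plan(document)
    raise ValueError("expected describe-security-groups or terraform plan JSON")


# Constructed sample inputs; the group IDs, CIDRs and addresses are made up for the demo.
SAMPLE_DESCRIBE = {"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "HTTPS from VPC"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],  # no Description key at all
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "Description": ""}]}],  # empty string
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [{"address": "aws_security_group.examplea", "type": "aws_security_group", "values": {
        "ingress": [{"cidr_blocks": ["10.0.0.0/16"], "description": "", "from_port": 80,
                     "to_port": 80, "protocol": "tcp", "self": False}],
        "egress": [{"cidr_blocks": ["0.0.0.0/0"], "description": "All outbound", "from_port": 0,
                    "to_port": 0, "protocol": "-1", "self": False}]}}],
    "child_modules": [{"address": "module.bastion", "resources": [{
        "address": "module.bastion.aws_security_group_rule.ssh", "type": "aws_security_group_rule",
        "values": {"type": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22,
                   "cidr_blocks": ["203.0.113.0/24"], "description": None}}]}]}}}

if __name__ == "__main__":
    # Audit the file named on the command line, or the embedded samples when none is given.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            docs = [json.load(fh)]
    else:
        docs = [SAMPLE_DESCRIBE, SAMPLE_PLAN]
    for doc in docs:
        for resource, direction, proto, ports, target in audit(doc):
            print(f"{resource}: {direction} {proto}/{ports} {target} has no description")
```

Run it with no arguments to audit the embedded samples, or save real input first, for example `aws ec2 describe-security-groups > sgs.json` or `terraform show -json tfplan > plan.json`, and pass the file as the only argument. A runtime finding can be fixed in place, without deleting and recreating the rule, with `aws ec2 update-security-group-rule-descriptions-ingress` (or `-egress`), which takes the same `--ip-permissions` structure that describe-security-groups returns with a Description added to each target.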