
Check for single-host network entries in security group ingress rules for IPv4 and IPv6

Project Overview

Project Detail

This pattern provides a detective security control that notifies you when an Amazon Web Services (AWS) security group ingress rule does not meet your specification. It provides an AWS Lambda function that inspects the source address fields of newly authorized ingress rules, for both Internet Protocol version 4 (IPv4) and IPv6, and checks that each entry is a single host. The Lambda function is invoked when Amazon CloudWatch Events (now Amazon EventBridge) detects the Amazon Elastic Compute Cloud (Amazon EC2) AuthorizeSecurityGroupIngress API call, delivered as an API-call event through AWS CloudTrail. The custom logic in the Lambda function evaluates the subnet mask of each CIDR block in the ingress rule. If the prefix length is anything other than /32 (IPv4) or /128 (IPv6), that is, if the rule admits more than one source host, the Lambda function sends a violation notification by using Amazon Simple Notification Service (Amazon SNS). Two practical points follow from that design: the control only notifies, so the offending rule stays in effect until someone acts on the notification, and ingress rules whose source is another security group or a managed prefix list carry no CIDR block, so this check does not evaluate them.

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-for-single-host-network-entries-in-security-group-ingress-rules-for-ipv4-and-ipv6.html?did=pg_card&trk=pg_card
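The evaluation described above, written out as a Lambda handler. This is an added example, not the pattern's own code: it assumes the EventBridge "AWS API Call via CloudTrail" envelope (API parameters under `detail.requestParameters`, CIDRs under `ipRanges.items[].cidrIp` and `ipv6Ranges.items[].cidrIpv6`), an `SNS_TOPIC_ARN` environment variable on the function, and a constructed sample event whose security group ID and topic ARN are placeholders. It also handles the two gaps the text leaves implicit: rules that reference a security group or prefix list have no CIDR and are skipped, and an unparseable CIDR is reported rather than silently accepted.

```python
"""Flag AuthorizeSecurityGroupIngress rules whose source is not a single host.

Added example for the pattern summary above; not the AWS pattern's own code.
Event shape, sample IDs and the SNS_TOPIC_ARN variable are assumptions.
"""
import ipaddress
import json
import os

# Prefix lengths that denote exactly one host. Anything shorter admits a range.
SINGLE_HOST_PREFIX = {4: 32, 6: 128}


def is_single_host(cidr: str) -> bool:
    """Return True only for a /32 (IPv4) or /128 (IPv6) entry.

    Unparseable input returns False so it surfaces as a violation instead of
    being silently accepted. strict=False tolerates host bits in the address
    part (e.g. "10.0.0.5/24"), which is still a range, not a host.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == SINGLE_HOST_PREFIX[net.version]


def find_violations(detail: dict) -> list:
    """Walk CloudTrail requestParameters; return one record per non-single-host CIDR.

    Sources that reference another security group ("groups") or a managed
    prefix list ("prefixListIds") carry no CIDR and are not evaluated here.
    """
    params = detail.get("requestParameters", {})
    group_id = params.get("groupId") or params.get("groupName") or "unknown"
    violations = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr and not is_single_host(cidr):
                violations.append({
                    "groupId": group_id,
                    "cidr": cidr,
                    "ipProtocol": perm.get("ipProtocol"),
                    "fromPort": perm.get("fromPort"),
                    "toPort": perm.get("toPort"),
                })
    return violations


def publish_to_sns(topic_arn: str, violations: list) -> None:
    """Send the violation list to the SNS topic. boto3 is imported lazily so the
    evaluation logic above runs (and can be tested) without the AWS SDK."""
    import boto3

    boto3.client("sns").publish(
        TopicArn=topic_arn,
        Subject="Security group ingress rule is not single-host",
        Message=json.dumps(violations, indent=2),
    )


def lambda_handler(event, context, topic_arn=None, publish=publish_to_sns):
    """Entry point for the EventBridge rule matching AuthorizeSecurityGroupIngress."""
    detail = event.get("detail", {})
    # Ignore other API calls and calls EC2 rejected (CloudTrail sets errorCode):
    # a denied request created no rule, so there is nothing to report.
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress" or detail.get("errorCode"):
        return {"violations": [], "notified": False}
    violations = find_violations(detail)
    if topic_arn is None:
        topic_arn = os.environ.get("SNS_TOPIC_ARN")  # assumed to be set on the function
    notified = False
    if violations and topic_arn:
        publish(topic_arn, violations)
        notified = True
    return {"violations": violations, "notified": notified}


# Constructed sample event: one rule with two IPv4 and two IPv6 sources plus a
# security-group reference. Only 0.0.0.0/0 and ::/0 should be flagged.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",  # placeholder ID
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "203.0.113.10/32"}, {"cidrIp": "0.0.0.0/0"}]},
                "ipv6Ranges": {"items": [{"cidrIpv6": "2001:db8::1/128"}, {"cidrIpv6": "::/0"}]},
                "groups": {"items": [{"groupId": "sg-0fedcba9876543210"}]},
            }]},
        },
    },
}

if __name__ == "__main__":
    # Offline run: no topic ARN, so nothing is published; the findings are printed.
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Separating `find_violations` from `publish_to_sns` keeps the decision logic testable without AWS credentials, and the `errorCode` check avoids paging on a rule that IAM or a service control policy already refused. Because the control is detective, pair the notification with a revoke step or an IAM guardrail if broad ingress must actually be prevented rather than reported.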
