diff --git a/pkg/multicloud/aws/securitygroup.go b/pkg/multicloud/aws/securitygroup.go
index 127b10348..f52cce0f5 100644
--- a/pkg/multicloud/aws/securitygroup.go
+++ b/pkg/multicloud/aws/securitygroup.go
@@ -102,14 +102,18 @@ func (self *SRegion) CreateSecurityGroupRule(secGrpId string, opts *cloudprovide
 if opts.Protocol != secrules.PROTO_ANY {
 params["IpPermissions.1.IpProtocol"] = strings.ToLower(opts.Protocol)
 }
- if len(opts.CIDR) > 0 {
- if _, err := netutils.NewIPV6Prefix(opts.CIDR); err == nil {
- params["IpPermissions.1.Ipv6Ranges.1.CidrIpv6"] = opts.CIDR
- params["IpPermissions.1.Ipv6Ranges.1.Description"] = opts.Desc
- } else {
- params["IpPermissions.1.IpRanges.1.CidrIp"] = opts.CIDR
- params["IpPermissions.1.IpRanges.1.Description"] = opts.Desc
+ if len(opts.CIDR) == 0 {
+ opts.CIDR = "0.0.0.0/0"
+ }
+ if _, err := netutils.NewIPV6Prefix(opts.CIDR); err == nil {
+ params["IpPermissions.1.Ipv6Ranges.1.CidrIpv6"] = opts.CIDR
+ params["IpPermissions.1.Ipv6Ranges.1.Description"] = opts.Desc
+ } else {
+ if !strings.Contains(opts.CIDR, "/") {
+ opts.CIDR = opts.CIDR + "/32"
 }
+ params["IpPermissions.1.IpRanges.1.CidrIp"] = opts.CIDR
+ params["IpPermissions.1.IpRanges.1.Description"] = opts.Desc
 }
 start, end := 0, 0
 if len(opts.Ports) > 0 {
@@ -160,7 +164,7 @@ func (self *SRegion) CreateSecurityGroupRule(secGrpId string, opts *cloudprovide
 for i := range ret.SecurityGroupRuleSet {
 return &ret.SecurityGroupRuleSet[i], nil
 }
- return nil, errors.Wrapf(cloudprovider.ErrNotFound, "after create")
+ return nil, errors.Wrapf(cloudprovider.ErrNotFound, "after create %s", jsonutils.Marshal(opts))
 }
 
 func (self *SRegion) DeleteSecurityGroupRule(secGrpId string, direction, ruleId string) error {
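Review bot: An empty `opts.CIDR` is now silently replaced by `0.0.0.0/0` at the `len(opts.CIDR) == 0` branch, so a caller that forgets to set a source gets a rule open to every IPv4 address instead of an error. That fail-open default should at least be stated in a comment where it is applied. The same branch and the `/32` append write back into `opts`, which is a pointer, so the caller's struct is changed as a side effect, and the error message in the second hunk will print the rewritten value rather than what was passed in. Working on a local copy, as sketched below, keeps the request parameters the same without touching the caller's data. The default covers IPv4 only, and whether `::/0` is also meant is not visible here; the function body starts and ends outside the hunk.

```go
// … unchanged: protocol handling …
// An empty CIDR means "any IPv4 source"; use a local copy so the caller's opts is not rewritten.
cidr := opts.CIDR
if len(cidr) == 0 {
	cidr = "0.0.0.0/0"
}
if _, err := netutils.NewIPV6Prefix(cidr); err == nil {
	params["IpPermissions.1.Ipv6Ranges.1.CidrIpv6"] = cidr
	params["IpPermissions.1.Ipv6Ranges.1.Description"] = opts.Desc
} else {
	// A bare IPv4 address is sent as a single-host range.
	if !strings.Contains(cidr, "/") {
		cidr += "/32"
	}
	params["IpPermissions.1.IpRanges.1.CidrIp"] = cidr
	params["IpPermissions.1.IpRanges.1.Description"] = opts.Desc
}
// … unchanged: port range handling …
```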