Restrict outbound traffic to that which is necessary, and specifically deny all other traffic
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted egress access.
Risk Level: Medium
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.09
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
SecurityGroup should not have outboundRules with [ protocol='ALL' and scope='0.0.0.0/0' ]
REMEDIATION
Reduce the scope of the outbound rules to just the necessary scope, protocol, and ports.
From Portal
- Log in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/home
- In the navigation pane, choose Security Groups.
- For each security group, perform the following:
  - Select the security group
  - Click the Outbound Rules tab
  - Identify the rules to be removed
  - Edit the Outbound rule and change the source CIDR range, port or protocol, or delete the rule.
  - Click Save
From TF
Specify a CIDR range, port and protocol so that egress is no longer open to all ports, protocols and address ranges.
resource "aws_security_group" "positive2" {
egress {
from_port = 3306
to_port = 3306
- protocol = "ALL"
+ protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"] # != "0.0.0.0/0"
+ cidr_blocks = ["10.0.2.0/0"]
security_group_id = aws_security_group.default.id
}
}
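Review bot: the added line `cidr_blocks = ["10.0.2.0/0"]` still carries a prefix length of /0, which matches every IPv4 address exactly as the removed 0.0.0.0/0 did, so the destination remains unrestricted; write the intended range with its real prefix length (for example 10.0.2.0/24, if that subnet is what is meant). On the unchanged context line, `security_group_id` is an argument of the separate `aws_security_group_rule` resource and is not accepted inside an inline `egress` block of `aws_security_group`, so it should be dropped here. The trailing comment `# != "0.0.0.0/0"` on the removed line could be replaced by a comment on the new line stating which destination the rule is meant to reach.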
From Command Line
To make sure security groups don't allow egress to 0.0.0.0/0 or to all ports, run:
aws ec2 revoke-security-group-egress --region REGION --group-name GROUP-NAME --protocol PROTOCOL --port PORT --cidr 0.0.0.0/0
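To see which groups match the rule before or after revoking, the following added example (not part of the original page and not CloudGuard's own logic) applies the same test to JSON in the shape returned by `aws ec2 describe-security-groups`. The sample data and group IDs are constructed, and the check goes slightly beyond the GSL rule by also treating `::/0` and any other zero-length prefix as unrestricted.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-constructed-a", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-constructed-b", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.2.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-constructed-c", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-constructed-d", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}


def covers_everything(cidr):
    """True when the CIDR has prefix length 0, i.e. it matches every address."""
    try:
        # strict=False accepts non-canonical forms such as 10.0.2.0/0.
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def unrestricted_egress(described):
    """Return (group_id, cidr) for egress rules allowing all protocols to a /0 range."""
    findings = []
    for sg in described.get("SecurityGroups", []):
        for perm in sg.get("IpPermissionsEgress", []):
            # The EC2 API reports "all protocols" as the string "-1".
            if perm.get("IpProtocol") != "-1":
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], c) for c in cidrs if covers_everything(c)]
    return findings


if __name__ == "__main__":
    for group_id, cidr in unrestricted_egress(SAMPLE):
        print(f"{group_id}: all protocols allowed to {cidr}")
```

Group d is not reported because the rule requires both conditions: all protocols and an unrestricted destination.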
References
- https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
- https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-egress.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
AWS Security Group
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard Network Alerts for default VPC components
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset