Allowing unrestricted outbound communications can lead to data leaks.
A restrictive security group is an additional layer of protection that can limit the abuse or exploitation of a resource. For example, if a vulnerability on the resource is successfully exploited, restricted egress complicates exfiltrating data and contacting attacker-controlled hosts.
When deciding whether outgoing connections should be limited, consider that restricting them adds administration and maintenance work: every legitimate destination, such as package repositories, AWS service endpoints or monitoring backends, has to be allowed explicitly and kept up to date.
Ask Yourself Whether
- The resource has access to sensitive data.
- The resource is part of a private network.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to restrict outgoing connections to a set of trusted destinations, and to the protocols and ports those destinations actually require.
Sensitive Code Example
For aws_cdk.aws_ec2.SecurityGroup:
from aws_cdk import (
    aws_ec2 as ec2
)

ec2.SecurityGroup(  # Sensitive; allow_all_outbound is enabled by default
    self,
    "example",
    vpc=vpc
)
Compliant Solution
For aws_cdk.aws_ec2.SecurityGroup:
from aws_cdk import (
    aws_ec2 as ec2
)

# With allow_all_outbound=False the group starts with no usable egress rule,
# so only the destinations added below are reachable.
sg = ec2.SecurityGroup(
    self,
    "example",
    vpc=vpc,
    allow_all_outbound=False
)
# Allow HTTPS to one trusted host only.
sg.add_egress_rule(
    peer=ec2.Peer.ipv4("203.0.113.127/32"),
    connection=ec2.Port.tcp(443)
)
See