2023-05-25 14:18:12 +02:00
|
|
|
Allowing unrestricted outbound communications can lead to data leaks.
|
2022-09-30 15:59:58 +02:00
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
A restrictive security group is an additional layer of protection that might
|
|
|
|
|
prevent the abuse or exploitation of a resource. For example, it complicates the
|
|
|
|
|
exfiltration of data in the case of a successfully exploited vulnerability.
|
|
|
|
|
|
|
|
|
|
When deciding if outgoing connections should be limited, consider that limiting
|
|
|
|
|
the connections results in additional administration and maintenance work.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
== Ask Yourself Whether
|
|
|
|
|
|
|
|
|
|
* The resource has access to sensitive data.
|
|
|
|
|
* The resource is part of a private network.
|
|
|
|
|
|
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
|
|
|
|
|
|
It is recommended to restrict outgoing connections to a set of trusted
|
|
|
|
|
destinations.
|
2022-09-30 15:59:58 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]:
|
|
|
|
|
|
|
|
|
|
[source,python]
|
|
|
|
|
----
|
|
|
|
|
from aws_cdk import (
|
|
|
|
|
aws_ec2 as ec2
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
ec2.SecurityGroup( # Sensitive; allow_all_outbound is enabled by default
|
|
|
|
|
self,
|
|
|
|
|
"example",
|
|
|
|
|
vpc=vpc
|
|
|
|
|
)
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]:
|
|
|
|
|
|
|
|
|
|
[source,python]
|
|
|
|
|
----
|
|
|
|
|
from aws_cdk import (
|
|
|
|
|
aws_ec2 as ec2
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
sg = ec2.SecurityGroup(
|
|
|
|
|
self,
|
|
|
|
|
"example",
|
|
|
|
|
vpc=vpc,
|
|
|
|
|
allow_all_outbound=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
sg.add_egress_rule(
|
|
|
|
|
peer=ec2.Peer.ipv4("203.0.113.127/32"),
|
|
|
|
|
connection=ec2.Port.tcp(443)
|
|
|
|
|
)
|
|
|
|
|
----
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
== See
|
|
|
|
|
|
|
|
|
|
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
|
|
|
|
|
* https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html[AWS Documentation] - Control traffic to resources using security groups
|
|
|
|
|
* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
|
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
|
|
|
|
|
|
2022-09-30 15:59:58 +02:00
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
=== Message
|
|
|
|
|
|
|
|
|
|
* Make sure that allowing unrestricted outbound communications is safe here.
|
|
|
|
|
* Omitting "allow_all_outbound" enables unrestricted outbound communications. Make sure it is safe here.
|
|
|
|
|
|
2022-09-30 15:59:58 +02:00
|
|
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|
|
|
|
|
|
