Allowing unrestricted outbound communications can lead to data leaks. A restrictive security group is an additional layer of protection that might prevent the abuse or exploitation of a resource. For example, it complicates the exfiltration of data in the case of a successfully exploited vulnerability. When deciding if outgoing connections should be limited, consider that limiting the connections results in additional administration and maintenance work. == Ask Yourself Whether * The resource has access to sensitive data. * The resource is part of a private network. There is a risk if you answered yes to any of those questions. == Recommended Secure Coding Practices It is recommended to restrict outgoing connections to a set of trusted destinations. == Sensitive Code Example For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]: [source,python] ---- from aws_cdk import ( aws_ec2 as ec2 ) ec2.SecurityGroup( # Sensitive; allow_all_outbound is enabled by default self, "example", vpc=vpc ) ---- == Compliant Solution For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]: [source,python] ---- from aws_cdk import ( aws_ec2 as ec2 ) sg = ec2.SecurityGroup( self, "example", vpc=vpc, allow_all_outbound=False ) sg.add_egress_rule( peer=ec2.Peer.ipv4("203.0.113.127/32"), connection=ec2.Port.tcp(443) ) ---- == See * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control * https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html[AWS Documentation] - Control traffic to resources using security groups * https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control * https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * Make sure that allowing unrestricted outbound communications is safe here. * Omitting "allow_all_outbound" enables unrestricted outbound communications. Make sure it is safe here. endif::env-github,rspecator-view[]