
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
Allowing unrestricted outbound communications can lead to data leaks.

A restrictive security group is an additional layer of protection that might
prevent the abuse or exploitation of a resource. For example, it complicates the
exfiltration of data in the case of a successfully exploited vulnerability,
since a compromised resource can then only reach the destinations that were
explicitly allowed.

When deciding if outgoing connections should be limited, consider that limiting
the connections results in additional administration and maintenance work.


== Ask Yourself Whether

* The resource has access to sensitive data.
* The resource is part of a private network.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

It is recommended to restrict outgoing connections to a set of trusted
destinations.


== Sensitive Code Example

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]:

[source,python]
----
from aws_cdk import (
    aws_ec2 as ec2
)

ec2.SecurityGroup(  # Sensitive; allow_all_outbound is enabled by default
    self,
    "example",
    vpc=vpc
)
----

== Compliant Solution

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]:

[source,python]
----
from aws_cdk import (
    aws_ec2 as ec2
)

sg = ec2.SecurityGroup(
    self,
    "example",
    vpc=vpc,
    allow_all_outbound=False  # no egress is allowed until a rule is added explicitly
)

# Allow only HTTPS to a single trusted destination; everything else stays denied
sg.add_egress_rule(
    peer=ec2.Peer.ipv4("203.0.113.127/32"),
    connection=ec2.Port.tcp(443)
)
----
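The difference between the two snippets above only becomes visible in the CloudFormation template that `cdk synth` writes: the sensitive form emits an egress rule for `0.0.0.0/0` with `IpProtocol` `-1`, while `allow_all_outbound=False` emits only the rules you add (or a placeholder rule that matches no traffic when none are added). The checker below, an added example that is neither CDK code nor SonarSource's implementation of this rule, walks such a template and reports every security group whose outbound traffic is unrestricted. It also treats a security group with no `SecurityGroupEgress` at all as unrestricted, because AWS attaches an implicit allow-all egress rule to every new group, a case a hand-written template falls into. The template is constructed inline to mirror the synthesized output of the two snippets plus those extra shapes; the VPC id and descriptions are placeholders.

```python
"""Flag security groups with unrestricted egress in a synthesized CloudFormation template.

Added example for this rule page: not aws_cdk code and not the analyzer's own
check. SYNTHESIZED_TEMPLATE is constructed by hand to mirror what
aws_cdk.aws_ec2.SecurityGroup emits for the sensitive and compliant snippets.
"""
import json

ANY_DESTINATION = {"0.0.0.0/0", "::/0"}


def rule_is_allow_all(rule: dict) -> bool:
    """True when one egress rule lets every protocol reach every destination.

    CloudFormation encodes "all protocols" as IpProtocol -1 (string or number);
    ports are ignored for -1, so they are not inspected here.
    """
    destination = rule.get("CidrIp") or rule.get("CidrIpv6")
    return destination in ANY_DESTINATION and str(rule.get("IpProtocol")) == "-1"


def find_unrestricted_egress(template: dict) -> list[str]:
    """Return one finding per resource whose outbound traffic is unrestricted."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        if resource.get("Type") == "AWS::EC2::SecurityGroup":
            egress = props.get("SecurityGroupEgress")
            if egress is None:
                # AWS adds an implicit allow-all egress rule to a new security
                # group, so an omitted property is unrestricted as well.
                findings.append(f"{name}: no SecurityGroupEgress declared, AWS default allows all outbound")
            elif any(rule_is_allow_all(rule) for rule in egress):
                findings.append(f"{name}: egress rule allows all traffic to any destination")
        elif resource.get("Type") == "AWS::EC2::SecurityGroupEgress":
            # Standalone egress rule resource; CDK emits these for cross-group references.
            if rule_is_allow_all(props):
                findings.append(f"{name}: standalone egress rule allows all traffic to any destination")
    return findings


# Constructed sample (placeholder VPC id and descriptions), shaped like `cdk synth` output.
SYNTHESIZED_TEMPLATE = json.loads("""
{
  "Resources": {
    "DefaultSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "sensitive: allow_all_outbound left at its default",
        "SecurityGroupEgress": [
          {"CidrIp": "0.0.0.0/0", "Description": "Allow all outbound traffic by default", "IpProtocol": "-1"}
        ],
        "VpcId": "vpc-0123456789abcdef0"
      }
    },
    "ClosedSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "allow_all_outbound=False with no egress rule added",
        "SecurityGroupEgress": [
          {"CidrIp": "255.255.255.255/32", "Description": "Disallow all traffic",
           "FromPort": 252, "IpProtocol": "icmp", "ToPort": 86}
        ],
        "VpcId": "vpc-0123456789abcdef0"
      }
    },
    "PinnedSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "compliant: allow_all_outbound=False plus one HTTPS egress rule",
        "SecurityGroupEgress": [
          {"CidrIp": "203.0.113.127/32", "Description": "HTTPS to one trusted host",
           "FromPort": 443, "IpProtocol": "tcp", "ToPort": 443}
        ],
        "VpcId": "vpc-0123456789abcdef0"
      }
    },
    "RawSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "hand-written template with SecurityGroupEgress omitted",
        "VpcId": "vpc-0123456789abcdef0"
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in find_unrestricted_egress(SYNTHESIZED_TEMPLATE):
        print(finding)
```

Point the script at `cdk.out/<Stack>.template.json` after `cdk synth` to run it on a real stack. It mirrors the scope of this rule, which is the allow-all default, so a rule such as `0.0.0.0/0` on `tcp/443` is not reported even though it still reaches any host on the Internet; widening `rule_is_allow_all` to flag any `ANY_DESTINATION` rule is a one-line change if your policy requires pinned destinations as in the compliant solution.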

== See

* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html[AWS Documentation] - Control traffic to resources using security groups
* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Make sure that allowing unrestricted outbound communications is safe here.
* Omitting "allow_all_outbound" enables unrestricted outbound communications. Make sure it is safe here.

endif::env-github,rspecator-view[]