AWS Security Group allows unrestricted egress traffic
Description
This policy detects AWS Security Groups that allow unrestricted egress (outbound) traffic. Permitting unrestricted outbound traffic from your resources increases the risk of data exfiltration and other security vulnerabilities. As a best practice, explicitly define egress rules in your Security Groups so that outbound traffic is limited to known and trusted destinations only.
Code Example

```diff
resource "aws_security_group" "example" {
  ...
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  egress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/16"] # Restrict to known, trusted destination
+  }
}
```

Remediation
Terraform
- Resource: aws_security_group
- Arguments: egress
To mitigate this issue, explicitly define restricted outbound traffic rules within the egress block of your aws_security_group Terraform configuration, as shown in the Code Example above: name the protocol, the port range and the trusted destination CIDR instead of allowing all traffic to 0.0.0.0/0.
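The following is an added example, not part of this policy page or of Checkov's own implementation: a small Python checker that scans Terraform text for aws_security_group egress blocks and flags the pattern described above (all traffic to 0.0.0.0/0 or ::/0). The sample configuration is constructed from the page's failing and remediated rules; the regex-based parsing assumes conventionally indented HCL rather than a full HCL parser.

```python
import re

# Constructed sample: the page's unrestricted rule and its remediated form.
SAMPLE_TF = '''
resource "aws_security_group" "open" {
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "restricted" {
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }
}
'''

# Assumption: resource bodies close with "}" in column 0, nested blocks are indented.
RESOURCE_RE = re.compile(r'resource\s+"aws_security_group"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
EGRESS_RE = re.compile(r'egress\s*\{(.*?)\}', re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(\[[^\]]*\]|"[^"]*"|\S+)')
UNRESTRICTED = {"0.0.0.0/0", "::/0"}  # "anywhere" destinations (IPv4 and IPv6)

def parse_egress(body):
    """Return a list of dicts, one per egress block, with string/list values."""
    rules = []
    for m in EGRESS_RE.finditer(body):
        attrs = {}
        for key, raw in ATTR_RE.findall(m.group(1)):
            attrs[key] = re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')
        rules.append(attrs)
    return rules

def is_unrestricted(rule):
    """True when the rule sends all protocols (or the whole port range) anywhere."""
    dests = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
    if not dests & UNRESTRICTED:
        return False
    all_protocols = rule.get("protocol") in ("-1", "all")
    all_ports = rule.get("from_port") == "0" and rule.get("to_port") in ("0", "65535")
    return all_protocols or all_ports

def find_violations(tf_text):
    """Names of aws_security_group resources with at least one unrestricted egress rule."""
    return [name for name, body in RESOURCE_RE.findall(tf_text)
            if any(is_unrestricted(r) for r in parse_egress(body))]
```

Running `find_violations(SAMPLE_TF)` reports only the "open" security group; the remediated rule passes because its destination is a specific trusted CIDR.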
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0429 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, Terraform |
| Checkov ID | CKV_AWS_382 |