Unrestricted Security Group Egress

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-033

Check your Amazon EC2 security groups for outbound/egress rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) on any TCP/UDP ports and restrict access to only those IP addresses and/or IP ranges that require it in order to implement the Principle of Least Privilege (POLP) and reduce the attack surface.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Allowing unrestricted outbound/egress access on TCP/UDP ports lets the instances associated with the security group reach any destination on the Internet, which increases the opportunities for malicious activities such as participation in Distributed Denial of Service (DDoS) attacks.


Audit

To determine if your Amazon EC2 security groups allow unrestricted egress access on TCP/UDP ports, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to examine.

05 Choose the Outbound rules tab from the console bottom panel to access the outbound rules created for the selected group.

06 Check the configuration value available in the Destination column for any outbound/egress rule defined for the group. If one or more rules have the Destination value set to 0.0.0.0/0 or ::/0 (i.e. Anywhere), the selected Amazon EC2 security group allows unrestricted outbound traffic; therefore, access to the Internet for the Amazon EC2 instances associated with the security group is not restricted.

07 Repeat steps no. 4 – 6 for each EC2 security group available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon EC2 security group available in the selected AWS region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --output table \
  --query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
|  sg-0abcdabcdabcdabcd  |
+------------------------+

03 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to examine as the identifier parameter, to list all the outbound/egress rules defined for the selected security group:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids sg-01234abcd1234abcd \
  --query 'SecurityGroups[*].IpPermissionsEgress[]'

04 The command output should return the requested configuration information:

[
	{
		"IpProtocol": "-1",
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"Ipv6Ranges": [
			{
				"CidrIpv6": "::/0"
			}
		],
		"PrefixListIds": [],
		"UserIdGroupPairs": []
	}
]

To identify any outbound rules that allow unrestricted access, check the values of the "CidrIp" and "CidrIpv6" attributes. If one or more rules returned by the describe-security-groups command are using the "0.0.0.0/0" and/or "::/0" CIDRs, as shown in the output example above, the selected Amazon EC2 security group allows unrestricted outbound traffic; therefore, access to the Internet for the Amazon EC2 instances associated with the security group is not restricted. Note that an "IpProtocol" value of "-1" means all protocols and all ports.

05 Repeat steps no. 3 and 4 for each EC2 security group available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
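A scripted form of steps 3 and 4, added here as an example (it is not part of Conformity's own tooling): it evaluates the JSON that describe-security-groups returns and flags every egress rule whose destination is 0.0.0.0/0 or ::/0, recognising that an IpProtocol of "-1" carries no port range. The sample input is constructed to mirror the output shown above.

```python
import ipaddress
import json

# Constructed sample mirroring the describe-security-groups output above:
# one group with an "all traffic to anywhere" egress rule, one restricted group.
SAMPLE_SECURITY_GROUPS = json.loads("""
[
  {"GroupId": "sg-01234abcd1234abcd",
   "IpPermissionsEgress": [
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
      "PrefixListIds": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0abcd1234abcd1234",
   "IpPermissionsEgress": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "10.0.15.0/24"}],
      "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]}
]
""")


def is_unrestricted(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0: a prefix length of 0 covers every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_unrestricted_egress(security_groups):
    """Return (GroupId, IpProtocol, FromPort, ToPort, CIDR) for each egress
    rule whose destination is anywhere. IpProtocol "-1" means all protocols
    and has no FromPort/ToPort, so those are reported as None."""
    findings = []
    for group in security_groups:
        for rule in group.get("IpPermissionsEgress", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_unrestricted(cidr):
                    findings.append((group["GroupId"], rule["IpProtocol"],
                                     rule.get("FromPort"), rule.get("ToPort"), cidr))
    return findings


if __name__ == "__main__":
    for gid, proto, fp, tp, cidr in find_unrestricted_egress(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: egress {proto} {fp}-{tp} to {cidr} is unrestricted")
```

With live data, save the output of `aws ec2 describe-security-groups --region us-east-1` to a file and pass its `SecurityGroups` list to find_unrestricted_egress; run it once per region, as step 6 requires.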

Remediation / Resolution

To update the outbound rule configuration for your Amazon EC2 security groups in order to restrict access to trusted destinations only (i.e. authorized IP addresses and IP ranges, or other security groups), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion":"2010-09-09",
	"Description":"Allow outbound access to trusted destinations (IPs/IP ranges) only",
	"Resources":{
		"CustomSecurityGroup" : {
			"Type" : "AWS::EC2::SecurityGroup",
			"Properties" : {
				"GroupDescription" : "HTTPS-based access security group",
				"GroupName" : "https-only-security-group",
				"VpcId" : "vpc-1234abcd",
				"SecurityGroupIngress" : [{
					"IpProtocol" : "tcp",
					"FromPort" : 443,
					"ToPort" : 443,
					"CidrIp" : "10.0.15.0/24"
				}],
				"SecurityGroupEgress" : [{
					"IpProtocol" : "tcp",
					"FromPort" : 443,
					"ToPort" : 443,
					"CidrIp" : "10.0.15.0/24"
				}]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Allow outbound access to trusted destinations (IPs/IP ranges) only
Resources:
  CustomSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS-based access security group
      GroupName: https-only-security-group
      VpcId: vpc-1234abcd
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.15.0/24
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.15.0/24

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_security_group" "security-group" {
	name        = "https-only-security-group"
	description = "HTTPS-based access security group"
	vpc_id      = "vpc-1234abcd"

	ingress {
		from_port        = 443
		to_port          = 443
		protocol         = "tcp"
		cidr_blocks      = ["10.0.15.0/24"]
	}

	# Allow outbound access to trusted destinations (IPs/IP ranges) only
	egress {
		from_port        = 443
		to_port          = 443
		protocol         = "tcp"
		cidr_blocks      = ["10.0.15.0/24"]
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Outbound rules tab from the console bottom panel and choose Edit outbound rules.

06 On the Edit outbound rules configuration page, change the traffic destination for any outbound/egress rule that allows unrestricted access, by performing one of the following actions:

  1. Select My IP from the Destination dropdown list to allow outbound traffic only to your current IP address.
  2. Select Custom from the Destination dropdown list and enter one of the following options based on your access requirements:
    • The static IP address of the permitted host in CIDR notation (e.g. 10.0.0.5/32).
    • The IP address range of the permitted network/subnetwork in CIDR notation, for example 10.0.15.0/24.
    • The name or ID of another security group available in the same AWS cloud region.
  3. Choose Save rules to apply the configuration changes.

07 Repeat steps no. 4 – 6 to reconfigure other EC2 security groups that allow unrestricted outbound access.

08 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run revoke-security-group-egress command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource), to remove the outbound/egress rules that allow unrestricted access:

aws ec2 revoke-security-group-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp="0.0.0.0/0"}],Ipv6Ranges=[{CidrIpv6="::/0"}]' \
  --query 'Return'

02 The command output should return true if the request succeeds. Otherwise, it should return an error:

true

03 Run authorize-security-group-egress command (OSX/Linux/UNIX) to add the outbound rule removed at the previous step with a different set of parameters in order to restrict access to trusted destinations only (IP addresses, IP ranges, or security groups). To create and attach custom outbound/egress rules to the selected Amazon EC2 security group based on your access requirements, use one of the following options (the command does not produce an output):

  1. Add an outbound rule that allows traffic to an authorized static IP address only, using CIDR notation (e.g. 10.0.0.5/32). Set the --protocol parameter value to tcp or udp based on your security group rule configuration:
    aws ec2 authorize-security-group-egress \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd \
      --protocol tcp \
      --port 443 \
      --cidr 10.0.0.5/32
    
  2. Add an outbound/egress rule that allows traffic to a trusted IP address range, using CIDR notation (for example, 10.0.15.0/24). Configure the --protocol parameter value to tcp or udp based on your rule configuration:
    aws ec2 authorize-security-group-egress \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd \
      --protocol tcp \
      --port 443 \
      --cidr 10.0.15.0/24
    
  3. Add an outbound rule that allows traffic to another security group (e.g. sg-01234123412341234) available in the same AWS cloud region. Set the --protocol parameter value to tcp or udp based on your security group rule configuration:
    aws ec2 authorize-security-group-egress \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd \
      --protocol tcp \
      --port 443 \
      --source-group sg-01234123412341234
    

04 Repeat steps no. 1 – 3 to reconfigure other EC2 security groups that allow unrestricted outbound access.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the remediation process for other regions.

Publication date Jun 19, 2016