I am trying to set an AWS Security Group egress rule which blocks all outbound traffic. It is known that, by default, security groups allow all outbound traffic.
I am using AWS CloudFormation. How should we define the appropriate security group egress rule?
An AWS security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Both inbound and outbound rules control the flow of traffic to and traffic from your instance, respectively.
When you first create a security group, it has an outbound rule that allows all outbound traffic from the resource. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.
Sign in to the AWS Management Console using the Firewall Manager administrator account, then navigate to Firewall Manager in the Console and choose Security policies. Specify the correct AWS Region your policy should be deployed to, and then choose Create policy. Under Policy type, choose Security group.
To allow or block specific IP addresses for your EC2 instances, use a network Access Control List (ACL) or security group rules in your VPC. Network ACLs and security group rules act as firewalls allowing or blocking IP addresses from accessing your resources.
Even though CloudFormation does not allow an empty SecurityGroupEgress or SecurityGroupIngress property, you can trick it by allowing all outbound traffic to localhost only:
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Parameters:
  # Added so that the !Ref below resolves; pass the target VPC ID at deploy time.
  myVPC:
    Type: AWS::EC2::VPC::Id
Resources:
  InstanceSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupName: block-outbound
      GroupDescription: Allow http to client host
      # One egress rule to loopback replaces the implicit "allow all" rule;
      # nothing outside the instance can be reached through it.
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 127.0.0.1/32
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      VpcId: !Ref myVPC
This will achieve your aim of blocking all outbound traffic.
Security Groups always define ALLOW traffic. There is no concept of a DENY for security groups.
Therefore, if you wish to deny all traffic, simply have an empty Security Group.
However, please note that Security Groups are stateful. This means that, if the inbound security group permits a connection (e.g. a request coming into a web server), the response will be automatically permitted to exit the server. Therefore, it is only truly blocked if both the inbound and outbound security groups are empty (depending upon your configuration).
Other options for blocking the server are a host-based firewall rule (that is, a configuration within the operating system) or the use of Network Access Control Lists (NACLs) that operate at the Subnet level. NACLs have DENY rules that can block traffic in/out of a Subnet (but not to a specific instance).
Update
It turns out that, if no Egress rules are supplied, then the default "Allow All" rule is applied to the security group.
Therefore, you need to supply a rule that does nothing, so that the default rule doesn't apply.
For example:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "VPC": { "Type": "AWS::EC2::VPC::Id" }
  },
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": { "Ref": "VPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 1,
            "ToPort": 1,
            "CidrIp": "0.0.0.0/32"
          }
        ]
      }
    }
  }
}
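Both answers rely on the same fact: a CloudFormation security group with no SecurityGroupEgress property silently keeps the default allow-all egress rule, while a "placeholder" rule (loopback or 0.0.0.0/32) replaces it with something that can reach nothing. The following is an added audit script, not code from the question or either answer. It converts the SecurityGroupEgress property form into the IpPermissionsEgress shape used by the EC2 DescribeSecurityGroups API (the field names are the real ones; the sample rules and template are constructed here) and classifies each group's egress as allow-all, restricted, effectively none, or none, so you can check a template or an account before trusting that outbound traffic is blocked.

```python
"""Classify security-group egress rules: is the default allow-all rule still
present, or does the group only carry placeholder rules that allow nothing?"""
import ipaddress

ALLOW_ALL = "allow-all"                # default 0.0.0.0/0 (or ::/0) any-protocol rule present
RESTRICTED = "restricted"              # specific destinations/ports only
EFFECTIVELY_NONE = "effectively-none"  # only unreachable placeholder destinations
NONE = "none"                          # no egress rules at all


def cfn_egress_to_api(egress_props):
    """Turn AWS::EC2::SecurityGroup SecurityGroupEgress entries (CloudFormation
    property names) into the IpPermissionsEgress shape the EC2 API returns."""
    perms = []
    for rule in egress_props:
        perm = {"IpProtocol": str(rule["IpProtocol"]),
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [], "PrefixListIds": []}
        for key in ("FromPort", "ToPort"):
            if key in rule:
                perm[key] = int(rule[key])  # templates often quote ports as strings
        if "CidrIp" in rule:
            perm["IpRanges"].append({"CidrIp": rule["CidrIp"]})
        if "CidrIpv6" in rule:
            perm["Ipv6Ranges"].append({"CidrIpv6": rule["CidrIpv6"]})
        if "DestinationSecurityGroupId" in rule:
            perm["UserIdGroupPairs"].append({"GroupId": rule["DestinationSecurityGroupId"]})
        if "DestinationPrefixListId" in rule:
            perm["PrefixListIds"].append({"PrefixListId": rule["DestinationPrefixListId"]})
        perms.append(perm)
    return perms


def _is_placeholder_cidr(cidr):
    """A single host that can never be a real outbound destination:
    loopback (127.0.0.1/32) or the unspecified address (0.0.0.0/32)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == net.max_prefixlen and (net.is_loopback or net.is_unspecified)


def _is_anywhere(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _classify_permission(perm):
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    has_other_dest = bool(perm.get("UserIdGroupPairs")) or bool(perm.get("PrefixListIds"))
    if not has_other_dest and all(_is_placeholder_cidr(c) for c in cidrs):
        return EFFECTIVELY_NONE  # covers the empty-destination case too
    if perm.get("IpProtocol") == "-1" and any(_is_anywhere(c) for c in cidrs):
        return ALLOW_ALL
    return RESTRICTED


def classify_egress(perms):
    """Overall verdict for a group's IpPermissionsEgress list."""
    if not perms:
        return NONE
    verdicts = {_classify_permission(p) for p in perms}
    if ALLOW_ALL in verdicts:
        return ALLOW_ALL
    if RESTRICTED in verdicts:
        return RESTRICTED
    return EFFECTIVELY_NONE


def blocks_new_outbound(perms):
    """True when no new outbound connection can be initiated. Replies to
    permitted inbound connections are still allowed: security groups are stateful."""
    return classify_egress(perms) in (NONE, EFFECTIVELY_NONE)


def audit_template(template):
    """{logical_id: verdict} for every AWS::EC2::SecurityGroup in a parsed
    CloudFormation template. A group that omits SecurityGroupEgress gets the
    default allow-all rule, so it is reported as such."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        egress = res.get("Properties", {}).get("SecurityGroupEgress")
        report[logical_id] = ALLOW_ALL if egress is None else classify_egress(cfn_egress_to_api(egress))
    return report


# Constructed sample shaped like DescribeSecurityGroups output for a fresh group.
DEFAULT_SG_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                     "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}]
# Constructed SecurityGroupEgress properties: the two tricks above and a real restriction.
LOOPBACK_TRICK = [{"IpProtocol": "-1", "CidrIp": "127.0.0.1/32"}]
PORT1_TRICK = [{"IpProtocol": "tcp", "FromPort": "1", "ToPort": "1", "CidrIp": "0.0.0.0/32"}]
HTTPS_ONLY = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]
# Constructed template with one group per situation.
SAMPLE_TEMPLATE = {"Resources": {
    "NoEgressProperty": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "x"}},
    "LoopbackOnly": {"Type": "AWS::EC2::SecurityGroup",
                     "Properties": {"GroupDescription": "x", "SecurityGroupEgress": LOOPBACK_TRICK}},
    "HttpsOnly": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "x", "SecurityGroupEgress": HTTPS_ONLY}},
}}

if __name__ == "__main__":
    for name, verdict in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {verdict}")
```

Running it prints one verdict per group; the group without a SecurityGroupEgress property is flagged allow-all, which is exactly the surprise the Update above describes. For a live account, feed each group's `IpPermissionsEgress` list from the DescribeSecurityGroups response straight into `classify_egress`.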