 

How to deny all outbound traffic from an AWS EC2 Instance using a Security Group?

I am trying to set an AWS Security Group egress rule which blocks all outbound traffic. It is known that, by default, security groups allow all outbound traffic.

I am using AWS CloudFormation, so how should I define the appropriate security group egress rule?

Chiranga Alwis Avatar asked Aug 11 '17 08:08





2 Answers

Even though CloudFormation does not allow empty SecurityGroupEgress or SecurityGroupIngress properties, you can trick it by allowing all outbound traffic to localhost only:

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Parameters:
  myVPC:                      # parameter for the VPC referenced below; not in the original snippet
    Type: AWS::EC2::VPC::Id
Resources:
  InstanceSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupName: block-outbound
      GroupDescription: Allow http to client host
      SecurityGroupEgress:
        # A /32 loopback destination is never reachable from the instance, so this
        # rule permits nothing while still satisfying the non-empty requirement.
        - IpProtocol: "-1"
          CidrIp: 127.0.0.1/32
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      VpcId: !Ref myVPC

This will achieve your aim of blocking all outbound traffic.

Raf Avatar answered Sep 16 '22 21:09



Security Groups always define ALLOW traffic. There is no concept of a DENY for security groups.

Therefore, if you wish to deny all traffic, simply have an empty Security Group.

However, please note that Security Groups are stateful. This means that, if the inbound security group permits a connection (e.g. a request coming into a web server), the response will be automatically permitted to exit the server. Therefore, it is only truly blocked if both the inbound and outbound security groups are empty (depending upon your configuration).

Other options for blocking the server are a host-based firewall rule (that is, a configuration within the operating system) or the use of Network Access Control Lists (NACLs) that operate at the Subnet level. NACLs have DENY rules that can block traffic in/out of a Subnet (but not to a specific instance).

Update

It turns out that, if no Egress rules are supplied, then the default "Allow All" rule is applied to the security group.

Therefore, you need to supply a rule that does nothing, so that the default rule doesn't apply.

For example:

"InstanceSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "VpcId": {
      "Ref": "VPC"
    },
    "SecurityGroupIngress": [
      {
        "IpProtocol": "tcp",
        "FromPort": "80",
        "ToPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    ],
    "SecurityGroupEgress": [
      {
        "IpProtocol": "tcp",
        "FromPort": "1",
        "ToPort": "1",
        "CidrIp": "0.0.0.0/32"
      }
    ]
  }
}
John Rotenstein Avatar answered Sep 17 '22 21:09

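As an added example (not part of either answer), a small Python audit that takes security groups in the shape returned by `aws ec2 describe-security-groups` and reports whether egress is genuinely open, restricted, or effectively none, recognising the placeholder rules both answers rely on (a loopback or 0.0.0.0/32 destination). The group entries are constructed sample data, not output from a real account.

```python
import ipaddress

# Constructed sample entries in the shape of `aws ec2 describe-security-groups`
# output (GroupIds are made up): the default allow-all group, the loopback-only
# trick from the first answer, the 0.0.0.0/32 placeholder from the second, and
# a genuinely restricted HTTPS-only group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "default-egress",
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "block-outbound",
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "127.0.0.1/32"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "placeholder-egress",
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 1, "ToPort": 1,
                              "IpRanges": [{"CidrIp": "0.0.0.0/32"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "https-only",
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def _is_dead_cidr(cidr):
    # Loopback or the unspecified address: no packet can leave the instance for it.
    net = ipaddress.ip_network(cidr, strict=False)
    return net.is_loopback or net.is_unspecified

def _rule_cidrs(rule):
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    return cidrs + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]

def classify_egress(group):
    """'open' = all protocols to anywhere; 'restricted' = some real destination
    allowed; 'none' = only placeholder rules, or no rules at all. In the live API
    an empty list really is no egress; the allow-all default exists only at creation."""
    live = []
    for rule in group.get("IpPermissionsEgress", []):
        # Prefix-list and security-group references are real destinations too.
        if rule.get("PrefixListIds") or rule.get("UserIdGroupPairs"):
            live.append(rule)
        elif any(not _is_dead_cidr(c) for c in _rule_cidrs(rule)):
            live.append(rule)
    if not live:
        return "none"
    for rule in live:
        if rule.get("IpProtocol") == "-1" and any(
                ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in _rule_cidrs(rule)):
            return "open"
    return "restricted"
```

Because the classification is static, it cannot see the stateful return traffic John describes; it only tells you whether the egress rule set itself opens anything.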