Allowing unrestricted outbound communications from a security group can enable compromised resources to exfiltrate data or communicate with attacker-controlled servers.

Why is this an issue?

When a security group allows all outbound communications, applications or services within the security group can send data to any external IP address or port without restriction. If a resource within the security group becomes compromised, attackers could send malicious traffic or exfiltrate data to external servers. This risk exists even if the resource is not directly exposed to the internet, for example when it is compromised through a supply chain attack.

What is the potential impact?

Data exfiltration

If a resource within the security group becomes compromised, unrestricted outbound access allows an attacker to silently send sensitive data such as credentials or database contents to external servers.

Malicious traffic propagation

A compromised resource can use unrestricted outbound access to communicate with attacker-controlled command-and-control servers, participate in DDoS attacks, probe internal network segments, or spread malware to other hosts.

How to fix it

Code examples

The following code example is vulnerable because the allow_all_outbound parameter is not explicitly set to False, which causes the security group to allow all outbound traffic by default.

Noncompliant code example

from aws_cdk import (
    Stack,
    aws_ec2 as ec2
)
from constructs import Construct


class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        vpc = ec2.Vpc(self, "vpc")

        ec2.SecurityGroup(  # Noncompliant: allow_all_outbound is enabled by default
            self,
            "example",
            vpc=vpc
        )

Compliant solution

from aws_cdk import (
    Stack,
    aws_ec2 as ec2
)
from constructs import Construct


class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        vpc = ec2.Vpc(self, "vpc")

        # Disable the implicit allow-all egress rule, then add only what is needed
        sg = ec2.SecurityGroup(
            self,
            "example",
            vpc=vpc,
            allow_all_outbound=False
        )

        # Explicit egress: HTTPS to a single known destination
        sg.add_egress_rule(
            peer=ec2.Peer.ipv4("203.0.113.127/32"),
            connection=ec2.Port.tcp(443)
        )

Resources

Documentation

Standards