Allowing unrestricted outbound communications can lead to data leaks.

A restrictive security group is an additional layer of protection that might prevent the abuse or exploitation of a resource. For example, once a vulnerability has been exploited, an egress allow list makes it harder for the attacker to exfiltrate data or reach a command-and-control server, because the compromised instance can only talk to the destinations that were explicitly permitted.

When deciding whether outgoing connections should be limited, consider that limiting them results in additional administration and maintenance work: every legitimate dependency (package repositories, AWS service endpoints, external APIs) has to be identified and kept in the allow list.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to restrict outgoing connections to a set of trusted destinations: disable the default allow-all egress rule and add one explicit egress rule per destination, protocol and port that the workload actually needs.

Sensitive Code Example

For aws_cdk.aws_ec2.SecurityGroup:

from aws_cdk import (
    aws_ec2 as ec2
)

ec2.SecurityGroup(  # Sensitive; allow_all_outbound is enabled by default
    self,
    "example",
    vpc=vpc
)

Compliant Solution

For aws_cdk.aws_ec2.SecurityGroup:

from aws_cdk import (
    aws_ec2 as ec2
)

sg = ec2.SecurityGroup(
    self,
    "example",
    vpc=vpc,
    allow_all_outbound=False  # do not create the implicit 0.0.0.0/0 egress rule
)

# Allow only what the workload needs: HTTPS to a single trusted host
sg.add_egress_rule(
    peer=ec2.Peer.ipv4("203.0.113.127/32"),
    connection=ec2.Port.tcp(443)
)

See