Skip to content

Files

Latest commit

 

History

History
29 lines (20 loc) · 631 Bytes

AWS007.md

File metadata and controls

29 lines (20 loc) · 631 Bytes

Pattern: An egress security group rule allows traffic to /0

Issue: -

Description

Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

Resolution: Set a more restrictive cidr range.

Examples

Example of incorrect code:

resource "aws_security_group_rule" "bad_example" {
	type = "egress"
	cidr_blocks = ["0.0.0.0/0"]
}

Example of correct code:

resource "aws_security_group_rule" "good_example" {
	type = "egress"
	cidr_blocks = ["10.0.0.0/16"]
}