VPC default security group allows unrestricted egress traffic Affecting VPC service in AWS

Severity Framework Snyk CCSS

Rule category Network / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CSA-CCM

Snyk ID SNYK-CC-00328
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Traffic from a resource could reach any destination. In the event of a breach, this means data could be uploaded externally or additional resources targeted.

How to fix?

Update the cidr_block attribute with a more restrictive IP range or a specific IP address to ensure traffic can only reach known destinations.

CloudFormation

Resource: AWS::EC2::SecurityGroup
Field: SecurityGroupIngress

Terraform

Resource: aws_default_security_group
Field: ingress
Field: egress

References

Security Groups for Your VPC
Adding, Removing, and Updating Rules