Security group rule allows open egress Affecting VPC service in AWS


Severity: medium
Severity score: 0.0 (Snyk CCSS, scale 0 to 10)
Rule category: Network / Best Practices

  • Frameworks: CIS-Controls, CSA-CCM
  • Snyk ID: SNYK-CC-00262
  • Credit: Snyk Research Team

Description

Open egress can be used to exfiltrate data to unauthorized destinations and enable access to potentially malicious resources.

How to fix?

Set the cidr_blocks attribute (or ipv6_cidr_blocks for IPv6 rules) to a more restrictive CIDR block, for example 192.16.0.0/24 or 2402:9400:10::/48.

Example Configuration

# aws_security_group example
resource "aws_security_group" "allowed" {
  egress {
    from_port = 0
    to_port   = 65535
    protocol  = "tcp"

    cidr_blocks = ["192.168.1.0/24"]
  }
}

# aws_security_group_rule example
resource "aws_security_group_rule" "allowed" {
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  security_group_id = "sg-12345678"

  type        = "egress"
  cidr_blocks = ["192.16.0.0/24"]
}
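The fix above restricts egress to a specific CIDR; the matching check is to flag any egress rule whose destination prefix covers the whole address space. The following detector is an added example, not Snyk's rule implementation or the page's own code. It runs over a constructed sample shaped like the IpPermissionsEgress section of `aws ec2 describe-security-groups` output (the group ids and names are made up), and uses the standard library's ipaddress module so that it also catches non-canonical spellings of an open range rather than only the literal strings 0.0.0.0/0 and ::/0.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ids, names and rules are placeholders, not real infrastructure.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-11111111",
        "GroupName": "open-egress",
        "IpPermissionsEgress": [
            {
                "IpProtocol": "-1",  # all protocols
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            }
        ],
    },
    {
        "GroupId": "sg-22222222",
        "GroupName": "restricted-egress",
        "IpPermissionsEgress": [
            {
                "IpProtocol": "tcp",
                "FromPort": 0,
                "ToPort": 65535,
                "IpRanges": [{"CidrIp": "192.16.0.0/24"}],
                "Ipv6Ranges": [{"CidrIpv6": "2402:9400:10::/48"}],
            }
        ],
    },
]


def is_open_cidr(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space.

    strict=False lets host bits be set (e.g. "10.0.0.1/0"), which AWS would
    normalise anyway; a prefix length of 0 is what makes the range open.
    """
    network = ipaddress.ip_network(cidr, strict=False)
    return network.prefixlen == 0


def open_egress_findings(groups):
    """Return one finding per egress rule destination that is fully open."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissionsEgress", []):
            destinations = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            destinations += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in destinations:
                if is_open_cidr(cidr):
                    findings.append(
                        {
                            "group_id": group["GroupId"],
                            "group_name": group.get("GroupName", ""),
                            "protocol": perm.get("IpProtocol"),
                            "from_port": perm.get("FromPort"),
                            "to_port": perm.get("ToPort"),
                            "cidr": cidr,
                        }
                    )
    return findings


if __name__ == "__main__":
    for finding in open_egress_findings(SAMPLE_GROUPS):
        print(
            f"{finding['group_id']} ({finding['group_name']}): egress "
            f"{finding['protocol']} to {finding['cidr']} is open"
        )
```

Running it reports the two open destinations on the first group and nothing for the second, which uses the restricted IPv4 and IPv6 ranges from the fix section. To run it against a real account, replace SAMPLE_GROUPS with the SecurityGroups list returned by boto3's describe_security_groups.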