Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Network/ Best Practices
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-ControlsCSA-CCM
- Snyk IDSNYK-CC-00262
- creditSnyk Research Team
Description
Open egress can be used to exfiltrate data to unauthorized destinations and enable access to potentially malicious resources.
How to fix?
Set the cidr_blocks/ipv6_cidr_blocks attribute with a more restrictive CIDR block, for example 192.16.0.0/24/2402:9400:10::/48.
Example configuration:
# aws_security_group example
resource "aws_security_group" "allowed" {
egress {
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = ["192.168.1.0/24"]
}
}
# aws_security_group_rule example
resource "aws_security_group_rule" "allowed" {
from_port = 0
to_port = 65535
protocol = "tcp"
security_group_id = "sg-12345678"
type = "egress"
cidr_blocks = ["192.16.0.0/24"]
}
Set Properties.SecurityGroupEgress.CidrIp attribute to specific ranges e.g. 192.168.1.0/24.