Egress Rule Not Configured to Restrict Outbound Traffic Affecting VPC service in AWS


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Network/ Firewall

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
  • Snyk IDSNYK-CC-00748
  • creditSnyk Research Team

Description

Allowing all outbound traffic by default due to missing egress rules can lead to data exfiltration and unauthorized external communications. Explicitly configuring egress rules helps in maintaining a least privilege network posture by only permitting necessary outbound connections.

How to fix?

Set the egress attribute in aws_network_acl resource.

Example Configuration


resource "aws_network_acl" "allow1" {
  vpc_id = aws_vpc.main.id

  egress {
    protocol   = "tcp"
    rule_no    = 200
    action     = "allow"
    cidr_block = "10.3.0.0/18"
    from_port  = 443
    to_port    = 443
  }

  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "10.3.0.0/18"
    from_port  = 80
    to_port    = 80
  }

}