Egress Rule Not Configured to Restrict Outbound Traffic Affecting VPC service in AWS

Snyk CCSS

Network / Firewall

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00748
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Allowing all outbound traffic by default due to missing egress rules can lead to data exfiltration and unauthorized external communications. Explicitly configuring egress rules helps in maintaining a least privilege network posture by only permitting necessary outbound connections.

How to fix?

Set the egress attribute in aws_network_acl resource.

Example Configuration


resource "aws_network_acl" "allow1" {
  vpc_id = aws_vpc.main.id

  egress {
    protocol   = "tcp"
    rule_no    = 200
    action     = "allow"
    cidr_block = "10.3.0.0/18"
    from_port  = 443
    to_port    = 443
  }

  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "10.3.0.0/18"
    from_port  = 80
    to_port    = 80
  }

}

Egress Rule Not Configured to Restrict Outbound Traffic Affecting VPC service in AWS

Severity

Description

How to fix?

Example Configuration

Terraform