Unrestricted Outbound Access on All Ports

Risk level: Medium (should be achieved)

Rule ID: EC2-033

Check your EC2 security groups for outbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) to any TCP/UDP ports and restrict access to only those IP addresses that require it in order to implement the principle of least privilege and reduce the possibility of a breach.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Allowing unrestricted (0.0.0.0/0 or ::/0) outbound/egress access can increase opportunities for malicious activity such as such as Denial of Service (DoS) attacks or Distributed Denial of Service (DDoS) attacks.

Audit

To determine if your EC2 security groups allow unrestricted outbound access, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the EC2 security group that you want to examine.

05 Select the Outbound tab from the dashboard bottom panel.

06 Verify the value available in the Destination column for any outbound/egress rules defined. If one or more rules have the destination set to 0.0.0.0/0 or ::/0 (Anywhere), the selected security group allows unrestricted outbound traffic, therefore the access to the Internet for any EC2 instances associated with the security group is not restricted.

07 Repeat steps no. 4 – 6 to verify other EC2 security groups available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all EC2 security groups currently available in the selected region:

aws ec2 describe-security-groups
	--region us-east-1
	--output table
	--query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested IDs:

------------------------
|DescribeSecurityGroups|
+----------------------+
|  sg-5008682b         |
|  sg-960167ed         |
|  sg-6e74d321         |
+----------------------+

03 Run again describe-security-groups command (OSX/Linux/UNIX) using an ID returned at the previous step as identifier and custom filtering to list all the outbound rules defined for the selected security group:

aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-5008682b
	--query 'SecurityGroups[*].IpPermissionsEgress[]'

04 The command output should return the requested outbound rules metadata:

[
    {
        "PrefixListIds": [],
        "FromPort": 80,
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "ToPort": 80,
        "IpProtocol": "tcp",
        "UserIdGroupPairs": []
    },

    ...

    {
        "PrefixListIds": [],
        "FromPort": 443,
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "ToPort": 443,
        "IpProtocol": "tcp",
        "UserIdGroupPairs": []
    }
]

Each JSON object returned at the previous step represents an outbound rule metadata. To identify any rules that allow unrestricted access, verify the CidrIp parameters value. If one or more rules returned have the CidrIp value set to 0.0.0.0/0 or ::/0, the selected security group allows unrestricted outbound traffic, therefore the access to the Internet for any EC2 instances associated with the security group is not restricted.

05 Repeat step no. 3 and 4 to verify other EC2 security groups available in the current region.

06 Repeat steps no. 1 – 5 to perform the audit process for other AWS regions.

Remediation / Resolution

To update your EC2 security groups outbound configuration in order to restrict access to specific destinations (IP addresses, IP ranges, etc), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the appropriate security group (see Audit section to identify the right one(s)).

05 Select the Outbound tab from the dashboard bottom panel and click the Edit button.

06 In the Edit outbound rules dialog box, change the traffic Destination for any outbound rules that allow unrestricted access (0.0.0.0/0), by performing one of the following actions:

Select My IP from the Destination dropdown list to allow outbound traffic only to your machine (to your public IP address).
Select Custom from the Destination dropdown list and enter one of the following options based on your access requirements:
- The static IP/Elastic IP address of the permitted host with the suffix set to /32, e.g. 56.160.52.238/32.
- The IP address range of the permitted hosts in CIDR notation, for example 56.160.52.238/24.
- The name or ID of another security group available in the same AWS region.

07 Click Save to apply the changes.

08 Repeat steps no. 4 – 7 to update other EC2 security groups that allow unrestricted outbound access.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, run revoke-security-group-egress command (OSX/Linux/UNIX) to remove the outbound rule(s) that allow unrestricted access (0.0.0.0/0) from the selected EC2 security group. Set the --protocol parameter value to tcp or udp based on your needs (the command does not return an output):

aws ec2 revoke-security-group-egress
	--region us-east-1
	--group-id sg-5008682b
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

02 Run authorize-security-group-egress command (OSX/Linux/UNIX) to add the egress rules removed at the previous step with a different set of parameters in order to restrict outbound access to specific destinations. To add custom outbound/egress rules to the selected security group, use one of the following options (the command does not produce an output):

Add an outbound rule that allows access only to the IP address range of the permitted hosts:

aws ec2 authorize-security-group-egress
--region us-east-1
--group-id sg-5008682b
--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "56.160.52.238/24"}]}]'

Add an outbound rule that allows access only to another EC2 security group in the same AWS region:

aws ec2 authorize-security-group-egress
	--region us-east-1
	--group-id sg-5008682b
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": "sg-960167ed"}]}]'

03 Change the IpProtocol, FromPort/ToPort and/or CidrIp/UserIdGroupPairs parameters value based on your access requirements and repeat step no. 1 and 2 to update any other EC2 security groups that allow unrestricted outbound access, using AWS CLI.

04 Repeat steps no. 1 - 3 to implement the entire process for other AWS regions.

References

AWS Documentation
Amazon EC2 Security Groups for Linux Instances
Security Groups for Your VPC

AWS Command Line Interface (CLI) Documentation
ec2
describe-security-groups
revoke-security-group-egress
authorize-security-group-egress

Publication date Jun 19, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Unrestricted Outbound Access on All Ports

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related EC2 rules