Chiranga Alwis

Reputation: 1111

How to deny all outbound traffic from an AWS EC2 Instance using a Security Group?

I am trying to set an AWS Security Group egress rule which blocks all outbound traffic. It has been known that by default, security groups allow all outbound traffic.

I am using AWS CloudFormation; how should the appropriate security group egress rule be defined?

Upvotes: 18

Views: 28292

Answers (4)

Raf

Reputation: 10117

Even though CloudFormation does not allow an empty SecurityGroupEgress or SecurityGroupIngress property, you can trick it by allowing all outbound traffic to localhost only:

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  InstanceSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties: 
      GroupName: block-outbound
      GroupDescription: Allow http to client host
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 127.0.0.1/32
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      VpcId: !Ref myVPC

This will achieve your aim of blocking all outbound traffic.

Upvotes: 15

John Rotenstein

Reputation: 270184

Security Groups always define ALLOW traffic. There is no concept of a DENY for security groups.

Therefore, if you wish to deny all traffic, simply have an empty Security Group.

However, please note that Security Groups are stateful. This means that, if the Inbound security group permits a connection (e.g. a request coming into a web server), the response will be automatically permitted to exit the server. Therefore, it is only truly blocked if both the inbound and outbound security groups are empty (depending upon your configuration).

Other options for blocking the server are a host-based firewall rule (that is, a configuration within the operating system) or the use of Network Access Control Lists (NACLs) that operate at the Subnet level. NACLs have DENY rules that can block traffic in/out of a Subnet (but not to a specific instance).

Update

It turns out that, if no Egress rules are supplied, then the default "Allow All" rule is applied to the security group.

Therefore, you need to supply a rule that does nothing, so that the default rule doesn't apply.

For example:

"InstanceSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "VpcId": {
      "Ref": "VPC"
    },
    "SecurityGroupIngress": [
      {
        "IpProtocol": "tcp",
        "FromPort": "80",
        "ToPort": "80",
        "CidrIp": "0.0.0.0/0"
      }
    ],
    "SecurityGroupEgress": [
      {
        "IpProtocol": "tcp",
        "FromPort": "1",
        "ToPort": "1",
        "CidrIp": "0.0.0.0/32"
      }
    ]
  }
}

Upvotes: 29
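As an added check that is not part of either answer above (and not AWS or boto3 code), the following Python tells the placeholder egress rules Raf and John describe (all traffic to 127.0.0.1/32, or tcp/1 to 0.0.0.0/32) apart from rules that really permit outbound traffic. It takes rules in the shape boto3's describe_security_groups returns under IpPermissionsEgress; the sample rule sets are constructed, so it runs offline.

```python
import ipaddress

# Constructed sample egress rule sets, in the shape boto3's
# describe_security_groups returns under "IpPermissionsEgress".
DEFAULT_EGRESS = [  # what AWS applies when a template supplies no egress rules
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
LOOPBACK_PLACEHOLDER = [  # Raf's answer: all protocols, to 127.0.0.1/32 only
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "127.0.0.1/32"}]},
]
UNROUTABLE_PLACEHOLDER = [  # John's update: tcp port 1 to 0.0.0.0/32
    {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 1,
     "IpRanges": [{"CidrIp": "0.0.0.0/32"}]},
]
REAL_EGRESS = [  # a rule that genuinely permits outbound traffic
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]


def _is_dead_destination(cidr: str) -> bool:
    """True for a single-host CIDR that outbound traffic can never reach
    through the VPC: the loopback address or the unspecified address."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = net.network_address
    return net.num_addresses == 1 and (addr.is_loopback or addr.is_unspecified)


def rule_is_placeholder(rule: dict) -> bool:
    """A rule is a placeholder only if every destination is a dead address.
    References to other security groups or prefix lists are real destinations."""
    if rule.get("UserIdGroupPairs") or rule.get("PrefixListIds"):
        return False
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return bool(cidrs) and all(_is_dead_destination(c) for c in cidrs)


def effective_egress(rules: list) -> list:
    """Egress rules that can actually match an outbound connection."""
    return [r for r in rules if not rule_is_placeholder(r)]


def egress_blocked(rules: list) -> bool:
    """True when the group lets the instance initiate no outbound connection.
    Security groups are stateful, so replies to connections allowed inbound
    still leave the instance regardless of this result."""
    return not effective_egress(rules)


if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_EGRESS), ("loopback", LOOPBACK_PLACEHOLDER),
                        ("unroutable", UNROUTABLE_PLACEHOLDER), ("real", REAL_EGRESS)]:
        print(f"{name:10s} blocked={egress_blocked(rules)}")
```

This audits the live state of a group; John's update still applies at template time, where omitting SecurityGroupEgress entirely yields the default allow-all rule rather than an empty list.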

Pawan Kumar

Reputation: 66

Security groups aren't intended to block the traffic. They are permissive in nature. If you want to block the outbound traffic on a certain IP/range then use Access Control on VPC which will block or allow ingress or egress traffic according to your rules.

Upvotes: 0

Ashan

Reputation: 19758

In your CloudFormation script, you can include the custom rules under 'SecurityGroupEgress' attribute as shown below.

"InstanceSecurityGroup" : {
   "Type" : "AWS::EC2::SecurityGroup",
   "Properties" : {
      "GroupDescription" : "Allow http to client host",
      "VpcId" : {"Ref" : "myVPC"},
      "SecurityGroupIngress" : [{
            "IpProtocol" : "tcp",
            "FromPort" : "80",
            "ToPort" : "80",
            "CidrIp" : "0.0.0.0/0"
         }],
      "SecurityGroupEgress" : [{
         "IpProtocol" : "tcp",
         "FromPort" : "80",
         "ToPort" : "80",
         "CidrIp" : "0.0.0.0/0"
      }]
   }
}

For more details check the AWS User Guide.

Upvotes: -2
