Reputation: 19382
AWS Cloudformation: Security Group Rule to allow all egress
I am using the following egress rule in a security group definition of a cloudformation template
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 0
ToPort: 65535
CidrIp: 0.0.0.0/0
However this does not end up in a rule that allow all outbound traffic;
What is the proper way to define an allow-all-outbound rule?
Upvotes: 9
Views: 15200
Answers (2)
Reputation: 420
This is an old thread, but people still find it in searches... True, there are times the default doesn't work well, such as when using cfn_nag_scan to scan the cft.
Here is what you are looking for:
SecurityGroupEgress:
- Description: Allow all outbound traffic
IpProtocol: "-1"
CidrIp: 0.0.0.0/0
Upvotes: 20
Reputation: 1187
I must add this info from the AWS documentation, as defining such a policy might not be necessary,
"When you create a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location. The default rule is removed only when you specify one or more egress rules. "
here's the link, https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#w2ab1c21c10d473c17
Typically, you define some specific port/protocol.
Upvotes: 5
Related Questions
- How do I add a cloudformation security group ingress rule that refers to another security group?
- Is it possible to delete the aws Security Group Default Egress allow all Rule with Cloudformation?
- Adding rule to the security group which is created automatically
- AWS Cloudformation - Add condition to security group egress rule
- Cloudformation Security Group configuration using list
- AWS CloudFormation use existing security group
- AWS Cloudformation: Security group is not valid
- AWS CloudFormation: Creating Security Group fails while it is referencing another security
- Cloudformation security group set group name
- Security Group not accepting in CloudFormation Template