Reputation: 1065
I want to restrict outbound traffic for my EC2 instance, to only allow outbound connections to AWS services such as ECR, EFS. However, these services don't have static IP addresses, so I can't add this to the security groups. Is there a common way to do this which I have missed?
Upvotes: 0
Views: 2965
Reputation: 1626
There are services exposing their IPs like EFS, FSx, RDS, etc., in which case the IP would at least appear in your "Network Interfaces" on the EC2 page so that you can apply your Security Group rule.
In some cases, such as EFS, it even asks you to apply a SG during the creation. ECS has EC2 instances deployed if it isn't using Fargate. ECR is restricted at app layer, but you can further restrict/allow IPs with a policy.
So, there's always a way to know the IPs to allow/restrict or a way to do it and, if the service has no IP, then yes, you'll not be able to add it to a Security Group, but an attacker won't be able to target it either.
As for those AWS services your instance must contact in order to work, they are allowed by default; see the AWS documentation:
Amazon security groups and network ACLs do not filter traffic destined to and from the following Amazon services:
- Amazon Domain Name Services (DNS)
- Amazon Dynamic Host Configuration Protocol (DHCP)
- Amazon EC2 instance metadata
- Amazon Windows license activation
- Amazon Time Sync Service
- Reserved IP address of the default VPC router
So, there is no chance you can (accidentally) restrict access to AWS internal services (such as IAM).
Upvotes: 0
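An added Terraform example (not part of the answer above) of the EFS case the answer describes: the mount targets get their own security group, and the instance's security group is allowed to send only NFS traffic to that group, so no IP addresses appear in the rules at all. `var.vpc_id` and `var.subnet_ids` are assumed inputs; the resource names are hypothetical.

```hcl
# Added example, not from the answer or AWS: restrict EC2 egress to EFS mount
# targets by security-group reference instead of by IP address.
# var.vpc_id and var.subnet_ids are assumed inputs.

variable "vpc_id"     { type = string }
variable "subnet_ids" { type = list(string) }

# Instance SG. No egress blocks are declared, so Terraform removes the
# default allow-all egress rule; the single rule below is the only outbound path.
resource "aws_security_group" "instance" {
  name   = "app-instance"
  vpc_id = var.vpc_id
}

# SG attached to every EFS mount target: accept NFS only from the instance SG.
resource "aws_security_group" "efs_mount" {
  name   = "efs-mount-target"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 2049
    to_port         = 2049
    protocol        = "tcp"
    security_groups = [aws_security_group.instance.id]
  }
}

# Egress from the instance SG to whatever ENI carries the mount-target SG.
# A separate rule resource avoids a dependency cycle between the two groups.
resource "aws_security_group_rule" "instance_to_efs" {
  type                     = "egress"
  security_group_id        = aws_security_group.instance.id
  source_security_group_id = aws_security_group.efs_mount.id
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
}

resource "aws_efs_file_system" "data" {
  encrypted = true
}

# One mount target per subnet; this is the "apply a SG during creation" step.
resource "aws_efs_mount_target" "data" {
  for_each        = toset(var.subnet_ids)
  file_system_id  = aws_efs_file_system.data.id
  subnet_id       = each.value
  security_groups = [aws_security_group.efs_mount.id]
}
```

Attach `aws_security_group.instance.id` to the instance's `vpc_security_group_ids`. If the mount target's ENI is later replaced, its IP changes but the rule keeps working, which is the advantage of the group reference over a CIDR entry.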
Reputation: 21
I know it's a very very old question, stumbled across this while trying to figure this out myself. By default AWS security groups allow all outbound traffic. Outbound traffic can be blocked by
Upvotes: 0
Reputation: 21
The standard way to do this is to run your instances in a private subnet and use a VPC endpoint to provide access to AWS services.
But before taking that step, what is the threat that you're attempting to overcome?
Upvotes: 2
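An added Terraform example (not the answer's own code) of the private-subnet-plus-VPC-endpoint approach, using ECR from the question: interface endpoints for `ecr.api` and `ecr.dkr` and a gateway endpoint for S3 (image layers are served from S3), with the instance security group permitting egress only to the endpoint security group and to the S3 endpoint's managed prefix list. `var.vpc_id`, `var.region`, `var.private_subnet_ids` and `var.private_route_table_id` are assumed inputs; resource names are hypothetical.

```hcl
# Added example, not from the answer or AWS: instances in a private subnet reach
# ECR only through VPC endpoints, and their SG permits egress only to those
# endpoints. All variables below are assumed inputs.

variable "vpc_id"                 { type = string }
variable "region"                 { type = string }
variable "private_subnet_ids"     { type = list(string) }
variable "private_route_table_id" { type = string }

# Instance SG. No egress blocks, so Terraform strips the default allow-all
# egress rule; the two rules further down are the only outbound paths.
resource "aws_security_group" "instance" {
  name   = "private-app"
  vpc_id = var.vpc_id
}

# SG on the interface endpoints: accept HTTPS only from the instance SG.
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.instance.id]
  }
}

# Gateway endpoint for S3, attached to the private route table.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_route_table_id]
}

# Interface endpoints for the ECR API and the Docker registry endpoint.
# private_dns_enabled makes the normal ECR hostnames resolve to the endpoint.
resource "aws_vpc_endpoint" "ecr" {
  for_each            = toset(["ecr.api", "ecr.dkr"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}

# Egress 1: HTTPS to the interface endpoints, by security-group reference.
resource "aws_security_group_rule" "to_endpoints" {
  type                     = "egress"
  security_group_id        = aws_security_group.instance.id
  source_security_group_id = aws_security_group.endpoints.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
}

# Egress 2: HTTPS to S3 via the gateway endpoint's managed prefix list, so
# no S3 IP ranges have to be maintained by hand.
resource "aws_security_group_rule" "to_s3" {
  type              = "egress"
  security_group_id = aws_security_group.instance.id
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
}
```

The subnet must have no route to an internet gateway or NAT gateway for the restriction to mean anything; with that in place, a `docker pull` from the instance succeeds only through the endpoints, and any other outbound connection is dropped by the security group. IAM still governs which repositories the instance role may read; the endpoints only change the network path.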