Security group egress with port range
Id: dae9c373-8287-462f-8746-6f93dad93610
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Networking and Firewall
Description
Egress rules should restrict outbound traffic to a single explicit port to enforce least privilege. Allowing port ranges expands the attack surface and can enable unintended outbound connections, lateral movement, or data exfiltration.
In CloudFormation, AWS::EC2::SecurityGroupEgress resources must have Properties.FromPort and Properties.ToPort defined and set to the same value. For AWS::EC2::SecurityGroup resources, each entry in Properties.SecurityGroupEgress must have FromPort equal to ToPort. Resources missing these properties, or where FromPort does not equal ToPort, will be flagged. Set both properties to the same explicit port number (for example, 443) instead of using a range.
Secure configuration examples:
MyEgressRule:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: sg-01234567
    IpProtocol: tcp
    FromPort: 443
    ToPort: 443
    CidrIp: 10.0.0.0/16
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Example security group
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 10.0.0.0/16

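As an added illustration, not part of this rule's own implementation, the following Python checker applies the FromPort equals ToPort test described above to a constructed JSON template. It covers both the standalone AWS::EC2::SecurityGroupEgress resource and inline SecurityGroupEgress entries of an AWS::EC2::SecurityGroup, and (an assumption beyond the rule text) it also flags ports given as a non-literal value such as a Ref, since those cannot be verified statically.

```python
import json

EGRESS_TYPE = "AWS::EC2::SecurityGroupEgress"
SG_TYPE = "AWS::EC2::SecurityGroup"

# Constructed sample template: one compliant inline egress entry, one entry with
# no ports at all (protocol -1), and one standalone rule opening the full range.
SAMPLE_TEMPLATE = """{
  "Resources": {
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"},
          {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "WideEgress": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {"GroupId": "sg-01234567", "IpProtocol": "tcp",
                     "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}
    }
  }
}"""


def egress_port_findings(template: dict) -> list[str]:
    """One finding per egress rule whose FromPort != ToPort, or whose ports are
    missing or not literal integers (an unresolved Ref/intrinsic is flagged too)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props, rtype = res.get("Properties", {}), res.get("Type")
        if rtype == EGRESS_TYPE:
            rules = [(name, props)]
        elif rtype == SG_TYPE:
            rules = [(f"{name}.SecurityGroupEgress[{i}]", r)
                     for i, r in enumerate(props.get("SecurityGroupEgress", []))]
        else:
            continue  # ingress rules and other resource types are out of scope
        for path, rule in rules:
            frm, to = rule.get("FromPort"), rule.get("ToPort")
            if type(frm) is not int or type(to) is not int:
                findings.append(f"{path}: FromPort/ToPort missing or not a literal integer")
            elif frm != to:
                findings.append(f"{path}: port range {frm}-{to}, expected a single port")
    return findings


def scan_template_json(text: str) -> list[str]:
    return egress_port_findings(json.loads(text))
```

Running `scan_template_json(SAMPLE_TEMPLATE)` reports the protocol -1 entry and the 0-65535 rule while leaving the 443-only entry untouched.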
Compliant Code Examples
Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          Description: TCP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          Description: TCP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  OutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: TCP
      IpProtocol: tcp
      FromPort: 0
      ToPort: 0
      DestinationSecurityGroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
  InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: TCP
      IpProtocol: tcp
      FromPort: 0
      ToPort: 0
      SourceSecurityGroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "Description": "TCP"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "GroupDescription": "Allow http to client host"
      },
      "Type": "AWS::EC2::SecurityGroup"
    },
    "OutboundRule": {
      "Properties": {
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 0,
        "DestinationSecurityGroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        },
        "Description": "TCP"
      },
      "Type": "AWS::EC2::SecurityGroupEgress"
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 0,
        "SourceSecurityGroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        }
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 87,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupEgress": [
          {
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 87,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ]
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "DestinationSecurityGroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        },
        "Description": "TCP"
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        },
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "SourceSecurityGroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        }
      }
    }
  }
}

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          Description: TCP
          FromPort: 80
          ToPort: 87
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          Description: TCP
          FromPort: 80
          ToPort: 87
          CidrIp: 0.0.0.0/0
  OutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: TCP
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      DestinationSecurityGroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
  InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: TCP
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      SourceSecurityGroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId