Network engineers and security professionals spent decades securing on-prem
networks. Today many workloads run in the cloud. Ten years ago, if you wanted
to build out infrastructure you needed purchase orders and months of lead time.
Today you only need a credit card to build out the same thing in the cloud.

Agile delivery and DevOps means developers with little network or security
knowledge are often put in charge of building and managing cloud environments.
Many introductory tutorials omit a lot of the necessary security controls. In
the case of AWS, many of the default settings neither implement security best
practices nor even encourage users to implement the recommendations from Amazon’s
own Well Architected Framework.

One of the areas where this is most glaring is security groups and more
specifically egress controls. The AWS console, CLI and SDKs default to allowing
all traffic to exit security groups. Sure this makes it easy to connect to the
internet from your application. It also makes it very easy for an attacker
wanting to exfiltrate data once they have compromised resources in your stack.

Information security has the concept of “assume breach”. The idea behind this is
that applications and infrastructure are architected in such a way that the
impact of any breach is minimised. Make life difficult once an attacker has
broken through your defences.

Not allowing open egress is an important component of your security controls.
Generally developers know what inbound connections should be allowed for their
environments. 443/tcp to the load balancer, 22/tcp to the bastion and so on.
When it comes to outbound connections more often than not developers use the
default option — open.

Teams should adopt the same allow-listing approach to egress that has been a
standard security control for ingress for over 2 decades. It takes a small
amount of time upfront to identify all the legitimate connections required
within an environment. Still, it takes a lot longer to deal with a breach where
the attacker was able to easily extract all of your data.

Developers need to know what network connections their application makes. If
you’re building immutable infrastructure there’s no need to connect to operating
system package repositories. Similarly your bastion should only allow
connections to the database nodes. Generally a connection to an IRC server or
third party DNS is an indicator of compromise.

Say your load balancer is in the load-balancer security group and your web
servers are in the web security group. You need a rule allowing traffic out of
load-balancer on 443/tcp (or 80/tcp if you’re offloading TLS at the load
balancer) with a target of the web security group. Then in the web security
group, you need to allow 443/tcp (or 80/tcp) in from the load-balancer group. The
web servers need to connect to the RDS instances, so that means two new rules:
one to allow 3306/tcp out of the web group to the db group and one to allow
3306/tcp in from the web group to the db group. Then there’s the connection to
the S3 endpoint, the resources used by the CodePipeline and so on.

Managing all of these two sided or “mutual” security group rules gets tedious.

For many teams, determining the appropriate rules is challenging. The effort
involved in manually creating mutual rules kills any prospect of it happening in
existing environments. If you’re using Terraform, it doesn’t need to be like
that.

While trying to roll out mutual security group rules at scale, I realised a need
for a module to make this easier. That module is now available on the Terraform
Registry as skwashd/mutual-security-groups/aws.
Drop this module into your configuration and specify the connections between
your security groups.

Using the example above for our web servers we could use something like this to
allow the connections needed for our application to function properly:

module "mutual-security-groups" {
  source  = "skwashd/mutual-security-groups/aws"
  version = "1.0.0"

  # Each entry creates a matching pair of rules: egress on source_sg_id
  # towards target_sg_id, and ingress on target_sg_id from source_sg_id.
  rules = [
    {
      source_sg_id     = "sg-a1ba1"   # ALB security group
      target_sg_id     = "sg-80443"   # web security group
      destination_port = "80"
      description      = "Allow HTTP from the ALB to webs"
    },
    {
      source_sg_id     = "sg-80443"   # web security group
      target_sg_id     = "sg-db3306"  # db security group
      destination_port = "3306"
      description      = "Allow webs to RDS"
    },
    {
      source_sg_id     = "sg-80443"   # web security group
      target_sg_id     = "sg-f113s"   # S3 VPC endpoint security group
      destination_port = "443"
      description      = "Allow webs to S3 endpoint"
    }
  ]
}

Internally the module uses the aws_security_group_rule resource to create the
security group rules. This means that in your other modules you can define the
security groups with egress locked down, and the module will set up the rules
correctly for you.
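To show what the module produces for the web to db connection described above, here is an added example (not the post's or the module's own code) that spells out the mutual pair of aws_security_group_rule resources by hand; the VPC variable, group names and the local rule map are assumptions. It uses for_each so the same pattern covers every entry of a rule map, not just this one.

```hcl
# Added example: hand-rolled mutual rules. Both groups are declared without
# an egress block; the AWS provider removes the default allow-all egress rule
# on groups it creates, so nothing leaves them until a rule below allows it.
variable "vpc_id" { type = string }  # assumed input

resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "db" {
  name   = "db"
  vpc_id = var.vpc_id
}

# Assumed rule map: one entry per allowed connection, mirroring the module's
# rules list. Adding a connection means adding a row here, nothing else.
locals {
  mutual_rules = {
    web_to_db = {
      source      = aws_security_group.web.id
      target      = aws_security_group.db.id
      port        = 3306
      description = "Allow webs to RDS"
    }
  }
}

# Egress half: on the SOURCE group, towards the target group. For type =
# "egress" the provider's source_security_group_id names the destination.
resource "aws_security_group_rule" "egress" {
  for_each                 = local.mutual_rules
  type                     = "egress"
  security_group_id        = each.value.source
  source_security_group_id = each.value.target
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
  description              = each.value.description
}

# Ingress half: on the TARGET group, from the source group.
resource "aws_security_group_rule" "ingress" {
  for_each                 = local.mutual_rules
  type                     = "ingress"
  security_group_id        = each.value.target
  source_security_group_id = each.value.source
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
  description              = each.value.description
}
```

Keep inline ingress/egress blocks out of the aws_security_group resources when using standalone rules like these, since the provider treats the two styles as conflicting definitions of the same group.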
