Close the Gate: Why You Need Egress Controls in your Security Groups

Network engineers and security professionals spent decades securing on prem
networks. Today many workloads run in the cloud. 10 years ago if you wanted
build out infrastructure you needed purchase orders and months of lead time.
Today you only need a credit card to build out the same thing in the cloud.

Agile delivery and DevOps means developers with little network or security
knowledge are often put in charge of building and managing cloud environments.
Many introductory tutorials omit a lot of the necessary security controls. In
the case of AWS many of the default settings don’t implement security best
practices or even encourage users to implement the recommendations from Amazon’s
own Well Architected
Framework.

One of the areas where this is most glaring is security groups and more
specifically egress controls. The AWS console, CLI and SDKs default to allowing
all traffic to exit security groups. Sure this makes it easy to connect to the
internet from your application. It also makes it very easy for an attacker
wanting to exfiltrate data once they have compromised resources in your stack.

Information security has the concept of “assume breach”. The idea behind this is
that applications and infrastructure are architected in such a way that the
impact of any breach is minimised. Make life difficult once an attacker has
broken through your defences.

Not allowing open egress is an important component of your security controls.
Generally developers know what inbound connections should be allowed for their
environments. 443/tcp to the load balancer, 22/tcp to the bastion and so on.
When it comes to outbound connections more often than not developers use the
default option — open.

Teams should adopt the same allow listing approach to egress that has been a
standard security control for ingress for over 2 decades. It takes a small
amount of time upfront to identify all the legitimate connections required
within an environment. Still it takes a lot longer to deal with a breach where
the attacker was able to easily extract all of your data.

Developers need to know what network connections their application makes. If
you’re building immutable infrastructure there’s no need to connect to operating
system package repositories. Similarly your bastion should only allow
connections to the database nodes. Generally a connection to an IRC server or
third party DNS is an indicator of compromise.

Say your load balancer is in the load-balancer security group and your web
servers are in the web security group; you need a rule allowing traffic out
load-balancer for 443/tcp (or 80/tcp if you’re offloading TLS at the load
balancer) with a target of the web security group. Then in the web security
group, you need to allow 443/tcp (or 80/tcp) from the load balancer group. The
web servers need to connect to the RDS instances, so that means two new rules –
one to allow 3306/tcp the web group to connect to the db group and one to allow
3306/tcp from the web group into the db group. Then there’s the connection to
the S3 endpoint, the resources used by the CodePipeline and so on.

Managing all of these two sided or “mutual” security group rules gets tedious.

For many teams, determining the appropriate rules is challenging. The effort
involved in manually creating mutual rules kills any prospect of it happening in
existing environments. If you’re using terraform it doesn’t need to be like
that.

While trying to roll out mutual security group rules at scale, I realised a need
for a module to make this easier. That module is now available on the Terraform
Registry as
skwashd/mutual-security-groups/aws.
Drop this module into your configuration and specify the connections between
your security groups.

Using the example above for our web servers we could use something like this to
allow the connections needed for our application to function properly:

module "mutual-security-groups" {
  source  = "skwashd/mutual-security-groups/aws"
  version = "1.0.0"
  rules = [
     {
         source_sg_id = "sg-a1ba1"
         target_sg_id = "sg-80443"
         destination_port = "80"
         description = "Allow HTTP from the ALB to webs"
     },
     {
         source_sg_id = "sg-80443"
         target_sg_id = "sg-db3306"
         destination_port = "3306"
         description = "Allow webs to RDS"
     },
     {
         source_sg_id = "sg-80443"
         target_sg_id = "sg-f113s"
         destination_port = "443"
         description = "Allow webs to S3 endpoint"
     }
  ]
}

Internally the module uses the aws_security_group_rule
resource
to create the security group rules. This means in your other modules you can
define the security groups with egress locked down and the module will setup the
rules properly for you.

15 Essential WordPress Plugins For Every Site

WordPress is the most widely used content management system (CMS) in the world, powering over 40% of all websites. One of the key reasons for its popularity is its vast selection of plugins. WordPress plugins are pieces of software that can be added to your site to enhance its functionality, design, and performance. Plugins are... […]

Exploring Premium WordPress Themes Our Recommendations

WordPress is one of the most popular and user-friendly content management systems for creating websites. With its vast library of themes, users have the option to choose from both free and premium options. Premium WordPress themes offer more advanced features and customization options, making them a preferred choice for many website owners. Premium WordPress themes... […]

Analyzing Chat GPT Impact on Stock Markets: An Expert’s Take

Curious about the impact of ChatGPT on stock markets? We’ll explore the role of ChatGPT in stock market analysis, highlighting its benefits and limitations. From enhanced data processing to improved decision-making, we’ll discuss how ChatGPT can aid in making investment decisions. Learn how to utilize ChatGPT for stock market analysis and the potential impact of... […]

Exploring Free Chat GPT Platforms for Enhanced Communication

In today’s digital age, communication has evolved with the help of advanced technologies like Chat GPT platforms. These tools offer a new way to interact and engage with others, enhancing the overall communication experience. We will delve into the world of free Chat GPT platforms, exploring their features, benefits, and how they can revolutionize the... […]

Unveiling the Sinister Truth Behind the ‘Dead Internet Theory’ and its AI-Run Web

The “dead internet theory” suggests that artificial intelligence (AI) and bot-generated content have overtaken human-generated content on the internet. This theory has gained attention due to the popularity of AI-generated images of shrimp Jesus on platforms like Facebook.… The post Unveiling the Sinister Truth Behind the ‘Dead Internet Theory’ and its AI-Run Web appeared first […]

I use this everyday

??Join the NetworkChuck Academy!: https://ntck.co/NCAcademy Dive into this Five Minute Friday with NetworkChuck as he unveils a game-changing tip for tech enthusiasts: copying and pasting in the terminal!… The post I use this everyday appeared first on WIREDGORILLA.

Close the Gate: Why You Need Egress Controls in your Security Groups

Fresh Resources for Web Designers and Developers (July 2023)

Modern Technology And The Future Of Language Translation — Smashing Magazine

8 Super Useful WordPress Plugins for Your Website – Web Design Ledger

7 Graphic Design Tools I Can’t Live Without in 2020

Revealing Images With CSS Mask Animations — Smashing Magazine

Living In The Moment (August 2023 Wallpapers Edition) — Smashing Magazine

BEST Web Hosting

LINUX Punx

Drupal Hosting

Similar Posts