Home Why Amazon VPC outbound traffic needs to be restricted?

Why Amazon VPC outbound traffic needs to be restricted?

-

Cloud security is one of the major concerns of cloud computing. Organizations want their cloud environment to be as secure as possible as their dependency over the cloud is increasing day by day due to the deployment of the majority of their resources on the cloud. Amazon VPC is responsible for managing the entire networking aspect of AWS cloud infrastructure. It is necessary to follow certain recommendations given related to outbound security group rule which will help to further enhance security levels of your cloud infrastructure.

Why it is necessary for a security group to restrict outbound traffic in Amazon VPC?

AWS allows users to associate their VPC with a security group. As discussed earlier in our insider piece, a security group is like a firewall that controls the inbound or outbound (incoming or outgoing) traffic for your instances. If no security group is assigned to an instance in Amazon VPC, then it is automatically assigned to the default security group of the VPC which allows public access to all the associated resources.

By default, a security group includes an outbound rule allowing all outbound traffic related to instances attached to the security group. It is recommended that user should remove this rule and add its own custom outbound rules that allow outbound traffic to specific hosts or sources only.

Adding inbound and outbound rules help in enhancing the security of your cloud infrastructure as they allow incoming and outgoing traffic only to specified sources. Therefore, it becomes important to ensure that security group restricts all outbound traffic.

How can Centilytics help you?

Centilytics provides a dedicated insight regarding this default security groups rule and shows the status of all the security group and specifies whether security group restricts outbound traffic or not. This allows users to act against their default security group in their AWS account and ensure the safety of their cloud infrastructure.

Insight descriptions:

There can be 2 possible scenarios:

Severity Description
OK This indication will be displayed when the corresponding security group in Amazon VPC has a custom outbound rule which denies all outbound traffic.
AWS EBS PUBLIC SNAPSHOTCRITICAL This indication will be displayed when the corresponding security group does not have a custom outbound rule. Instead, it has the default outbound rule which allows all outbound traffic.

 

Description of further columns are as follows:

  1. Account Id: This column Shows the respective account ID of the user’s account.AWS VPC Outbound traffic-ss1
  2. Account Name: This column shows the corresponding account name to the user’s account.AWS VPC Outbound traffic-ss2
  3. Security Group Id: This column shows the corresponding unique security group ID of the security group which is used to identify and differentiate among different security groups.AWS VPC Outbound traffic-ss3
  1. Security Group Name: This column shows the corresponding name of the security group.AWS VPC Outbound traffic-ss4

Filters applicable:

Filter Name Description
Account Id Applying the account Id filter will display data for the selected account Id.
Region Applying region filter will display data according to the selected region.
Severity Applying severity filter will display data according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for warning and ok severity types
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g.- If the user has tagged some resource by a tag named environment, then selecting an environment from the resource tags filter will display all the data accordingly.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. If the user has tagged some resource by a tag named environment and has given it a value say production (environment:production), then the user will be able to view data of all the resources which are tagged as “environment:production”.  The user can use the tag value filter only when a tag name has been provided.

 

Compliances covered

Compliance Name Reference No. Link
PCI 1.2.1 https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html
ISO 27001 A.9.1.2, A.13.1.3, A.13.2.1, A.13.2.3 https://www.iso.org/standard/54534.html
NIST NIST 800-53 (SC-2,SC-7,AC-4,AC-17) https://docs.aws.amazon.com/quickstart/latest/compliance-nist/welcome.html

 

Read More:

[1] https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html

[2] https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#VPCSecurityGroups

Cloud

Cloud Management