I am trying to set an AWS Security Group egress rule which blocks all outbound traffic. It has been known that by default, security groups allow all outbound traffic.
I am using AWS CloudFormation; how should I define the appropriate security group egress rule?
Security Groups always define ALLOW traffic. There is no concept of a DENY for security groups.
Therefore, if you wish to deny all traffic, simply have an empty Security Group.
However, please note that Security Groups are stateful. This means that, if the Inbound security group permits a connection (e.g. a request coming into a web server), the response will be automatically permitted to exit the server. Therefore, it is only truly blocked if both the inbound and outbound security groups are empty (depending upon your configuration).
Other options for blocking the server are a host-based firewall rule (that is, a configuration within the operating system) or the use of Network Access Control Lists (NACLs) that operate at the Subnet level. NACLs have DENY rules that can block traffic in/out of a Subnet (but not to a specific instance).
Update
It turns out that, if no Egress rules are supplied, then the default "Allow All" rule is applied to the security group.
Therefore, you need to supply a rule that does nothing, so that the default rule doesn't apply.
For example:
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow HTTP in, placeholder egress so the default allow-all rule is not applied",
        "VpcId": {
          "Ref": "VPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "80",
            "ToPort": "80",
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "1",
            "ToPort": "1",
            "CidrIp": "0.0.0.0/32"
          }
        ]
      }
    }
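The pitfall in the update above (a security group with no SecurityGroupEgress gets the default allow-all rule) is easy to miss in review. As an added example that is not part of the original answer, here is a small template lint in Python that reads a CloudFormation JSON template and flags every AWS::EC2::SecurityGroup that either supplies no egress rules (implicit allow-all) or supplies an explicit rule to 0.0.0.0/0 or ::/0. The sample template embedded below is constructed for the example; the resource names, the "vpc-placeholder" value and the function names are assumptions, not anything from the original page.

```python
"""Lint CloudFormation security groups for implicit or explicit allow-all egress.

Added example, not code from the original answer. Assumes a JSON template with
the standard AWS::EC2::SecurityGroup resource shape shown in the answer.
"""
import json

# Destinations that mean "anywhere"; a rule to one of these is open egress.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def egress_findings(template: dict) -> dict:
    """Return {logical_id: reason} for each security group whose egress is effectively allow-all.

    - no SecurityGroupEgress supplied (key absent or empty list): CloudFormation
      leaves the default allow-all egress rule in place
    - a rule whose CidrIp / CidrIpv6 is 0.0.0.0/0 or ::/0: explicit open egress
    A rule to a throwaway destination such as 0.0.0.0/32 (the answer's trick) is
    not flagged, because it allows nothing useful and suppresses the default rule.
    """
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = resource.get("Properties", {})
        egress = props.get("SecurityGroupEgress")
        if not egress:
            findings[logical_id] = (
                "no egress rules supplied: CloudFormation applies the default allow-all egress rule"
            )
            continue
        for rule in egress:
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr in OPEN_CIDRS:
                proto = str(rule.get("IpProtocol"))
                findings[logical_id] = f"explicit open egress to {cidr} (IpProtocol {proto})"
                break
    return findings


def lint_template_text(text: str) -> dict:
    """Parse a JSON template string and return its egress findings."""
    return egress_findings(json.loads(text))


# Constructed sample template (hypothetical resources, not from the original page).
SAMPLE_TEMPLATE_JSON = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        # No egress property at all -> default allow-all applies.
        "DefaultEgressSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "no egress given", "VpcId": "vpc-placeholder"},
        },
        # Explicit allow-all egress on every protocol.
        "OpenEgressSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "explicit open egress",
                "VpcId": "vpc-placeholder",
                "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}],
            },
        },
        # The answer's placeholder rule: suppresses the default rule, allows nothing useful.
        "LockedDownSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "placeholder egress",
                "VpcId": "vpc-placeholder",
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": "1", "ToPort": "1", "CidrIp": "0.0.0.0/32"}
                ],
            },
        },
        # Unrelated resource type, ignored by the lint.
        "NotAnSG": {"Type": "AWS::S3::Bucket"},
    },
})


if __name__ == "__main__":
    for sg, reason in lint_template_text(SAMPLE_TEMPLATE_JSON).items():
        print(f"{sg}: {reason}")
```

Running the script flags DefaultEgressSG and OpenEgressSG and leaves LockedDownSG alone. Point the same function at `json.load(open("template.json"))` to check a real template before deployment; note that it only inspects CIDR destinations, so rules that reference another security group or a prefix list are treated as scoped, not open.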