Json Yaml All Outbound Traffic Allowed
Description
Detects AWS Security Groups defined in CloudFormation templates that do not specify egress (outbound) rules. When the SecurityGroupEgress property is omitted, AWS keeps the default egress rule, which allows all protocols and ports to 0.0.0.0/0. That violates the principle of least privilege: any instance behind the group, once compromised, can reach arbitrary internet destinations (data exfiltration, command-and-control, lateral movement to other networks) without any network-level control.
Detection Strategy
• Check if the resource type is 'AWS::EC2::SecurityGroup' in CloudFormation template
• Verify if the security group definition lacks explicit egress rules configuration
• Flag security groups that don't have any outbound traffic restrictions defined
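The check above, as an added worked example that is not part of the original page or of Fluid Attacks' scanner. It walks a parsed CloudFormation template, selects AWS::EC2::SecurityGroup resources, and reports those with no SecurityGroupEgress property. It goes one step beyond the page's description and also reports an explicit egress rule that reproduces the default (protocol -1 to 0.0.0.0/0 or ::/0), since that is equally "all outbound traffic allowed". The template is constructed inline in JSON so the example runs offline with the standard library; the logical IDs and CIDRs in it are made up for illustration.

```python
import json

SG_TYPE = "AWS::EC2::SecurityGroup"
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample template (not from a real account): one group without
# egress, one with an explicit allow-all egress, one with restricted egress.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "NoEgressSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "No egress declared, default allow-all applies",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "192.168.1.10/32"}
        ]
      }
    },
    "OpenEgressSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Explicit allow-all egress, same effect as the default",
        "SecurityGroupEgress": [
          {"IpProtocol": -1, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "RestrictedSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Egress limited to HTTPS inside the VPC",
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"}
        ]
      }
    },
    "NotAGroup": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")


def rule_allows_all(rule):
    """True when one egress rule permits every protocol and port to any destination.

    CloudFormation accepts IpProtocol as the string "-1" or the integer -1,
    hence the str() normalisation.
    """
    if not isinstance(rule, dict):
        return False
    open_dest = rule.get("CidrIp") == ANY_V4 or rule.get("CidrIpv6") == ANY_V6
    proto = str(rule.get("IpProtocol", "")).lower()
    return open_dest and proto in ("-1", "all")


def find_open_egress(template):
    """Return [(logical_id, reason)] for security groups that allow all outbound traffic."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != SG_TYPE:
            continue
        props = resource.get("Properties") or {}
        egress = props.get("SecurityGroupEgress")
        if egress is None:
            # The page's finding: nothing declared, so AWS keeps the default
            # allow-all outbound rule.
            findings.append((logical_id, "SecurityGroupEgress missing; default allow-all outbound rule applies"))
        elif isinstance(egress, list) and any(rule_allows_all(r) for r in egress):
            # Extension beyond the page: an explicit rule that is just as open.
            findings.append((logical_id, "explicit egress rule allows all protocols to 0.0.0.0/0 or ::/0"))
    return findings


if __name__ == "__main__":
    for logical_id, reason in find_open_egress(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

For YAML templates, load them with a parser that understands CloudFormation's short-form intrinsic tags (`!Ref`, `!Sub`, ...); plain `yaml.safe_load` rejects them, so either register a constructor for those tags or convert the template to JSON first. The resulting dict has the same shape and can be passed to `find_open_egress` unchanged. The check deliberately does not flag a group whose egress is a non-list value such as a `Ref` to a parameter, because the rule set cannot be evaluated statically there.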
Vulnerable code example
Resources:
  mySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Vulnerable Security Group
      # Vulnerable: no SecurityGroupEgress is declared, so the default rule
      # (all protocols, all ports, destination 0.0.0.0/0) stays in effect
      SecurityGroupIngress:
        - CidrIp: 192.168.0.0/16 # The broad /16 source range is a separate weakness; this finding is about egress
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
✅ Secure code example
Resources:
  mySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Secure Security Group
      SecurityGroupIngress:
        - CidrIp: 192.168.1.10/32 # Restrict SSH access to single admin IP
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      SecurityGroupEgress: # Declaring egress explicitly replaces the default allow-all rule
        - CidrIp: 10.0.0.0/16 # Example destination (the VPC CIDR); restrict to what the workload actually needs
          IpProtocol: tcp
          FromPort: 443
          ToPort: 443