Egress filtering: you need it!
Security in IT utilises the concept of “assume that you have been breached”. This means that applications and their related infrastructure should be setup in such a way that the impact of a real breach is minimised by making life difficult once an attacker has broken through the defences. Earlier, enablement of infrastructure had months of lead time and upfront investments. Nowadays it’s very easy to build that same infrastructure in the cloud in hours. This flexibility comes with a price: developers with potentially little network or security knowledge are also put in charge of building and managing cloud environments. AWS has defined the Well Architected Framework as a good start. One thing is clear: to really be in control developers also need to know what network connections their applications are making to other applications.
Egress filtering
This is where the so-called egress filtering comes into place. Not allowing open egress is an important component of security controls. Until now dedicated network engineers and security professionals were securing in-house (on premise) networks and infrastructures. They know very well that a firewall is not a firewall if it has allow any any rules — on any interface. In essence it’s really simple: do not simply allow anything to go out onto the internet without being aware of it and inspect and filter your traffic at each layer.
Cloud and Terraform Registry
For many of the less security and networking-aware teams, determining the appropriate rules is a (big) challenge. The effort involved in manually creating mutual rules kills any incentive of it happening properly. Luckily if you’re using Terraform it doesn’t need to be like that as there is a module (Terraform Mutual Security Groups Rules Module) available available on the Terraform Registry for this: skwashd/mutual-security-groups/aws.
In essence in case of an unfortunate breach and proper filtering on outgoing traffic is applied, the problem becomes a lot less urgent, so apply it wisely!