Commit
Apply suggestions from code review
Co-authored-by: Jamie Anderson <[email protected]>
1 parent 218001a commit 2e7aa07
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions rules/S6463/python/rule.adoc
@@ -1,6 +1,6 @@
Allowing unrestricted outbound communications can lead to data leaks.

When security group allow all outbound communications application or service within the security group can send data to any external IP address or port without restriction. If an resource within the security group becomes compromise attackers would be able to then send malicious traffic or exfiltrate data to external servers. This could happend even if the resource is not directly exposed to the internet, in case of a supply chain attack for example.
When a security group allows all outbound communications, applications or services within the security group can send data to any external IP address or port without restriction. If a resource within the security group becomes compromised, attackers could send malicious traffic or exfiltrate data to external servers. This could happen even if the resource is not directly exposed to the internet, such as in case of a supply chain attack.

When deciding if outgoing connections should be limited, consider that limiting
the connections results in additional administration and maintenance work.
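Review bot: the replacement sentence on the added line ends with "such as in case of a supply chain attack", which is missing an article; "such as in the case of a supply chain attack" reads correctly. The rest of the rewrite (articles added, "compromise" to "compromised", "happend" to "happen") is fine as is.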
Expand All @@ -16,8 +16,9 @@ There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

The principle of defence-in-depth and least privilege suggest that outbound connections should be restricted to a set of trusted destinations.
Therefore, for each security group, consider whether allowing all outbound connections is necessary. If not, disable it and add specific egress rules for the required outbound connections.
The principles of defence-in-depth and least privilege suggest that outbound connections should be restricted to a set of trusted destinations.

Consider restricting the security group egress rules so that it can only contact specific locations, such as trusted IP address ranges or other security groups. If any resources require unrestricted outbound access, place them in their own security group.

== Sensitive Code Example

