
I've got a web app (App 1) and am setting up an API endpoint. I will send a request to that endpoint from App 2. App 1 and App 2 are in the same VPC.

I'd like for App 1 to allow NO outbound traffic except for an API response to App 2.

So let's say this is the code for the App 1 endpoint (a Django view is assumed, since the original uses request.POST; send_email is taken to mean Django's send_mail):

from django.core.mail import send_mail
from django.http import HttpResponse

def api(request):
    val = int(request.POST['value']) * 2  # POST values are strings; int() so * 2 doubles
    # Outbound SMTP connection initiated by App 1. Django's send_mail takes
    # (subject, message, from_email, recipient_list).
    send_mail('Subject', 'Message', 'from@example.com', ['to@example.com'])
    return HttpResponse(str(val))

My security group would allow the val to be returned to App 2, but would block the email from being sent, as it would be data escaping the app.


I may have seen that the answer might be NO security groups for the allowed outbound. That prevents all outbound traffic, EXCEPT for already-prescreened inbound connections, since the apps will respond.

bones225
    Please don't comment on your question; instead, edit the question to include the information from your comment. – Tim Sep 11 '19 at 03:34

1 Answer


Since security groups are stateful, you can deny all outgoing traffic for App 1 and allow incoming only from the IP of App 2 making the request. This will block all traffic initiated by the server running App 1, but will allow replies to requests that are allowed in from App 2.

Tim
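The answer above rests on connection tracking: an ingress rule admits App 2's request, the tracker remembers the 5-tuple, and App 1's reply is matched against that state rather than against an egress rule, so an empty egress list still lets the API response out while dropping anything App 1 initiates itself. The following is an added example, not code from the question or the answer: a small model of a stateful security group with exactly the rule set the answer describes (one ingress rule on the API port from App 2, no egress rules), run over the flows in the question. The private addresses 10.0.1.10 and 10.0.1.20, the TEST-NET-3 addresses used for the mail relay and an external HTTPS host, the port numbers and the packet format are all constructed for illustration; real security groups evaluate rules on the instance's network interface and track connections in a similar way, but this is a teaching model, not AWS's implementation.

```python
"""Stateful security-group model for the App 1 / App 2 question.

Added example (not the original poster's or answerer's code). All addresses,
ports and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

APP1_IP = "10.0.1.10"     # assumed private address of App 1
APP2_IP = "10.0.1.20"     # assumed private address of App 2
SMTP_IP = "203.0.113.25"  # assumed external mail relay (TEST-NET-3)
WEB_IP = "203.0.113.80"   # assumed external HTTPS host, e.g. a package mirror
API_PORT = 8000           # assumed port App 1's API listens on


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    cidr: str  # source CIDR for ingress rules, destination CIDR for egress rules


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    """Rules plus the connection-tracking table that makes them stateful."""
    ingress: list
    egress: list
    _conns: set = field(default_factory=set)

    def allows(self, pkt: Packet, direction: str) -> bool:
        """Decide one packet leaving ("out") or entering ("in") the instance."""
        # A packet whose reversed 5-tuple is tracked is a reply to an
        # already-admitted connection; it passes without any rule lookup.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self._conns:
            return True
        rules = self.ingress if direction == "in" else self.egress
        peer = pkt.src if direction == "in" else pkt.dst
        for r in rules:
            if r.proto == pkt.proto and r.port == pkt.dport and in_cidr(peer, r.cidr):
                # New connection admitted by a rule: remember it so replies pass.
                self._conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return True
        return False


def run_scenario() -> dict:
    """App 1's group: accept the API port from App 2 only, no egress rules at all."""
    sg = SecurityGroup(
        ingress=[Rule("tcp", API_PORT, f"{APP2_IP}/32")],
        egress=[],  # the "no outbound" group from the question
    )
    request = Packet(APP2_IP, 51234, APP1_IP, API_PORT)   # App 2 calls the API
    reply = Packet(APP1_IP, API_PORT, APP2_IP, 51234)     # App 1 answers
    smtp = Packet(APP1_IP, 40000, SMTP_IP, 587)           # send_mail() connecting out
    https = Packet(APP1_IP, 40001, WEB_IP, 443)           # e.g. a package update
    unsolicited = Packet(APP1_IP, 5000, APP2_IP, API_PORT)  # App 1 calling App 2 first
    other_host = Packet("10.0.1.30", 4000, APP1_IP, API_PORT)  # a third VPC host
    return {
        "request_from_app2": sg.allows(request, "in"),
        "reply_to_app2": sg.allows(reply, "out"),
        "smtp_from_app1": sg.allows(smtp, "out"),
        "https_from_app1": sg.allows(https, "out"),
        "unsolicited_to_app2": sg.allows(unsolicited, "out"),
        "request_from_other_host": sg.allows(other_host, "in"),
    }


if __name__ == "__main__":
    for flow, allowed in run_scenario().items():
        print(f"{flow:26s} {'ALLOW' if allowed else 'DROP'}")
```

Two practical notes on applying this for real. First, inside a VPC it is usually better to make the ingress rule's source App 2's security group rather than its IP address, so the rule survives App 2 being replaced or scaled; the effect on the model above is the same. Second, because every connection App 1 initiates is dropped, the send_mail() call in the view does not fail fast: the SMTP connect will hang until the socket times out, so the view should either not send mail at all or set an explicit timeout so a blocked side effect cannot stall the API response to App 2.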