
I am using the following egress rule in a security group definition of a CloudFormation template:

  SecurityGroupEgress:
  - IpProtocol: tcp
    FromPort: 0
    ToPort: 65535
    CidrIp: 0.0.0.0/0

However, this does not end up in a rule that allows all outbound traffic.

What is the proper way to define an allow-all-outbound rule?

pkaramol

2 Answers


This is an old thread, but people still find it in searches... True, there are times the default doesn't work well, such as when using cfn_nag_scan to scan the cft.

Here is what you are looking for:

  SecurityGroupEgress:
    - Description: Allow all outbound traffic
      IpProtocol: "-1"
      CidrIp: 0.0.0.0/0

Paul Fowler

I must add this info from the AWS documentation, as defining such a policy might not be necessary:

"When you create a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location. The default rule is removed only when you specify one or more egress rules."

Here's the link: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#w2ab1c21c10d473c17

Typically, you define some specific port/protocol.

AYA
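To make the difference between the two rule shapes above concrete, here is an added example (my own code, not from the question, either answer, or AWS): a small cfn_nag-style check that classifies SecurityGroupEgress entries and applies the default-rule behaviour quoted from the AWS docs. The template fragments are constructed samples passed as Python dicts, and `describe_rule`, `effective_egress` and `allows_all_outbound` are names I chose for this example.

```python
# Added example, not code from the question or the answers: a small linter in
# the spirit of cfn_nag that reports which CloudFormation SecurityGroupEgress
# rules really allow all outbound traffic. Templates are passed as dicts
# (constructed sample input), so no YAML library is needed.

OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"

def rule_is_allow_all(rule):
    """-1 (all protocols) to an open CIDR. The question's tcp 0-65535 rule is
    not allow-all: it still blocks UDP, ICMP and every other IP protocol."""
    proto = str(rule.get("IpProtocol", "")).lower()
    open_cidr = rule.get("CidrIp") == OPEN_V4 or rule.get("CidrIpv6") == OPEN_V6
    return proto == "-1" and open_cidr

def describe_rule(rule):
    """Human-readable summary of one egress rule."""
    proto = str(rule.get("IpProtocol", "?"))
    dest = rule.get("CidrIp") or rule.get("CidrIpv6") or rule.get("DestinationSecurityGroupId", "?")
    if proto == "-1":
        return f"all protocols/ports -> {dest}"
    return f"{proto} {rule.get('FromPort', '?')}-{rule.get('ToPort', '?')} -> {dest}"

def effective_egress(sg_properties):
    """Rules the security group will have once the stack is created.

    Per the AWS documentation quoted in the second answer: with no
    SecurityGroupEgress key, EC2 keeps its implicit allow-all rule; once any
    rule is listed, that default is removed and only the listed rules remain.
    """
    rules = sg_properties.get("SecurityGroupEgress")
    if not rules:
        return [{"IpProtocol": "-1", "CidrIp": OPEN_V4, "Description": "implicit default"}]
    return list(rules)

def allows_all_outbound(sg_properties):
    return any(rule_is_allow_all(r) for r in effective_egress(sg_properties))

# Constructed samples: the question's rule, the first answer's rule, and a
# group with no SecurityGroupEgress block at all.
QUESTION_SG = {"SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 0,
                                        "ToPort": 65535, "CidrIp": OPEN_V4}]}
ANSWER_SG = {"SecurityGroupEgress": [{"Description": "Allow all outbound traffic",
                                      "IpProtocol": "-1", "CidrIp": OPEN_V4}]}
DEFAULT_SG = {"GroupDescription": "no egress block"}

if __name__ == "__main__":
    for name, sg in (("question", QUESTION_SG), ("answer", ANSWER_SG), ("default", DEFAULT_SG)):
        print(name, allows_all_outbound(sg), [describe_rule(r) for r in effective_egress(sg)])
```

Running it reports `question False`, `answer True` and `default True`, which is exactly the behaviour the two answers describe: only protocol `-1` (or leaving the egress block out entirely) yields an allow-all rule.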