
Usually we set the AWS security group outbound rules to ALL, since we may need to download or upgrade something from the internet, using any port, from any IP.

One concern is: what if somebody who logs in to the EC2 instance tries to upload the company's important data to his personal cloud storage? If we can restrict the AWS security group outbound rules, then this can be avoided.

I have seen some similar posts about this concern with security group outbound settings, such as: AWS Security Group for RDS - Outbound rules, but all the responses said it is fine to set outbound to ALL, or to just restrict it to a few ports. I still want to raise the question again. For example, how do I resolve the above concern? And if there is no solution, is restricting the ports to 80/443 enough if we just want to upgrade/update the OS and applications, and nothing else?

  • If they can login to the instance, then they can extract data (eg just printing it to the screen), even with ZERO outbound access. If you open 80/443, then they can access any service (eg Dropbox). You should either be very strict in your security (limiting login access), or just accept that a determined person could do as you say. – John Rotenstein Oct 12 '18 at 00:52
  • @John Rotenstein: Makes sense. If even an AWS expert like you thinks it is OK to set outbound that way, then it should be fine. Thanks. – user389955 Oct 15 '18 at 17:54
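Added example, not from the question or the comments: a small audit that walks security groups in the shape returned by EC2's describe_security_groups and flags egress rules that are wider than the 80/443-to-anywhere setup discussed above. The group IDs and rules below are constructed sample data; to run it against a real account, feed it the "SecurityGroups" list from boto3 instead.

```python
# Added example (not from the question or its comments): audit the egress
# rules of EC2 security groups, in the dict shape ec2.describe_security_groups()
# returns, and flag anything wider than HTTP/HTTPS to the internet.
# Group IDs and rules below are constructed sample data.

ALLOWED_EGRESS_PORTS = {80, 443}   # what OS/app updates usually need
WORLD = {"0.0.0.0/0", "::/0"}


def is_world_open(perm):
    """True if the rule's destination includes the whole internet (v4 or v6)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def egress_findings(group):
    """Return human-readable findings for one security group's egress rules."""
    findings = []
    for perm in group.get("IpPermissionsEgress", []):
        if not is_world_open(perm):
            continue                      # internal destination: not flagged here
        proto = perm.get("IpProtocol")
        if proto == "-1":                 # AWS encodes "all traffic" as protocol -1
            findings.append("all protocols and ports to anywhere")
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None or lo == -1:   # whole-protocol or all-ICMP rule
            findings.append(f"{proto} (all ports) to anywhere")
            continue
        span = set(range(lo, hi + 1)) if hi - lo < 1024 else None
        if proto == "tcp" and span is not None and span <= ALLOWED_EGRESS_PORTS:
            continue                      # 80/443 only: the minimal update path
        findings.append(f"{proto} ports {lo}-{hi} to anywhere")
    return findings


def audit(groups):
    """Map each GroupId to its findings; groups with no findings are omitted."""
    return {g["GroupId"]: f for g in groups if (f := egress_findings(g))}


# Constructed sample: the default "ALL" egress group next to a restricted one.
SAMPLE_GROUPS = [
    {"GroupId": "sg-allopen", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-updates", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

if __name__ == "__main__":
    for gid, findings in audit(SAMPLE_GROUPS).items():
        print(gid, "->", "; ".join(findings))
```

A group that passes this check still allows TCP 443 to any host, which is the point made in the comments: port restriction alone does not prevent uploads to a public cloud storage service, so it belongs alongside tight login access and egress logging rather than replacing them.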
