
Please help

We blocked all outgoing traffic by removing 0.0.0.0/0 and added only our VPC, so that our application can connect to the EC2 instance.

Now the problem is that the EC2 instance is not able to communicate with any AWS services itself; we are not able to use SSM, update our RPMs, etc.

We added a few IP ranges based on the errors we faced, which we fear is not the correct way of blocking outbound connections.

Thank you, appreciate your support in advance

Varadharajan Nadar
  • Why did you choose to block outgoing traffic in security groups? Traditionally, outbound rules are left open to allow software on the instance to access the Internet (e.g. for downloading updates, or talking to AWS). There can be some good reasons for blocking such access, but I'm just checking why you made that choice? – John Rotenstein Aug 10 '20 at 00:54
  • Agree with you; we do not want each and every server to have direct access to the whole world, rather only to known sources over the correct protocol; even to download the updates we can make sure the respective repo & protocol are whitelisted – Varadharajan Nadar Aug 10 '20 at 16:06


You should actually take a look at using VPC endpoints where possible within your VPC.

If you configure these, outbound communication will be via the subnet ranges that the interface endpoints are located in, with the exception of S3 and DynamoDB.

If you use either of these services, in the outbound of the security group you can whitelist the source of the prefix list for these services.

By doing this it's easier to manage (AWS IP ranges change all the time), and it is more secure, as the egress stays within the AWS network and never connects to the service endpoints via the public internet.

If this approach is not for you, you would need to subscribe to IP-range changes, which would trigger a Lambda function. This Lambda function would access the ip-ranges.json file and retrieve all ranges valid for your application. These IP ranges would then be added to a customer-managed prefix list that you define.

The prefix list would be added as an outbound destination allowing port 443 (HTTPS) outbound access; of course, this method would require you to build the Lambda function.

Chris Williams
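The core of the Lambda the answer describes, as an added example that is not part of the answer: parse an ip-ranges.json document, keep only the IPv4 prefixes for the named services in one region, and work out which entries a customer-managed prefix list must gain or lose. The sample document is constructed in the shape of the real file (the CIDRs are documentation ranges, not AWS ranges), `max_entries` stands for the fixed capacity chosen when the prefix list was created, and the resulting add/remove sets are what you would hand to `ec2.modify_managed_prefix_list`.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (illustrative CIDRs only, not real AWS ranges). IPv6 ranges live under a
# separate "ipv6_prefixes" key and are intentionally not handled here.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1596999999",
    "createDate": "2020-08-10-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "CLOUDFRONT"},
    ],
})


def select_ranges(ip_ranges_json, services, region):
    """Return the sorted, de-duplicated IPv4 CIDRs for `services` in `region`.

    "AMAZON" is a catch-all that overlaps every other service, so callers
    should name the concrete services (S3, EC2, ...) the instance really uses;
    otherwise the egress rule is far wider than intended.
    """
    data = json.loads(ip_ranges_json)
    wanted = set()
    for entry in data["prefixes"]:
        if entry["service"] in services and entry["region"] == region:
            # ip_network() validates the CIDR and normalises its text form.
            wanted.add(str(ipaddress.ip_network(entry["ip_prefix"])))
    return sorted(wanted)


def plan_prefix_list_update(current_cidrs, desired_cidrs, max_entries):
    """Compute the AddEntries / RemoveEntries for a prefix-list update.

    Fails loudly if the desired set would not fit the list's fixed capacity,
    so a silently truncated (and therefore stale) allow-list cannot ship.
    """
    current, desired = set(current_cidrs), set(desired_cidrs)
    if len(desired) > max_entries:
        raise ValueError(f"{len(desired)} entries exceed prefix list capacity {max_entries}")
    return {"add": sorted(desired - current), "remove": sorted(current - desired)}


if __name__ == "__main__":
    desired = select_ranges(SAMPLE_IP_RANGES, {"S3", "EC2"}, "us-east-1")
    # A pre-existing list that still carries a hand-added range no longer needed.
    print(plan_prefix_list_update(["198.51.100.0/24", "10.0.0.0/8"], desired, max_entries=20))
```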