Detection rules › Panther
AWS Security Group Restricts Outbound Traffic
This policy validates that Security Groups have some restrictions on outbound traffic.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1567 Exfiltration Over Web Service |
Rule body yaml
AnalysisType: policy
Filename: aws_security_group_restricts_outbound_traffic.py
PolicyID: "AWS.SecurityGroup.RestrictsOutboundTraffic"
DisplayName: "AWS Security Group Restricts Outbound Traffic"
Enabled: false
ResourceTypes:
- AWS.EC2.SecurityGroup
Tags:
- AWS
- PCI
- Exfiltration:Exfiltration Over Web Service
Reports:
PCI:
- 1.1.4
- 1.3.2
MITRE ATT&CK:
- TA0010:T1567
Severity: Low
Description: >
This policy validates that Security Groups have some restrictions on outbound traffic.
Runbook: >
Add appropriate restrictions to outbound traffic via IP permissions.
Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-services-ec2-sg.html
Tests:
- Name: Security Group Restricts Outbound Traffic
ExpectedResult: true
Resource:
{
"Description": "example VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-def123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "123456789012",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": 3306,
"IpProtocol": "-1",
"IpRanges": [{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": 3306,
"UserIdGroupPairs": null,
},
],
"OwnerId": "123456789012",
"Tags": { "environment": "pci" },
"VpcId": "vpc-abc111222333",
}
- Name: Security Group Does Not Restrict Outbound Traffic
ExpectedResult: false
Resource:
{
"Description": "example VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-def123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "123456789012",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": 0,
"IpProtocol": "-1",
"IpRanges": [{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": 65535,
"UserIdGroupPairs": null,
},
],
"OwnerId": "123456789012",
"Tags": { "environment": "pci" },
"VpcId": "vpc-abc111222333",
}
- Name: Security Group Does Not Restrict Outbound Traffic (None)
ExpectedResult: false
Resource:
{
"Description": "example VPC security group",
"GroupId": "sg-abc123",
"GroupName": "default",
"IpPermissions":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": null,
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs":
[
{
"Description": null,
"GroupId": "sg-def123",
"GroupName": null,
"PeeringStatus": null,
"UserId": "123456789012",
"VpcId": null,
"VpcPeeringConnectionId": null,
},
],
},
],
"IpPermissionsEgress":
[
{
"FromPort": null,
"IpProtocol": "-1",
"IpRanges": [{ "CidrIp": "0.0.0.0/0", "Description": null }],
"Ipv6Ranges": null,
"PrefixListIds": null,
"ToPort": null,
"UserIdGroupPairs": null,
},
],
"OwnerId": "123456789012",
"Tags": { "environment": "pci" },
"VpcId": "vpc-abc111222333",
}
Detection logic
Condition
IpPermissionsEgress not is_null
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
IpPermissionsEgress | is_null |