4
votes

I have a security group assigned to an RDS instance which allows port 5432 traffic from our EC2 instances.

However, this security group has all outbound traffic enabled for all traffic to all IPs.

Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

3
Outbound means that the machine w/ that SG can connect to any outside machine on a specifically allowed port. So, it should be permissive. – hjpotter92

@hjpotter92 but it doesn't need to communicate to anything other than our EC2 instance. So should I be changing the current outbound rule which permits traffic to anywhere? – Manoj M J

@ManojMJ EC2 instances occasionally need to be patched and/or access other repositories outside of your local network. If you don't feel good about allowing access to anything, anywhere, just allow outbound HTTP (port 80) and HTTPS (port 443). I've been using that configuration successfully for years. – matias elgart

3 Answers

7
votes

What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

It is a good idea to have a clear control over outbound connections as well.

In your RDS group: delete all outbound rules (by default, there is a rule that allows outbound connections to all ports and IPs -> just delete this "all-anywhere" rule).

Your DB will receive inbound requests through port 5432 from your EC2 instance, and RDS will respond back to your EC2 instance through the very same connection; no outbound rules need to be defined in this case at all.

2
votes

By default, all Amazon EC2 security groups:

  • Deny all inbound traffic
  • Allow all outbound traffic

You must configure the security group to permit inbound traffic. Such configuration should be limited to the minimal possible scope. That is, the fewest protocols necessary and smallest IP address ranges necessary.

Outbound access, however, is traditionally kept open. The reason for this is that you would normally "trust" your own systems. If they wish to access external resources, let them do so.

You are always welcome to restrict Outbound access, especially for sensitive systems. However, determining which ports to keep open may be a challenge. For example, instances may want to download Operating System updates, access Amazon S3 or send emails.
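The two answers above describe the same cleanup from two angles: remove the default "all-anywhere" egress rule from the RDS group (first answer), and, where an instance genuinely needs to reach out, replace it with a narrow allow such as HTTP/HTTPS only (second answer and the comments). The following Python is an added example and not code from the question, the answers or AWS; it audits a constructed security-group document shaped like the output of boto3's `describe_security_groups` and returns the parameters a caller would pass to `revoke_security_group_egress` / `authorize_security_group_egress`. The group ids are placeholders and nothing is sent to AWS.

```python
"""Audit a security group's egress rules and build the boto3 calls that
would tighten them.

Added example, not code from the original Q&A. RDS_SG is a CONSTRUCTED
document in the shape returned by EC2 DescribeSecurityGroups; the group
ids are placeholders. The functions only return request parameters,
they never call AWS.
"""

ANYWHERE_V4 = "0.0.0.0/0"
ANYWHERE_V6 = "::/0"

# Constructed sample: an RDS group with a correctly scoped inbound rule
# (5432 from the EC2 group) but the default all-anywhere egress rule.
RDS_SG = {
    "GroupId": "sg-0123456789abcdef0",        # placeholder
    "GroupName": "rds-postgres",
    "IpPermissions": [                          # inbound
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},  # placeholder
    ],
    "IpPermissionsEgress": [                    # outbound
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": ANYWHERE_V4}],
         "Ipv6Ranges": [{"CidrIpv6": ANYWHERE_V6}],
         "UserIdGroupPairs": []},
    ],
}


def is_all_anywhere(rule):
    """True for an egress rule that allows every port to every address:
    protocol -1 (all) or the full TCP/UDP port range, to 0.0.0.0/0 or ::/0."""
    all_ports = (rule.get("IpProtocol") == "-1"
                 or (rule.get("FromPort") == 0 and rule.get("ToPort") == 65535))
    if not all_ports:
        return False
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & {ANYWHERE_V4, ANYWHERE_V6})


def open_egress_rules(sg):
    """The egress rules of `sg` that should be removed from an RDS group."""
    return [r for r in sg.get("IpPermissionsEgress", []) if is_all_anywhere(r)]


def revoke_open_egress(sg):
    """kwargs for ec2.revoke_security_group_egress(**kwargs), or None when
    the group has no all-anywhere egress rule. For the RDS case nothing
    is added afterwards: responses to allowed inbound traffic still flow
    because security groups are stateful."""
    rules = open_egress_rules(sg)
    if not rules:
        return None
    return {"GroupId": sg["GroupId"], "IpPermissions": rules}


def web_only_egress(sg, ports=(80, 443)):
    """kwargs for ec2.authorize_security_group_egress(**kwargs) that allow
    only outbound HTTP/HTTPS, the compromise suggested for EC2 instances
    that must fetch OS updates from the internet."""
    perms = [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
              "IpRanges": [{"CidrIp": ANYWHERE_V4}]} for p in ports]
    return {"GroupId": sg["GroupId"], "IpPermissions": perms}


if __name__ == "__main__":
    print("open egress rules:", open_egress_rules(RDS_SG))
    print("revoke call:", revoke_open_egress(RDS_SG))
    print("web-only replacement (EC2 groups only):", web_only_egress(RDS_SG))
```

Running the audit across every group returned by `describe_security_groups` and paging through the results gives a quick inventory of which groups still carry the default egress rule; for database groups the revoke call is the whole fix, while for EC2 groups the narrowed rule set is applied afterwards.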

1
votes

When using Security Groups (as opposed to ACL rules), all inbound traffic is automatically allowed in outbound traffic, so outbound rules may be empty in your case.

Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

It's a risk only if your RDS is in a public subnet inside your VPC.

Best practices recommend in your scenario to have a public subnet for your web server and a private subnet for all private resources (RDS, other private services, etc).

(image omitted: diagram of a VPC with a public subnet for the web server and a private subnet for RDS)

As you can see in the image, when hosting your RDS inside a private subnet there is no way to access it from outside your VPC.
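Whether a subnet is "public" or "private" in the sense this answer uses is not a subnet attribute; it is decided by the route table the subnet is associated with. The check below is an added example and not code from the answer or AWS: it walks constructed route-table documents shaped like the output of EC2 `DescribeRouteTables` (subnet, route-table and gateway ids are placeholders) and treats a subnet as public when its route table, or the VPC main route table when it has no explicit association, sends the default route to an internet gateway (`igw-*`). A default route through a NAT gateway does not make a subnet public, which is the usual private-subnet layout.

```python
"""Classify subnets as public or private from their route tables.

Added example, not code from the original answer. ROUTE_TABLES is a
CONSTRUCTED document in the shape returned by EC2 DescribeRouteTables;
all ids are placeholders and nothing is fetched from AWS.
"""

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

ROUTE_TABLES = [
    {   # VPC main table: local route only, used by subnets with no association
        "RouteTableId": "rtb-0main00000000001",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public table: default route to the internet gateway
        "RouteTableId": "rtb-0public0000000001",
        "Associations": [{"Main": False, "SubnetId": "subnet-0web00000000001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000000000001"},
        ],
    },
    {   # private table: default route via a NAT gateway (outbound only)
        "RouteTableId": "rtb-0private000000001",
        "Associations": [{"Main": False, "SubnetId": "subnet-0db000000000001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000000000001"},
        ],
    },
]


def route_table_for(subnet_id, tables):
    """Explicitly associated table first, otherwise the VPC main table."""
    for table in tables:
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            return table
    for table in tables:
        if any(a.get("Main") for a in table["Associations"]):
            return table
    raise LookupError("no route table for %s and no main table" % subnet_id)


def has_igw_default_route(table):
    """True if 0.0.0.0/0 or ::/0 is routed to an internet gateway."""
    for route in table["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in DEFAULT_ROUTES and route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def is_public_subnet(subnet_id, tables=ROUTE_TABLES):
    return has_igw_default_route(route_table_for(subnet_id, tables))


def classify(subnet_ids, tables=ROUTE_TABLES):
    """Map each subnet id to 'public' or 'private'."""
    return {s: ("public" if is_public_subnet(s, tables) else "private")
            for s in subnet_ids}


if __name__ == "__main__":
    print(classify(["subnet-0web00000000001", "subnet-0db000000000001"]))
```

When auditing a real account, feed the subnets listed in the RDS instance's DB subnet group through `classify`; every one of them should come back `private`. Note that a private subnet only removes the routing path: the instance's own "publicly accessible" setting should also be off, and the inbound security-group rule should still be limited to port 5432 from the EC2 group, since other hosts inside the VPC can still reach a private subnet.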