From f7f1a3be2a7ab5c6def3ce9ca499b48b37e8d57d Mon Sep 17 00:00:00 2001
From: Matthew Wynn
Date: Fri, 10 May 2024 11:57:43 -0700
Subject: [PATCH] Remove ssh-egress security group rule
AWS Security Groups are stateful, meaning that any inbound traffic that is allowed will automatically permit the return outbound traffic, regardless of outbound rules. When you establish an SSH connection, you're initiating an inbound connection to the server. The server's response to your connection, as well as any subsequent communication, is considered outbound traffic from the perspective of the security group. Because of the stateful nature of AWS Security Groups, once you've allowed inbound SSH traffic, the return traffic (outbound from the server) is automatically allowed, even if your outbound rules don't explicitly permit it. Therefore, an outbound rule that allows traffic on all ports is not necessary for the operation of inbound SSH. This might break environments for people who are accidentally relying on the wide security group rules for non-ssh outbound access. However it will allow others to be more secure and tighten down their security posture.
---
security-group.tf | 8 --------
1 file changed, 8 deletions(-)
diff --git a/security-group.tf b/security-group.tf
index e0c3ed9..0fb763a 100644
--- a/security-group.tf
+++ b/security-group.tf
@@ -27,14 +27,6 @@ module "ssh_access" {
 from_port = 22
 to_port = 22
 description = "Allow SSH ingress"
- },
- {
- key = "ssh-egress"
- type = "egress"
- from_port = 0
- to_port = 65535
- protocol = "tcp"
- description = "Allow SSH egress"
 }]
 }]