class Terracop::Cop::Aws::OpenEgress

This cop warns against an egress rule to 0.0.0.0/0. While very common, and not necessarily an offense, you may want to lock the outbound traffic to some specific addresses (or even other security groups), especially in highly regulated environments.

@example

# bad
resource "aws_security_group_rule" "egress" {
  type        = "egress"
  cidr_blocks = ["0.0.0.0/0"]
}

# good
resource "aws_security_group_rule" "egress" {
  type        = "egress"
  cidr_blocks = ["10.4.0.0/16"]
}

# better
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  security_group_id = aws_security_group.destination.id
}

Public Instance Methods

check() click to toggle source
# File lib/terracop/cop/aws/open_egress.rb, line 34
def check
  return unless egress? && any_ip?

  offense('Avoid allowing egress traffic to 0.0.0.0/0.', :security)
end