class Terracop::Cop::Aws::UnrestrictedEgressPorts

This cop warns against egress security group rules that allow any port. Leaving every outbound port open means, for example, that an attacker who compromises the machine can use it to send spam emails, since outbound port 25 is reachable.

@example

# bad: every TCP port is allowed outbound
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  protocol          = "tcp"
  from_port         = 0
  to_port           = 65535
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.example.id # placeholder group
}

# good: egress limited to a single port
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.example.id # placeholder group
}

Public Instance Methods

check()
# File lib/terracop/cop/aws/unrestricted_egress_ports.rb, line 29
def check
  # Only egress rules for TCP or UDP that span the whole port range are flagged.
  return unless egress? && (tcp? || udp?) && any_port?

  offense('Limit egress traffic to small port ranges.', :security)
end
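The same check as a stand-alone Ruby script, added here as an example rather than Terracop's own code: the page shows only `check`, so the bodies of `egress?`, `tcp?`, `udp?` and `any_port?` are assumed (any_port is taken to mean the full 0..65535 range), and the constructed sample rules add an all-protocols rule (`protocol = "-1"`) that this check does not flag.

```ruby
# Stand-alone re-implementation of the UnrestrictedEgressPorts logic
# (example code, not Terracop's). Each rule is a hash of the attributes a
# parsed aws_security_group_rule block would carry. The predicate bodies
# are assumptions about how Terracop's helpers behave.
MIN_PORT = 0
MAX_PORT = 65_535

def egress?(attrs)
  attrs['type'] == 'egress'
end

def tcp?(attrs)
  attrs['protocol'].to_s.casecmp?('tcp')
end

def udp?(attrs)
  attrs['protocol'].to_s.casecmp?('udp')
end

# Assumption: "any port" means the rule spans the whole 0..65535 range.
# Port values may arrive as strings from the HCL parser, so coerce them.
def any_port?(attrs)
  from = Integer(attrs['from_port'], exception: false)
  to   = Integer(attrs['to_port'], exception: false)
  return false if from.nil? || to.nil?

  from <= MIN_PORT && to >= MAX_PORT
end

# Returns the offense message for a flagged rule, or nil when it passes.
def unrestricted_egress_offense(attrs)
  return nil unless egress?(attrs) && (tcp?(attrs) || udp?(attrs)) && any_port?(attrs)

  'Limit egress traffic to small port ranges.'
end

# Constructed sample rules: the cop's "bad" and "good" examples, an ingress
# rule (out of scope), and an all-protocols rule (protocol "-1", ports 0/0)
# that the tcp/udp check as written does not flag although it is equally open.
SAMPLE_RULES = {
  'bad_all_tcp'   => { 'type' => 'egress',  'protocol' => 'tcp', 'from_port' => 0,   'to_port' => 65_535 },
  'good_https'    => { 'type' => 'egress',  'protocol' => 'tcp', 'from_port' => 443, 'to_port' => 443 },
  'ingress_all'   => { 'type' => 'ingress', 'protocol' => 'udp', 'from_port' => 0,   'to_port' => 65_535 },
  'all_protocols' => { 'type' => 'egress',  'protocol' => '-1',  'from_port' => 0,   'to_port' => 0 }
}.freeze

def scan(rules = SAMPLE_RULES)
  rules.transform_values { |attrs| unrestricted_egress_offense(attrs) }
end

scan.each { |name, msg| puts "#{name}: #{msg || 'ok'}" } if $PROGRAM_NAME == __FILE__
```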