This is really simple: EFS doesn't do egress (logically) so the "allow egress to 0.0.0.0/0" rule is redundant.
On top of that, we got a question during a compliance audit about the rule: we aren't supposed to be doing "open to 0.0.0.0/0" rules if we can avoid it (see references below)
Therefore I made a PR to just "make that an additional parameter that defaults to true so nobody has to change anything, but you can change it to false if your PCI auditor is upset."
We applied the PR in both test and production with no impact: everything continued working with no issue (which makes sense, as EFS does not do egress :) )
Hello @ezeroti (sorry for the delay but I went on vacation the day after you posted your comment)
I have made a public repo available with the change made: you could use that if you want (diff below) or you could make the same on your own (just fork this repo, apply the diff, and then refer to that from your terraform call)
Describe the Feature
TL;DR
Add a new flag to make allow-all-egress optional
Detail
This is really simple: EFS doesn't do egress (logically) so the "allow egress to 0.0.0.0/0" rule is redundant.
On top of that, we got a question during a compliance audit about the rule: we aren't supposed to be doing "open to 0.0.0.0/0" rules if we can avoid it (see references below)
Therefore I made a PR to just "make that an additional parameter that defaults to true so nobody has to change anything, but you can change it to false if your PCI auditor is upset."
References
Expected Behavior
Expected behavior for existing users who make no change: no impact, same result.
Expected behavior for those who set the allow_all_egress parameter to false when they use this module: that one security group rule is not added.
Use Case
The use case is for anyone trying to keep PCI auditors happy (open to 0.0.0.0/0 rules are frowned upon).
Describe Ideal Solution
PR: #126
Alternatives Considered
We tried maintaining our own security-group instead but this is MUCH cleaner and easier (and more shareable!)
Additional Context
No response
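The shape of the change the issue asks for, written out as an added Terraform illustration (this is not the module's own code or the contents of PR #126): the allow-all egress rule on the EFS mount-target security group becomes conditional on an allow_all_egress variable that defaults to true. The resource names, and the vpc_id and client_security_group_id inputs, are assumptions made for the example.

```hcl
# Added example, not the module's code. Variable name matches the issue;
# everything else (resource names, the two extra inputs) is hypothetical.

variable "allow_all_egress" {
  type        = bool
  default     = true
  description = "Add an egress rule to 0.0.0.0/0 on the EFS security group. Default true keeps existing behaviour; set false to omit the rule."
}

variable "vpc_id" {
  type = string
}

variable "client_security_group_id" {
  type        = string
  description = "Security group of the NFS clients allowed to mount the file system."
}

# Security group attached to the EFS mount targets (hypothetical name).
resource "aws_security_group" "efs" {
  name        = "efs-mount-targets"
  description = "EFS mount target security group"
  vpc_id      = var.vpc_id
}

# NFS clients connect inbound on TCP/2049. Security groups are stateful, so
# replies to these connections flow without any egress rule; EFS mount targets
# do not initiate outbound connections of their own.
resource "aws_security_group_rule" "ingress_nfs" {
  type                     = "ingress"
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
  security_group_id        = aws_security_group.efs.id
  source_security_group_id = var.client_security_group_id
}

# The broad egress rule is created only when allow_all_egress is true, so
# callers with stricter audit requirements can drop it without forking.
resource "aws_security_group_rule" "egress_all" {
  count = var.allow_all_egress ? 1 : 0

  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.efs.id
}
```

Flipping allow_all_egress to false on an existing deployment shows up in terraform plan as the destruction of exactly one aws_security_group_rule resource, which is the expected no-impact change described in the issue.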