Skip to content

v1.1.0

Latest
Compare
Choose a tag to compare
@github-actions github-actions released this 05 Mar 16:34
· 12 commits to main since this release
9f7e8a3
Make allow_all_egress a variable @dlacosteGFM (#126)

What changes in this PR?

  • Default change is nothing (with this PR applied, nobody would have to change anything)
  • Makes a new parameter allow_all_egress which defaults to false
  • When creating the security group for the EFS volume, this line makes the security-group have an "allow egress to 0.0.0.0/0" rule entry. This PR makes that a configurable parameter instead

Why make this change?

  • EFS doesn't actually do egress, so this really makes no impact difference at all
  • ...but during a security audit we have a dangling "why do you allow egress to 0.0.0.0/0 on this?" question with no really good answer (so let's get rid of it as it doesn't do anything anyways)

References

  • PCI DSS 3.2.1 rule 1.1.7 - Requirement to review firewall and router rule sets every 6 months
  • PCI DSS 3.2.1 rule 1.2.1 - Restrict inbound and outbound traffic to that which is necessary for the environment