Make allow_all_egress a variable @dlacosteGFM (#126)
What changes in this PR?
- Default change is nothing (with this PR applied, nobody would have to change anything)
- Makes a new parameter `allow_all_egress` which defaults to `false`
- When creating the security group for the EFS volume, this line makes the security group have an "allow egress to 0.0.0.0/0" rule entry. This PR makes that a configurable parameter instead
Why make this change?
- EFS doesn't actually do egress, so this really makes no impact difference at all
- ...but during a security audit we have a dangling "why do you allow egress to 0.0.0.0/0 on this?" question with no really good answer (so let's get rid of it as it doesn't do anything anyways)
References
- PCI DSS 3.2.1 rule 1.1.7 - Requirement to review firewall and router rule sets every 6 months
- PCI DSS 3.2.1 rule 1.2.1 - Restrict inbound and outbound traffic to that which is necessary for the environment
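The shape of the change described above, as an added Terraform example that is not the PR's own diff or the module's code: the `allow_all_egress` variable from the description gates the allow-all egress rule with a `count`, so with the default of `false` the EFS security group carries only the NFS ingress rule and nothing an auditor has to explain. The resource names and the `vpc_id` / `allowed_cidr_blocks` variables are assumptions for illustration.

```hcl
# Added example, not the module's code. Names other than allow_all_egress are assumed.
variable "allow_all_egress" {
  type        = bool
  description = "Attach an allow-all (0.0.0.0/0) egress rule to the EFS security group"
  default     = false
}

variable "vpc_id" {
  type = string
}

variable "allowed_cidr_blocks" {
  type        = list(string)
  description = "CIDRs permitted to mount the file system over NFS (assumed variable)"
}

resource "aws_security_group" "efs" {
  name        = "efs-mount-targets"
  description = "Security group for EFS mount targets"
  vpc_id      = var.vpc_id
}

# Inbound NFS (TCP 2049) only from the listed CIDRs: the one rule EFS needs.
resource "aws_security_group_rule" "nfs_ingress" {
  type              = "ingress"
  from_port         = 2049
  to_port           = 2049
  protocol          = "tcp"
  cidr_blocks       = var.allowed_cidr_blocks
  security_group_id = aws_security_group.efs.id
}

# The formerly unconditional allow-all egress rule, now created only when
# allow_all_egress = true. With the default (false) no egress rule exists.
resource "aws_security_group_rule" "egress" {
  count             = var.allow_all_egress ? 1 : 0
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.efs.id
}
```

One caveat worth knowing when reviewing the resulting plan: AWS attaches a default allow-all egress rule to every new VPC security group, but the Terraform AWS provider removes that default rule when it creates an `aws_security_group` that declares no egress, so leaving the variable at `false` really does yield a group with no outbound rule, which is what a PCI DSS 1.2.1 rule-set review wants to see for a service that initiates no outbound connections.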