I have a security group assigned to an RDS instance which allows port 5432 traffic from our EC2 instances.
However, this security group has all outbound traffic enabled for all traffic for all IPs.
Is this a security risk? What should be the ideal outbound security rule?
In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?
By default, all Amazon EC2 security groups:
- Deny all inbound traffic
- Allow all outbound traffic
You must configure the security group to permit inbound traffic. Such configuration should be limited to the minimal possible scope. That is, the fewest protocols necessary and smallest IP address ranges necessary.
Outbound access, however, is traditionally kept open. The reason for this is that you would normally "trust" your own systems. If they wish to access external resources, let them do so.
You are always welcome to restrict Outbound access, especially for sensitive systems. However, determining which ports to keep open may be a challenge. For example, instances may want to download Operating System updates, access Amazon S3 or send emails.
> What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?
It is a good idea to have a clear control over outbound connections as well.
In your RDS group: delete all outbound rules (by default, there is a rule that allows outbound connections to all ports and IPs -> just delete this "all-anywhere" rule).
Your DB will receive inbound requests through port 5432 from your EC2 instance, and RDS will respond back to your EC2 instance through the very same connection, no outbound rules need to be defined in this case at all.
When using Security Groups (as opposed to ACL rules) all inbound traffic is automatically allowed in outbound traffic so outbound rules may be empty in your case.
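The answer above recommends finding and deleting the default "all-anywhere" egress rule on the RDS group. The following is an added example (not code from the question or any of the answers) that audits security groups for that rule and builds the AWS CLI command that removes it. It assumes the input has the shape `aws ec2 describe-security-groups` returns (`SecurityGroups[].IpPermissionsEgress`); the group IDs, names and CIDRs are constructed sample data, and the `aws ec2 revoke-security-group-egress --group-id ... --ip-permissions ...` call is the real CLI form, which requires the rule to be spelled out exactly as it exists.

```python
"""Audit security-group egress rules for the AWS default "all traffic to anywhere".

Added example, not from the original question or answers. Input mirrors the
`aws ec2 describe-security-groups` JSON; all IDs and addresses are constructed.
"""
import json
import shlex

ANY_V4 = "0.0.0.0/0"   # "anywhere" destinations AWS uses in the default egress rule
ANY_V6 = "::/0"

# Constructed sample: three groups as describe-security-groups would render them.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {   # RDS group still carrying the default egress rule
            "GroupId": "sg-0000000000000001",          # placeholder id
            "GroupName": "rds-postgres",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0000000000000003"}]},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {   # Same group after the fix: no egress rules at all. Security groups are
            # stateful, so replies to the inbound 5432 connections still flow.
            "GroupId": "sg-0000000000000002",
            "GroupName": "rds-postgres-locked",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0000000000000003"}]},
            ],
            "IpPermissionsEgress": [],
        },
        {   # App servers: a scoped rule to the DB group plus HTTPS to anywhere
            "GroupId": "sg-0000000000000003",
            "GroupName": "app-servers",
            "IpPermissions": [],
            "IpPermissionsEgress": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0000000000000001"}]},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
            ],
        },
    ]
})


def open_destinations(rule):
    """Return the 'anywhere' CIDRs (IPv4 and/or IPv6) an egress rule points at."""
    dests = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    dests += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    return dests


def describe_rule(rule):
    """Protocol/port summary; IpProtocol '-1' is the AWS wildcard for all protocols."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return "all protocols/ports"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    ports = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{proto}/{ports}"


def audit_egress(describe_json):
    """Return (group_id, group_name, description) for every egress rule open to the world.

    Rules that target another security group or a specific CIDR are not flagged.
    """
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissionsEgress", []):
            dests = open_destinations(rule)
            if dests:
                findings.append((sg["GroupId"], sg["GroupName"],
                                 f"{describe_rule(rule)} to {', '.join(dests)}"))
    return findings


def revoke_command(group_id, rule):
    """Build the CLI call that removes exactly this egress rule.

    revoke-security-group-egress must be given the rule as it exists, so the
    rule's own keys are passed back; empty lists are dropped to keep it minimal.
    """
    keys = ("IpProtocol", "FromPort", "ToPort", "IpRanges", "Ipv6Ranges")
    spec = {k: rule[k] for k in keys if rule.get(k) not in ([], None)}
    return ("aws ec2 revoke-security-group-egress --group-id "
            f"{group_id} --ip-permissions {shlex.quote(json.dumps([spec]))}")


if __name__ == "__main__":
    groups = {sg["GroupId"]: sg for sg in json.loads(SAMPLE_DESCRIBE_OUTPUT)["SecurityGroups"]}
    for group_id, name, desc in audit_egress(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id} ({name}): egress {desc}")
        for rule in groups[group_id]["IpPermissionsEgress"]:
            if open_destinations(rule):
                print("   ", revoke_command(group_id, rule))
```

Run it against real output by replacing `SAMPLE_DESCRIBE_OUTPUT` with the text of `aws ec2 describe-security-groups --group-ids <your-rds-sg>`; the printed `revoke` command is what deletes the "all-anywhere" rule, and the `rds-postgres-locked` group in the sample shows the end state the answer describes (no egress rules, return traffic still permitted because security groups are stateful).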
> Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?
It's a risk only if your RDS is in a public subnet inside your VPC.
Best practices recommend in your scenario to have a public subnet within your web server and a private subnet for all private resources (RDS, other private services, etc).
As you can see in the image, hosting your RDS inside a private subnet there is no way to access it from outside your VPC