Ensure egress filter is set as 'DROP_ALL' for AWS Application Mesh

MEDIUM

Description

The egress filter for an AWS App Mesh mesh is 'DROP_ALL' by default: Envoy proxies in the mesh may only send traffic to resources defined in the mesh (traffic to *.amazonaws.com for AWS API calls is still permitted). The setting can be changed to 'ALLOW_ALL', but that lets every workload in the mesh reach any endpoint inside or outside the mesh, so the mesh no longer bounds what a compromised or misconfigured service can talk to. It is recommended to leave the default in place. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_EgressFilter.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and open AWS Application Mesh.
  2. In the navigation, under AWS App Mesh, select Meshes.
  3. Select the Mesh you want and select the Details tab to check the Egress filter configuration attribute value.
  4. Set the Egress filter to 'DROP_ALL'.

In Terraform -

  1. In the aws_appmesh_mesh resource, set spec.egress_filter.type to "DROP_ALL" (DROP_ALL is also what the provider applies when the egress_filter block is omitted, but setting it explicitly keeps the intent visible in code review).

References:
https://docs.aws.amazon.com/app-mesh/latest/userguide/meshes.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appmesh_mesh
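The following is an added audit example, not code from the policy page or from AWS: it evaluates DescribeMesh responses, flags any mesh whose egress filter is not DROP_ALL, and carries the UpdateMesh call that restores the default. The mesh names and responses are constructed for illustration; the live functions assume boto3 and AWS credentials and are not needed to run the offline check.

```python
"""Audit AWS App Mesh meshes for an egress filter other than DROP_ALL.

Added example; not part of the original policy page. The sample
DescribeMesh responses at the bottom are constructed for illustration.
"""
from typing import Iterable, List

COMPLIANT_TYPE = "DROP_ALL"


def egress_filter_type(describe_mesh_response: dict) -> str:
    """Return the effective egress filter type for one DescribeMesh response.

    AWS documents DROP_ALL as the default, so a spec with no egressFilter
    is treated as DROP_ALL rather than flagged.
    """
    spec = describe_mesh_response.get("mesh", {}).get("spec") or {}
    return (spec.get("egressFilter") or {}).get("type", COMPLIANT_TYPE)


def noncompliant_meshes(responses: Iterable[dict]) -> List[str]:
    """Names of meshes whose egress filter is not DROP_ALL (e.g. ALLOW_ALL)."""
    return [
        r["mesh"]["meshName"]
        for r in responses
        if egress_filter_type(r) != COMPLIANT_TYPE
    ]


def drop_all_spec() -> dict:
    """The UpdateMesh spec that restores the compliant setting."""
    return {"egressFilter": {"type": COMPLIANT_TYPE}}


def audit_region(region_name: str) -> List[str]:
    """Live audit: describe every mesh in the region and report non-compliant ones.

    Requires boto3 and AWS credentials; not exercised offline.
    """
    import boto3  # imported here so the offline functions above run without it

    client = boto3.client("appmesh", region_name=region_name)
    responses = []
    for page in client.get_paginator("list_meshes").paginate():
        for mesh in page["meshes"]:
            responses.append(client.describe_mesh(meshName=mesh["meshName"]))
    return noncompliant_meshes(responses)


def remediate(mesh_name: str, region_name: str) -> None:
    """Set a mesh's egress filter back to DROP_ALL via UpdateMesh."""
    import boto3

    client = boto3.client("appmesh", region_name=region_name)
    client.update_mesh(meshName=mesh_name, spec=drop_all_spec())


# Constructed sample responses in the shape DescribeMesh returns.
SAMPLE_RESPONSES = [
    {"mesh": {"meshName": "payments-mesh",
              "spec": {"egressFilter": {"type": "DROP_ALL"}}}},
    {"mesh": {"meshName": "legacy-mesh",
              "spec": {"egressFilter": {"type": "ALLOW_ALL"}}}},
    {"mesh": {"meshName": "default-mesh", "spec": {}}},  # never set: AWS default applies
]

if __name__ == "__main__":
    for name in noncompliant_meshes(SAMPLE_RESPONSES):
        print(f"{name}: egress filter is not DROP_ALL")
```

Running the module offline reports only legacy-mesh; default-mesh is accepted because an unset filter is DROP_ALL. When wiring this into a scheduled check, call audit_region per region and feed each flagged name to remediate only after confirming that nothing in the mesh relies on reaching endpoints outside it, since switching to DROP_ALL cuts that traffic immediately.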

Policy Details

Rule Reference ID: AC_AWS_0017
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: Network Firewall

Frameworks