Ensure that Amazon App Mesh allows egress only from virtual nodes to other defined resources available within the service mesh (and any traffic to *.amazonaws.com for AWS API calls) in order to follow security best practices and meet compliance requirements.
Amazon App Mesh gives you controls to configure how traffic flows between your microservices. You can choose whether or not to allow App Mesh services to communicate with the outside world. If you choose to allow external traffic, any traffic sent to external services is forwarded through the Envoy proxies as plain TCP traffic. If you choose to deny external traffic, the proxies will not forward traffic to external services that are not defined in the mesh (the mesh egress filter is set to DROP_ALL instead of ALLOW_ALL). To adhere to cloud security best practices and minimize security risk, traffic to external services should be denied.
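The following is an added example (not part of the original page and not Conformity's own checker) that evaluates the `egressFilter` of each mesh as returned by the App Mesh `DescribeMesh` API and, optionally, applies the restrictive `DROP_ALL` setting through `UpdateMesh`. The sample mesh objects are constructed; the `audit_account` function assumes credentials with `appmesh:ListMeshes`, `appmesh:DescribeMesh` and, for remediation, `appmesh:UpdateMesh`.

```python
"""Audit Amazon App Mesh meshes for unrestricted external egress."""
from typing import Dict, List

RESTRICTED = "DROP_ALL"      # proxies forward only to mesh resources (and *.amazonaws.com)
UNRESTRICTED = "ALLOW_ALL"   # proxies forward any external traffic as TCP


def egress_filter_type(mesh: Dict) -> str:
    """Effective egress filter type of a DescribeMesh 'mesh' object.

    App Mesh applies DROP_ALL when no egressFilter is configured, so a
    missing filter is treated as the restrictive default.
    """
    return mesh.get("spec", {}).get("egressFilter", {}).get("type", RESTRICTED)


def find_unrestricted_meshes(meshes: List[Dict]) -> List[str]:
    """Names of meshes whose egress filter is ALLOW_ALL (non-compliant)."""
    return [m["meshName"] for m in meshes if egress_filter_type(m) == UNRESTRICTED]


def restrictive_spec() -> Dict:
    """Spec fragment passed to UpdateMesh to deny external egress."""
    return {"egressFilter": {"type": RESTRICTED}}


# Constructed sample in the shape of DescribeMesh responses (no real account data).
SAMPLE_MESHES = [
    {"meshName": "payments-mesh", "spec": {"egressFilter": {"type": "ALLOW_ALL"}}},
    {"meshName": "orders-mesh", "spec": {"egressFilter": {"type": "DROP_ALL"}}},
    {"meshName": "legacy-mesh", "spec": {}},  # no filter set: DROP_ALL by default
]


def audit_account(region: str, remediate: bool = False) -> List[str]:
    """Live check against one AWS region; returns the non-compliant mesh names."""
    import boto3  # imported here so the offline functions above need no AWS SDK
    client = boto3.client("appmesh", region_name=region)
    meshes = []
    for page in client.get_paginator("list_meshes").paginate():
        for ref in page["meshes"]:
            meshes.append(client.describe_mesh(meshName=ref["meshName"])["mesh"])
    offenders = find_unrestricted_meshes(meshes)
    if remediate:
        for name in offenders:
            client.update_mesh(meshName=name, spec=restrictive_spec())
    return offenders


if __name__ == "__main__":
    print("Meshes allowing external egress:", find_unrestricted_meshes(SAMPLE_MESHES))
```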
To determine if your App Mesh service meshes are configured to allow external egress traffic, perform the following operations:
Remediation / Resolution
To disable external egress traffic for your Amazon App Mesh service meshes, perform the following operations:
Restrict External Traffic
Risk level: Medium