WAF++

WAF-SOV-090 – Controlled Egress & Data Exfiltration Guardrails

Description

Outbound network traffic MUST be controlled by a default-deny or strict allow-list policy. Security groups must not permit unrestricted egress (0.0.0.0/0) without explicit justification. VPC Endpoints MUST be used to access cloud provider APIs to keep traffic on the sovereign network.

Data exfiltration detection MUST be established to alert on anomalous outbound data volumes or unexpected destinations.

Rationale

Unrestricted egress is the final valve for data that bypasses all other sovereignty controls. Even with region pinning, CMK encryption, and access controls, a compromised workload can copy entire databases to an external server if no egress control is in place.

VPC Endpoints prevent traffic from leaving the cloud provider backbone and traveling over the public internet. Exfiltration detection provides the detective control layer when preventive egress controls are insufficient or circumvented.

Threat Context

Risk – Description

Compromised application copies DB dumps – Unrestricted egress allows copying entire databases to external storage.

DNS tunneling by insider – Open outbound port used for data exfiltration via DNS tunneling.

Misconfigured data pipeline – Data pipeline routes PII to a non-sovereign external destination.

AWS API calls over the internet – Missing VPC endpoints expose traffic metadata over the public internet.

Open security group egress – Allows port scans and outbound connections to C2 servers.

Regulatory Mapping

Framework – Controls

GDPR: Art. 32 – Security of processing (network security); Art. 44–46 – Transfers to third countries

BSI C5:2020: SIM-02 – Intrusion detection; OPS-04 – Data management; NET-01 – Network security

EUCS (ENISA): IVS-09 – Network security; IVS-10 – Egress filtering

ISO 27001:2022: A.8.20 – Network security; A.8.21 – Security of network services; A.8.22 – Network segregation

BSI C3A:2026: Dimension 5 – Operational: Network security and monitoring; Dimension 5 – Operational: Disconnect and reconnect capability

Requirement

  • Security groups MUST NOT allow 0.0.0.0/0 egress without documented justification

  • VPC Endpoints MUST be present for S3, DynamoDB, KMS, ECR, and other frequently used services

  • VPC Flow Logs MUST be enabled for all VPCs

  • Network ACLs SHOULD NOT have open egress rules on all ports

  • Azure NSGs MUST NOT allow unrestricted outbound traffic to * (any destination)

  • GuardDuty or an equivalent tool MUST be enabled for exfiltration detection

  • A documented allow-list of all approved external destinations MUST exist

Implementation Guidance

  1. Security groups with explicit egress rules: no allow-all (0.0.0.0/0) rule without documented justification.

  2. Deploy VPC endpoints: reach S3, DynamoDB, KMS, ECR, STS, and other frequently used services through endpoints rather than over the public internet.

  3. Network firewall: AWS Network Firewall, Azure Firewall, or GCP Cloud Armor for centralized egress inspection.

  4. VPC Flow Logs: Enable for all VPCs; destination in approved region.

  5. Enable GuardDuty: Detect anomalous data transfer patterns; custom threat intelligence.

  6. Control DNS egress: All outbound DNS queries through an approved resolver.

  7. Create external destination allow-list: Document all approved external targets with business justification.

  8. Set up alerting: Alerts on new/unexpected destinations, large data volumes, non-standard ports.
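Steps 4, 6, 7 and 8 above describe the detective side of this control: flow logs as the data source, a documented destination allow-list and an approved resolver as the policy, and alerts on unexpected destinations or large volumes. The following Python script is an added example (not WAF++ project code and not a vendor tool) that runs exactly that logic over a few constructed VPC Flow Log v2 records. The policy values (internal CIDR, approved destination, approved resolver, volume threshold) are assumptions standing in for the organisation's documented allow-list.

```python
"""Exfiltration guardrail over VPC Flow Log records (added example).

Assumes the default VPC Flow Log v2 field order and a constructed egress
policy; replace POLICY with the documented allow-list from guidance step 7.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (default v2 format):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 44321 443 6 120 65000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 44322 443 6 90 48000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 44323 443 6 900000 734003200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 192.0.2.53 51000 53 17 40000 4096000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 10.0.0.2 51001 53 17 30 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.30 198.51.100.99 51002 4444 6 10 800 1700000000 1700000060 REJECT OK
"""

# Constructed policy (assumption): the documented allow-list of step 7 plus
# the approved resolver of step 6 and a volume threshold for step 8.
POLICY = {
    "internal": [ip_network("10.0.0.0/8")],
    "approved_destinations": [ip_network("203.0.113.0/24")],  # e.g. an approved partner API
    "approved_resolvers": [ip_network("10.0.0.2/32")],        # the only permitted DNS target
    "volume_threshold_bytes": 500_000_000,                    # per (src, dst) pair in the window
}


def parse_flow_log(text):
    """Parse v2 flow log lines into dicts; fields are positional."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[0] != "2":
            continue  # skip blanks, headers and unsupported versions
        records.append({
            "src": ip_address(fields[3]),
            "dst": ip_address(fields[4]),
            "dstport": int(fields[6]),
            "protocol": int(fields[7]),
            "bytes": int(fields[9]),
            "action": fields[12],
        })
    return records


def in_any(addr, networks):
    return any(addr in net for net in networks)


def detect_exfiltration(records, policy):
    """Return findings for accepted internal->external flows that hit a destination
    outside the allow-list, use an unapproved DNS resolver, or exceed the volume threshold."""
    findings = []
    volume = defaultdict(int)
    for r in records:
        if r["action"] != "ACCEPT":
            continue  # already blocked by SG/NACL; nothing was transferred
        if not in_any(r["src"], policy["internal"]) or in_any(r["dst"], policy["internal"]):
            continue  # only internal -> external (egress) flows matter here
        pair = (str(r["src"]), str(r["dst"]))
        volume[pair] += r["bytes"]
        if r["dstport"] == 53 and not in_any(r["dst"], policy["approved_resolvers"]):
            findings.append({"reason": "dns_egress_bypass", "src": pair[0], "dst": pair[1], "bytes": r["bytes"]})
        if not in_any(r["dst"], policy["approved_destinations"]):
            findings.append({"reason": "unapproved_destination", "src": pair[0], "dst": pair[1], "bytes": r["bytes"]})
    # Volume is judged per (src, dst) pair over the whole window, not per record,
    # so a transfer split across many small flows still trips the threshold.
    for (src, dst), total in volume.items():
        if total > policy["volume_threshold_bytes"]:
            findings.append({"reason": "large_volume", "src": src, "dst": dst, "bytes": total})
    return findings


if __name__ == "__main__":
    for f in detect_exfiltration(parse_flow_log(SAMPLE_FLOW_LOG), POLICY):
        print(f"{f['reason']:<24} {f['src']} -> {f['dst']} ({f['bytes']} bytes)")
```

On the constructed sample the script flags the 734 MB transfer to 198.51.100.7 twice (unapproved destination and large volume), the DNS query to 192.0.2.53 as a resolver bypass, and ignores the REJECTed connection on port 4444 because the preventive control already stopped it. In production the same three checks would run over records delivered to CloudWatch Logs or S3, with the alert thresholds tuned to the workload's baseline.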

Maturity Levels

Level – Name – Criteria

Level 1 – Standard security groups, open egress: Some network segmentation in place; no explicit egress policy.

Level 2 – Restricted egress, VPC endpoints deployed: Security groups restrict outbound ports; VPC endpoints for main cloud services; VPC Flow Logs enabled.

Level 3 – Default-deny egress with explicit allow-list: No security group allows 0.0.0.0/0 egress without justification; network firewall with domain allow-list; exfiltration detection in place.

Level 4 – Continuous egress monitoring and anomaly detection: GuardDuty or equivalent with custom threat intelligence; alerts on new outbound destinations within minutes; DNS egress inspection active.

Level 5 – Zero-trust network with full egress attestation: All outbound connections context-aware and policy-enforced; automated blocking of anomalous egress activity; egress compliance verified in deployment pipeline.

Terraform Checks

waf-sov-090.tf.aws.no-unrestricted-egress

Checks: Security groups must not have unrestricted egress to 0.0.0.0/0 or ::/0.

Compliant:

resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = aws_vpc.main.id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]  # Internal only
  }
  # Internet outbound requires Network Firewall
}

Non-Compliant:

resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = aws_vpc.main.id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    # ❌ Unrestricted outbound access
  }
}

waf-sov-090.tf.aws.vpc-endpoint-s3

Checks: Every aws_vpc must have a gateway endpoint for S3.

Compliant:

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.aws_region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
  policy            = data.aws_iam_policy_document.s3_endpoint_policy.json
}

Non-Compliant:

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  # ❌ No S3 VPC Endpoint –
  #    S3 traffic over public internet
}

waf-sov-090.tf.aws.vpc-flow-logs-enabled

Checks: Every aws_vpc must have VPC Flow Logs enabled.

Compliant:

resource "aws_flow_log" "main" {
  vpc_id               = aws_vpc.main.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = aws_iam_role.flow_log.arn
}

Non-Compliant:

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  # ❌ No flow log –
  #    no network audit for forensics
}

waf-sov-090.tf.azurerm.nsg-no-open-outbound

Checks: Azure NSG must not allow unrestricted outbound traffic to * (any destination).

Compliant:

resource "azurerm_network_security_rule" "outbound_https" {
  name                        = "allow-outbound-https"
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  destination_port_range      = "443"
  destination_address_prefix  = "10.0.0.0/8"  # ✅ Specific destination
  # ...
}

Non-Compliant:

resource "azurerm_network_security_rule" "all_outbound" {
  name                        = "allow-all-outbound"
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "*"
  destination_port_range      = "*"
  destination_address_prefix  = "*"  # ❌ Any destination
  # ...
}

waf-sov-090.tf.stackit.network-no-unrestricted-egress

Checks: StackIT networks must not allow unrestricted egress.

Supported providers: StackIT, OVH, Hetzner Cloud

waf-sov-090.tf.ovh.network-no-unrestricted-egress

Checks: OVH networks must not allow unrestricted egress.

waf-sov-090.tf.hcloud.network-no-unrestricted-egress

Checks: Hetzner Cloud networks must not allow unrestricted egress.
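The three AWS checks above (no-unrestricted-egress, vpc-endpoint-s3, vpc-flow-logs-enabled) can be enforced in a deployment pipeline before apply, which is what Maturity Level 5 asks for. The script below is an added example written for this page, not the WAF++ project's own checker. It assumes the JSON layout produced by `terraform show -json <plan>`: literal attribute values under `planned_values.root_module.resources[].values`, and resource references (needed because `vpc_id` is a computed value and absent from planned values) under `configuration.root_module.resources[].expressions`. The embedded plan fragment is constructed; child modules are not walked.

```python
"""Policy-as-code check for the waf-sov-090 AWS Terraform rules (added example).

Assumes the `terraform show -json` plan layout described in the lead-in.
"""
import json
import sys

UNRESTRICTED = {"0.0.0.0/0", "::/0"}

# Constructed plan fragment (assumption): aws_vpc.main is compliant,
# aws_vpc.legacy has neither an S3 gateway endpoint nor a flow log, and
# aws_security_group.open allows egress to 0.0.0.0/0.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_vpc.main", "type": "aws_vpc", "values": {"cidr_block": "10.0.0.0/16"}},
        {"address": "aws_vpc.legacy", "type": "aws_vpc", "values": {"cidr_block": "10.1.0.0/16"}},
        {"address": "aws_security_group.app", "type": "aws_security_group",
         "values": {"egress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                                "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_security_group.open", "type": "aws_security_group",
         "values": {"egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                                "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_vpc_endpoint.s3", "type": "aws_vpc_endpoint",
         "values": {"service_name": "com.amazonaws.eu-central-1.s3", "vpc_endpoint_type": "Gateway"}},
        {"address": "aws_flow_log.main", "type": "aws_flow_log", "values": {"traffic_type": "ALL"}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_vpc_endpoint.s3", "type": "aws_vpc_endpoint",
         "expressions": {"vpc_id": {"references": ["aws_vpc.main.id", "aws_vpc.main"]}}},
        {"address": "aws_flow_log.main", "type": "aws_flow_log",
         "expressions": {"vpc_id": {"references": ["aws_vpc.main.id", "aws_vpc.main"]}}},
    ]}},
}


def planned_resources(plan):
    return plan.get("planned_values", {}).get("root_module", {}).get("resources", [])


def vpc_references(plan):
    """Map resource address -> set of aws_vpc addresses its vpc_id expression references.
    Older Terraform versions emit only "aws_vpc.x.id", newer ones also "aws_vpc.x"; normalise both."""
    refs = {}
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        expr = res.get("expressions", {}).get("vpc_id", {})
        refs[res["address"]] = {
            r[:-3] if r.endswith(".id") else r
            for r in expr.get("references", []) if r.startswith("aws_vpc.")
        }
    return refs


def check_plan(plan):
    """Return (check_id, resource_address) pairs, one per violation."""
    findings = []
    resources = planned_resources(plan)
    refs = vpc_references(plan)

    # waf-sov-090.tf.aws.no-unrestricted-egress: any egress rule to 0.0.0.0/0 or ::/0
    for res in resources:
        if res["type"] != "aws_security_group":
            continue
        for rule in res["values"].get("egress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            if cidrs & UNRESTRICTED:
                findings.append(("waf-sov-090.tf.aws.no-unrestricted-egress", res["address"]))
                break

    # Per-VPC checks: an S3 gateway endpoint and a flow log must reference each VPC
    for vpc in (r["address"] for r in resources if r["type"] == "aws_vpc"):
        has_s3 = any(
            r["type"] == "aws_vpc_endpoint"
            and vpc in refs.get(r["address"], set())
            and r["values"].get("service_name", "").endswith(".s3")
            and r["values"].get("vpc_endpoint_type") == "Gateway"
            for r in resources)
        if not has_s3:
            findings.append(("waf-sov-090.tf.aws.vpc-endpoint-s3", vpc))
        has_flow_log = any(r["type"] == "aws_flow_log" and vpc in refs.get(r["address"], set())
                           for r in resources)
        if not has_flow_log:
            findings.append(("waf-sov-090.tf.aws.vpc-flow-logs-enabled", vpc))
    return findings


if __name__ == "__main__":
    # Usage: python check_egress.py plan.json   (falls back to the constructed sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = check_plan(plan)
    for check_id, address in results:
        print(f"FAIL {check_id}: {address}")
    sys.exit(1 if results else 0)
```

Run against the sample it reports three failures (the open security group and both missing resources on aws_vpc.legacy) and exits non-zero, which is enough to fail a pipeline stage. A security group rule marked as justified would need an out-of-band exception list; the check itself stays strict so that the justification is recorded rather than implied.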

Evidence

Type – Required – Description

IaC (✅ Required): Security group rules with egress restrictions; VPC endpoint resources for cloud services.

IaC (✅ Required): VPC Flow Log resources enabled for all VPCs.

Config (Optional): Network Firewall / Azure Firewall domain allow-list export.

Logs (Optional): Sample flow log or firewall log with blocked egress attempts.

Process (Optional): Documented allow-list of all approved external destinations with business justification.

Extended Regulatory Mapping

Framework – Controls

DSGVO (GDPR): Art. 44 – General principles for transfers; Art. 46 – Appropriate safeguards; Art. 28 – Processing agreement

BSI C5:2020: OPS-04 – Data management; OPS-05 – Data leakage prevention; SIM-01 – Security incident management

EUCS (ENISA): DSP-01 – Data classification; DSP-02 – Data inventory and data flow; DSP-03 – Data availability; DSP-04 – Data deletion; IAM-01 – Identity and access

ISO 27001:2022: A.5.12 – Classification of information; A.5.13 – Labelling of information; A.5.33 – Protection of records

ISO 27017: CLD.5.1 – Information security in cloud services; CLD.5.2 – Access control in cloud services

ISO 27018: A.2 – Purpose legitimacy and PII protection; A.10 – Confidentiality and security of PII

BSI C3A:2026: Domain – Data sovereignty; Domain – Cloud-specific requirements

GAIA-X: Sovereign Cloud – Requirements for data location and transparency

NIST SP 800-53: SC-1 – Cloud computing security; SC-7 – Boundary protection; SC-8 – Transmission confidentiality

NIST CSF 2.0: GV.PO – Policy; GV.RM – Risk management; GV.SC – Cybersecurity supply chain risk management

FedRAMP: SC-1, SC-7, SC-8 (High baseline)

TISAX: Information security – Data protection; Prototype protection – Sensitive data handling

ANSSI SecNumCloud: Domain – Data protection; Domain – Cloud security

BIO: BIO – Data protection; BIO – Cloud security

ENS High: ds.info.1 – Personal data; ds.info.2 – Information classification

UK NCSC CAF: B3 – Understanding data; B4 – System security

CMMC 2.0: SC.L2-3.13.16 – Protect CUI confidentiality at rest

IRAP: ISM – Data protection; ISM – Cloud security

CCCS PBMM: SC-7 – Boundary protection; SC-8 – Transmission confidentiality

MAS TRM: Ch.5 – Technology risk governance; Ch.8 – Cloud computing controls

ISMAP: Data sovereignty and cloud security

FISC: Technical measures – Data protection

Best Practice