WAF++

WAF-SOV-090 – Controlled Egress & Data Exfiltration Guardrails

Description

Outbound network traffic MUST be controlled by a default-deny or strict allow-list policy. Security groups MUST NOT permit unrestricted egress (0.0.0.0/0 or ::/0) without documented justification. VPC Endpoints MUST be used to reach cloud provider APIs so that this traffic stays on the provider's private network and never requires an internet route from the workload.

Data exfiltration detection MUST be established to alert on anomalous outbound data volumes or unexpected destinations.

Rationale

Unrestricted egress is the last gap through which data can bypass every other sovereignty control. Even with region pinning, CMK encryption, and access controls, a compromised workload can copy entire databases to an external server if no egress control is in place.

VPC Endpoints keep traffic on the cloud provider's backbone instead of the public internet. They are not an exfiltration control by themselves: an S3 gateway endpoint without a restrictive endpoint policy lets a compromised workload write to any bucket in any AWS account, so the endpoint policy should limit access to approved buckets or accounts (for example with an aws:ResourceOrgID or aws:ResourceAccount condition). Exfiltration detection provides the detective layer for the cases where preventive egress controls are insufficient or circumvented.

Threat Context

Risk – Description

Compromised application copies DB dumps – Unrestricted egress lets a compromised workload copy entire databases to external storage.

DNS tunneling by insider – Outbound port 53 open to arbitrary resolvers lets data be encoded in queries to an attacker-controlled authoritative name server, bypassing the approved resolver.

Misconfigured data pipeline – A data pipeline routes PII to a non-sovereign external destination.

AWS API calls over the internet – Without VPC endpoints, API calls are TLS-encrypted but traverse the public internet, exposing traffic metadata and requiring an internet egress path that an attacker can reuse.

Open security group egress – Allows outbound port scans and connections to C2 servers.

Regulatory Mapping

Framework: Controls

GDPR: Art. 32 – Security of processing (network security); Art. 44–46 – Transfers to third countries

BSI C5:2020: SIM-02 – Intrusion detection; OPS-04 – Data management; NET-01 – Network security

EUCS (ENISA): IVS-09 – Network security; IVS-10 – Egress filtering

ISO 27001:2022: A.8.20 – Network security; A.8.21 – Security of network services; A.8.22 – Network segregation

Requirement

  • Security groups MUST NOT allow 0.0.0.0/0 egress without documented justification

  • VPC Endpoints MUST be present for S3, DynamoDB, KMS, ECR, and other frequently used services

  • VPC Flow Logs MUST be enabled for all VPCs

  • Network ACLs SHOULD NOT allow egress on all ports to all destinations (NACLs are stateless, so return traffic for inbound connections still needs explicit allow rules on the ephemeral port range; treat them as a coarse guardrail, not the primary egress control)

  • Azure NSGs MUST NOT allow unrestricted outbound traffic to * (any destination)

  • GuardDuty or an equivalent tool MUST be enabled for exfiltration detection

  • A documented allow-list of all approved external destinations MUST exist

Implementation Guidance

  1. Security groups with explicit egress rules: No allow-all rule (0.0.0.0/0 or ::/0) without documented justification; a security group with no egress rules denies all outbound traffic.

  2. Deploy VPC endpoints: S3, DynamoDB, KMS, ECR, STS, and other frequently used services via endpoints.

  3. Network firewall: AWS Network Firewall, Azure Firewall, or GCP Cloud NGFW / Secure Web Proxy for centralized egress inspection and domain allow-listing (GCP Cloud Armor protects ingress behind load balancers and does not filter egress).

  4. VPC Flow Logs: Enable for all VPCs; destination in approved region.

  5. Enable GuardDuty: Detect anomalous data transfer patterns (for example the Behavior:EC2/TrafficVolumeUnusual and Trojan:EC2/DNSDataExfiltration finding types); add custom threat intelligence lists for known-bad destinations.

  6. Control DNS egress: All outbound DNS queries through an approved resolver; block direct port 53 egress to any other address, apply Route 53 Resolver DNS Firewall domain lists (or the equivalent) to the resolver, and enable resolver query logging so tunneling attempts are blocked and recorded.

  7. Create external destination allow-list: Document all approved external targets with business justification.

  8. Set up alerting: Alerts on new/unexpected destinations, large data volumes, non-standard ports.
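Steps 4, 6 and 8 applied to VPC Flow Log records, as an added example written for this page (not WAF++ or AWS code). It assumes the default version-2 flow log format, a hypothetical allow-list of approved external destinations with the ports each is approved for, and a Route 53 Resolver at 10.0.0.2; the log lines, the allow-list and the 198.51.100.0/24 "unknown" range are constructed. It flags DNS that bypasses the resolver, accepted flows to unapproved destinations or to approved destinations on unexpected ports, rejected egress attempts, and any external destination that receives more than the volume threshold within the batch.

```python
"""Egress anomaly detection over VPC Flow Log records (added example)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Address space considered internal; east-west traffic is out of scope here.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allow-list (constructed): approved external destination -> approved ports.
APPROVED_DESTINATIONS = {
    ipaddress.ip_network("203.0.113.0/24"): {"ports": {22, 443}, "reason": "partner SFTP/API (constructed entry)"},
}
# Only the VPC's Route 53 Resolver (VPC CIDR + 2, assumed 10.0.0.2) may receive DNS.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.2")}
VOLUME_THRESHOLD_BYTES = 100 * 1024 * 1024  # per external destination, per batch


@dataclass
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dstport: int
    protocol: int
    nbytes: int
    action: str


def parse_flow_log(lines):
    """Parse default-format flow log lines; NODATA/SKIPDATA records are dropped."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no address or byte fields to reason about
        flows.append(Flow(src=ipaddress.ip_address(rec["srcaddr"]), dst=ipaddress.ip_address(rec["dstaddr"]),
                          dstport=int(rec["dstport"]), protocol=int(rec["protocol"]),
                          nbytes=int(rec["bytes"]), action=rec["action"]))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def approved_entry(addr):
    return next((e for net, e in APPROVED_DESTINATIONS.items() if addr in net), None)


def _alert(rule, f):
    return {"rule": rule, "src": str(f.src), "dst": str(f.dst), "dstport": f.dstport, "bytes": f.nbytes}


def detect_egress_anomalies(flows):
    """Return one alert dict per rule hit; the rules mirror the alerting step above."""
    alerts = []
    volume_by_dst = defaultdict(int)
    for f in flows:
        if not is_internal(f.src):
            continue  # inbound traffic is not an egress concern
        # DNS must go through the approved resolver, whether the target is internal or not.
        if f.dstport == 53 and f.dst not in APPROVED_RESOLVERS:
            alerts.append(_alert("dns-resolver-bypass", f))
        if is_internal(f.dst):
            continue  # east-west traffic is covered by segmentation controls
        if f.action == "REJECT":
            alerts.append(_alert("blocked-egress-attempt", f))  # control fired; still investigate the source
            continue
        entry = approved_entry(f.dst)
        if entry is None:
            alerts.append(_alert("unapproved-destination", f))
        elif f.dstport not in entry["ports"]:
            alerts.append(_alert("approved-destination-unexpected-port", f))
        volume_by_dst[f.dst] += f.nbytes
    for dst, total in volume_by_dst.items():
        if total > VOLUME_THRESHOLD_BYTES:
            alerts.append({"rule": "egress-volume", "src": None, "dst": str(dst), "dstport": None, "bytes": total})
    return alerts


# Constructed sample records from one ENI in 10.0.0.0/16.
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 203.0.113.10 49152 443 6 120 5000 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 198.51.100.7 49153 443 6 540000 734000000 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 10.0.0.2 53412 53 17 3 300 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.45 8.8.8.8 53477 53 17 600 42000 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.45 198.51.100.9 41000 4444 6 4 240 1700000000 1700000600 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.23 443 49152 6 100 8000 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 10.0.5.5 49200 5432 6 50 9000 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.7 203.0.113.10 49300 8443 6 10 1500 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - - 1700000000 1700000600 - NODATA",
]

if __name__ == "__main__":
    for alert in detect_egress_anomalies(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(alert)
```

In production this runs over the flow logs delivered to the approved region (CloudWatch Logs or S3), the allow-list lives in version control with the business justification beside each entry, and the volume threshold is a per-workload baseline rather than one global number; a single 734 MB transfer to an address nobody approved is the database-dump case from the threat table.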

Maturity Levels

Level – Name: Criteria

1 – Standard security groups, open egress: Some network segmentation in place; no explicit egress policy.

2 – Restricted egress, VPC endpoints deployed: Security groups restrict outbound ports; VPC endpoints for main cloud services; VPC Flow Logs enabled.

3 – Default-deny egress with explicit allow-list: No security group allows 0.0.0.0/0 egress without justification; network firewall with domain allow-list; exfiltration detection in place.

4 – Continuous egress monitoring and anomaly detection: GuardDuty or equivalent with custom threat intelligence; alerts on new outbound destinations within minutes; DNS egress inspection active.

5 – Zero-trust network with full egress attestation: All outbound connections context-aware and policy-enforced; automated blocking of anomalous egress activity; egress compliance verified in the deployment pipeline.

Terraform Checks

waf-sov-090.tf.aws.no-unrestricted-egress

Checks: Security groups must not have unrestricted egress to 0.0.0.0/0 or ::/0.

Compliant:
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = aws_vpc.main.id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]  # Internal only
  }
  # No rule for public ranges, so internet-bound packets are dropped at the ENI.
  # Security groups match the packet's real destination, not the firewall endpoint:
  # if internet egress is needed, add a justified tcp/443 rule to 0.0.0.0/0 and
  # enforce the domain allow-list in Network Firewall.
}

Non-Compliant:
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = aws_vpc.main.id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    # ❌ Unrestricted outbound access
  }
}

waf-sov-090.tf.aws.vpc-endpoint-s3

Checks: Every aws_vpc must have a gateway endpoint for S3.

Compliant:
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.aws_region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
  policy = data.aws_iam_policy_document.s3_endpoint_policy.json
}

Non-Compliant:
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  # ❌ No S3 VPC Endpoint –
  #    S3 traffic over public internet
}

waf-sov-090.tf.aws.vpc-flow-logs-enabled

Checks: Every aws_vpc must have VPC Flow Logs enabled.

Compliant:
resource "aws_flow_log" "main" {
  vpc_id               = aws_vpc.main.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = aws_iam_role.flow_log.arn
}

Non-Compliant:
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  # ❌ No flow log –
  #    no network audit for forensics
}

waf-sov-090.tf.azurerm.nsg-no-open-outbound

Checks: Azure NSG must not allow unrestricted outbound traffic to * (any destination). Note that Azure's default AllowInternetOutBound rule (priority 65001) still permits all outbound traffic, so an allow rule like the one below only restricts egress when it is paired with an explicit Deny rule for destination * at a custom priority (100–4096) that overrides the default.

Compliant:
resource "azurerm_network_security_rule" "outbound_https" {
  name                        = "allow-outbound-https"
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  destination_port_range      = "443"
  destination_address_prefix  = "10.0.0.0/8"  # ✅ Specific destination
  # ... plus a lower-priority "Deny" rule for destination "*" to override the default
}

Non-Compliant:
resource "azurerm_network_security_rule" "all_outbound" {
  name                        = "allow-all-outbound"
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "*"
  destination_port_range      = "*"
  destination_address_prefix  = "*"  # ❌ Any destination
  # ...
}
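The four Terraform checks above as one offline policy script, as an added example (not the WAF++ check implementation) that reads the output of `terraform show -json`. It assumes the document shape that command produces: `values` for a state or `planned_values` for a plan, a `root_module` with `resources` carrying `type`, `address` and `values`, and nested `child_modules`; the sample document is constructed. It goes slightly beyond the listed checks by also treating Azure's `Internet` service tag, inline `security_rule` blocks and standalone `aws_security_group_rule` resources as open egress.

```python
"""Offline WAF-SOV-090 checks over `terraform show -json` output (added example)."""
import json
import sys

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
AZURE_ANY = {"*", "Internet"}  # "*" and the Internet service tag both mean any external destination

CHECK_SG = "waf-sov-090.tf.aws.no-unrestricted-egress"
CHECK_S3 = "waf-sov-090.tf.aws.vpc-endpoint-s3"
CHECK_FLOW = "waf-sov-090.tf.aws.vpc-flow-logs-enabled"
CHECK_NSG = "waf-sov-090.tf.azurerm.nsg-no-open-outbound"


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def sg_rule_open(rule):
    """True for an AWS egress rule whose destination is any IPv4 or any IPv6 address."""
    return ANY_V4 in (rule.get("cidr_blocks") or []) or ANY_V6 in (rule.get("ipv6_cidr_blocks") or [])


def nsg_rule_open(rule):
    """True for an Azure outbound Allow rule whose destination is any address."""
    if rule.get("direction") != "Outbound" or rule.get("access") != "Allow":
        return False
    prefixes = set(rule.get("destination_address_prefixes") or [])
    if rule.get("destination_address_prefix"):
        prefixes.add(rule["destination_address_prefix"])
    return bool(prefixes & AZURE_ANY)


def check_terraform_json(doc):
    """Return sorted (resource address, check id) pairs for every violation found."""
    root = (doc.get("planned_values") or doc.get("values") or {}).get("root_module", {})
    resources = list(iter_resources(root))
    findings = set()
    vpcs_with_s3_endpoint, vpcs_with_flow_log = set(), set()
    for r in resources:
        t, v = r["type"], r.get("values") or {}
        if t == "aws_security_group" and any(sg_rule_open(e) for e in v.get("egress") or []):
            findings.add((r["address"], CHECK_SG))
        elif t == "aws_security_group_rule" and v.get("type") == "egress" and sg_rule_open(v):
            findings.add((r["address"], CHECK_SG))  # standalone rule resources count too
        elif t == "azurerm_network_security_rule" and nsg_rule_open(v):
            findings.add((r["address"], CHECK_NSG))
        elif t == "azurerm_network_security_group" and any(nsg_rule_open(s) for s in v.get("security_rule") or []):
            findings.add((r["address"], CHECK_NSG))  # inline security_rule blocks
        elif t == "aws_vpc_endpoint" and v.get("vpc_endpoint_type") == "Gateway" \
                and str(v.get("service_name", "")).endswith(".s3"):
            vpcs_with_s3_endpoint.add(v.get("vpc_id"))
        elif t == "aws_flow_log":
            vpcs_with_flow_log.add(v.get("vpc_id"))
    for r in resources:
        if r["type"] != "aws_vpc":
            continue
        vpc_id = (r.get("values") or {}).get("id")
        if vpc_id is None:
            continue  # plan output: the id is unknown until apply, so correlate on state output instead
        if vpc_id not in vpcs_with_s3_endpoint:
            findings.add((r["address"], CHECK_S3))
        if vpc_id not in vpcs_with_flow_log:
            findings.add((r["address"], CHECK_FLOW))
    return sorted(findings)


# Constructed `terraform show -json` state: vpc "main" is compliant, vpc "legacy" is not,
# and an open security group sits in a child module to exercise the recursion.
SAMPLE_STATE = {"format_version": "1.0", "values": {"root_module": {
    "resources": [
        {"address": "aws_vpc.main", "type": "aws_vpc", "values": {"id": "vpc-0a1b2c3d4e5f60001", "cidr_block": "10.0.0.0/16"}},
        {"address": "aws_vpc.legacy", "type": "aws_vpc", "values": {"id": "vpc-0a1b2c3d4e5f60002", "cidr_block": "10.1.0.0/16"}},
        {"address": "aws_vpc_endpoint.s3", "type": "aws_vpc_endpoint", "values": {"vpc_id": "vpc-0a1b2c3d4e5f60001", "service_name": "com.amazonaws.eu-central-1.s3", "vpc_endpoint_type": "Gateway"}},
        {"address": "aws_flow_log.main", "type": "aws_flow_log", "values": {"vpc_id": "vpc-0a1b2c3d4e5f60001", "traffic_type": "ALL"}},
        {"address": "aws_security_group.app", "type": "aws_security_group", "values": {"egress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
        {"address": "azurerm_network_security_rule.outbound_https", "type": "azurerm_network_security_rule", "values": {"direction": "Outbound", "access": "Allow", "destination_address_prefix": "10.0.0.0/8", "destination_address_prefixes": []}},
        {"address": "azurerm_network_security_rule.all_outbound", "type": "azurerm_network_security_rule", "values": {"direction": "Outbound", "access": "Allow", "destination_address_prefix": "*", "destination_address_prefixes": []}},
    ],
    "child_modules": [{"address": "module.shared", "resources": [
        {"address": "module.shared.aws_security_group.legacy", "type": "aws_security_group", "values": {"egress": [{"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}]}},
    ]}],
}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_STATE
    findings = check_terraform_json(doc)
    for address, check in findings:
        print(f"FAIL {check}: {address}")
    sys.exit(1 if findings else 0)
```

Run it in the pipeline as `terraform show -json tfplan > plan.json && python check.py plan.json`; a non-zero exit blocks the deployment. The per-VPC endpoint and flow-log checks need known VPC ids, so for new VPCs they are meaningful on post-apply state output (or on a plan after adding a lookup of the `configuration` section's references), while the security group and NSG checks work on either.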

Evidence

Type – Required – Description

IaC – ✅ Required – Security group rules with egress restrictions; VPC endpoint resources for cloud services.

IaC – ✅ Required – VPC Flow Log resources enabled for all VPCs.

Config – Optional – Network Firewall / Azure Firewall domain allow-list export.

Logs – Optional – Sample flow log or firewall log with blocked egress attempts.

Process – Optional – Documented allow-list of all approved external destinations with business justification.