AuthorizeSecurityGroupEgress
AWS
AuthorizeSecurityGroupEgress
Event
Adds outbound rules to a VPC security group, permitting traffic from instances to specified destination IP ranges or security groups.
Security Context
- Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.
- Exfiltration through cloud services allows adversaries to extract data using legitimate APIs that may not trigger network-based alerts.
Log Source
CloudTrail
Sample Event
Adversarial. Draco modifies the egress rules on the OCCAMY pipeline security group (sg-0occamy00000010, persona doc) to permit outbound HTTPS (port 443) to any IPv4 address. The pre-existing egress was restricted to AWS service endpoint CIDRs. With unrestricted egress, the next stage of the attack — exfil from instances inside that SG to attacker-controlled HTTPS infrastructure — bypasses NACL-level controls. Stratus Red Team and Splunk treat this exact event-with-0.0.0.0/0-CIDR pattern as one of the sharpest exfiltration prep indicators.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T21:14:08Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupEgress", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "groupId": "sg-0occamy00000010", "ipPermissions": { "items": [ { "ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "groups": {}, "ipRanges": { "items": [ { "cidrIp": "0.0.0.0/0" } ] }, "ipv6Ranges": {}, "prefixListIds": {} } ] } }, "responseElements": { "requestId": "90000000-0000-4000-8000-000001111000", "_return": true, "securityGroupRuleSet": { "items": [ { "securityGroupRuleId": "sgr-0666exfil666666666", "groupOwnerId": "555123456789", "groupId": "sg-0occamy00000010", "isEgress": true, "ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "cidrIpv4": "0.0.0.0/0" } ] } }, "requestID": "90000000-0000-4000-8000-000001111000", "eventID": "90000000-0000-4000-8000-000001111001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Exfiltration
Techniques:
- T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
- T1048 — Exfiltration Over Alternative Protocol — Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.