Skip to content

AuthorizeSecurityGroupEgress

AWS

AuthorizeSecurityGroupEgress

service: AWS - EC2
techniques:

Event

Adds outbound rules to a VPC security group, permitting traffic from instances to specified destination IP ranges or security groups.

Security Context

  • Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.
  • Exfiltration through cloud services allows adversaries to extract data using legitimate APIs that may not trigger network-based alerts.

Log Source

CloudTrail

Sample Event

Adversarial. Draco modifies the egress rules on the OCCAMY pipeline security group (sg-0occamy00000010, persona doc) to permit outbound HTTPS (port 443) to any IPv4 address. The pre-existing egress was restricted to AWS service endpoint CIDRs. With unrestricted egress, the next stage of the attack — exfil from instances inside that SG to attacker-controlled HTTPS infrastructure — bypasses NACL-level controls. Stratus Red Team and Splunk treat this exact event-with-0.0.0.0/0-CIDR pattern as one of the sharpest exfiltration prep indicators.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:14:08Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupEgress",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"groupId": "sg-0occamy00000010",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 443,
"toPort": 443,
"groups": {},
"ipRanges": {
"items": [
{
"cidrIp": "0.0.0.0/0"
}
]
},
"ipv6Ranges": {},
"prefixListIds": {}
}
]
}
},
"responseElements": {
"requestId": "90000000-0000-4000-8000-000001111000",
"_return": true,
"securityGroupRuleSet": {
"items": [
{
"securityGroupRuleId": "sgr-0666exfil666666666",
"groupOwnerId": "555123456789",
"groupId": "sg-0occamy00000010",
"isEgress": true,
"ipProtocol": "tcp",
"fromPort": 443,
"toPort": 443,
"cidrIpv4": "0.0.0.0/0"
}
]
}
},
"requestID": "90000000-0000-4000-8000-000001111000",
"eventID": "90000000-0000-4000-8000-000001111001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Exfiltration

Techniques:
  • T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
  • T1048 — Exfiltration Over Alternative Protocol — Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.