CoursesAWS security engineeringNetwork security & segmentation

Egress control & Network Firewall

Domain allowlists, DNS Firewall, exfiltration defense.

Advanced35 min · lesson 11 of 15

Almost everyone filters inbound and leaves outbound wide open — yet exfiltration and command-and-control both leave through egress. A compromised workload with unrestricted outbound streams your data anywhere and pulls down the next attack stage. Controlling what can leave, and logging the rest, turns a silent breach into a blocked, alerting event.

Constrain and inspect outbound

For most workloads the legitimate egress list is short and stable, which makes an allowlist practical. AWS Network Firewall adds stateful L3–L7 inspection, domain allowlists, and Suricata-style IPS rules at the VPC edge — capabilities security groups and NACLs lack. Route 53 Resolver DNS Firewall blocks resolution of known-malicious or unapproved domains and logs every lookup, cutting off C2 and exfil channels and giving you a high-value hunting record.

a domain allowlist at the VPC edge
# AWS Network Firewall stateful rule group: allow egress only to approved
# domains, drop everything else (and log the drops).
{
"RulesSource": { "RulesString":
"pass tls any any -> any any (tls.sni; content:\".amazonaws.com\"; endswith; sid:1;)\n" +
"pass tls any any -> any any (tls.sni; content:\".github.com\"; endswith; sid:2;)\n" +
"drop tls any any -> any any (msg:\"unapproved egress\"; sid:99;)" }
}
# Workloads have no direct 0.0.0.0/0 route; the firewall endpoint is the only path out.

Record everything

Layer detection under the controls: VPC flow logs record who talked to what for after-the-fact reconstruction, and DNS query logs expose tunnelling (long, high-entropy subdomains; abnormal query volume to one domain) that is how data leaves networks blocking ordinary egress. Each layer is cheap alone and compounding together — the firewall blocks, DNS filtering catches names, flow logs let you reconstruct intent.

Layered egress controls
restrict the path
no default route out
private subnets
Network Firewall allowlist
approved domains only
inspect + record
DNS Firewall
block known-bad, log lookups
VPC flow logs
reconstruct after the fact
Unrestricted egress is free C2 and exfiltration. Default-deny outbound is one of the highest-leverage and most commonly missing controls.
Open egress is a ready-made C2 channel
If a compromised instance can open arbitrary outbound connections, the attacker already has exfiltration and command-and-control with no further privilege needed. Default-deny egress with an allowlist closes that channel — prioritize it.