AWS Security Group for RDS – Outbound rules

Tags: amazon-rds, amazon-web-services

I have a security group assigned to an RDS instance which allows port 5432 traffic from our EC2 instances.

However, this security group has all outbound traffic enabled for all traffic for all IP's.

Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

Best Answer

Is this a security risk?

Theoretically, yes. In practicality, there's almost certainly no significant risk, but anything allowed that isn't needed is arguably a "risk."

What should be the ideal outbound security rule?

Nothing should be allowed, because your database doesn't need to initiate connections. Explanation follows.

In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?

Almost correct, but technically incorrect (or ambiguously stated).

The instances aren't using port 5432 on their side. That's the destination port. The source port on the instance side typically changes with each connection.

Security groups are stateful and their rules are only needed to allow the initiation of connections. Response traffic is automatically allowed, without configuration.

“Security groups are stateful — responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa.”

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#VPCSecurityGroups

Inbound connections to the database have a destination port of 5432. The single inbound rule thus allows these connections to be established and the reply traffic to be returned.

The outbound "allow" rule in the database security group is not actually doing anything now.

The database doesn't initiate connections, so nothing outbound should need to be allowed. This remains true even in the case of replication within RDS. The RDS machines clearly must connect to each other in such a configuration, but it turns out they have their own "hidden" network across which they can establish these connections, and it does not depend on your security group settings.
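The check below is an added example, not part of the question or the answer above. It audits security group definitions in the JSON shape that `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`) returns, flagging exactly the two points the answer makes: any egress rule on a database group is unnecessary because the group is stateful and the database initiates nothing, and ingress should be just the database port with the EC2 security group, not a CIDR, as the source. The group ids, names and rules in `SAMPLE` are constructed for illustration; the first group mirrors the questioner's setup with the default "all traffic to 0.0.0.0/0" egress rule that AWS attaches to every new group, the second is the hardened form with no egress at all.

```python
"""Audit AWS security groups intended for a database that never opens connections.

Added example (not from the original Q&A). Input is the dict returned by
`aws ec2 describe-security-groups` / boto3 describe_security_groups, so it can
be run offline on the constructed SAMPLE below or on real output loaded via json.
"""
import json

DB_PORT = 5432                      # PostgreSQL, the port from the question
WIDE_OPEN = {"0.0.0.0/0", "::/0"}   # "anywhere" in IPv4 and IPv6

# Constructed sample data: three groups with made-up ids.
SAMPLE = {
    "SecurityGroups": [
        {   # As in the question: correct ingress, default wide-open egress.
            "GroupId": "sg-0000000000000db01", "GroupName": "rds-postgres",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0000000000000app1"}]}],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []}],
        },
        {   # Hardened: same ingress, no egress rules at all.
            "GroupId": "sg-0000000000000db02", "GroupName": "rds-postgres-hardened",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0000000000000app1"}]}],
            "IpPermissionsEgress": [],
        },
        {   # Sloppy: ingress from the whole internet plus the default egress.
            "GroupId": "sg-0000000000000db03", "GroupName": "rds-postgres-sloppy",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []}],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []}],
        },
    ]
}


def _cidrs(perm):
    """IPv4 and IPv6 CIDRs referenced by one permission entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def _label(perm):
    """Readable protocol/port label; IpProtocol "-1" means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "-1/all"
    return f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_db_group(group, db_port=DB_PORT):
    """Return (severity, message) findings for a group guarding a database."""
    findings = []
    # Egress: statefulness already lets replies out, and the DB initiates
    # nothing, so every outbound rule is surplus. Wide-open "all" is the worst.
    for perm in group.get("IpPermissionsEgress", []):
        dests = _cidrs(perm) + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        for dest in dests or ["(no destination)"]:
            wide = dest in WIDE_OPEN and perm.get("IpProtocol") == "-1"
            findings.append(("HIGH" if wide else "LOW",
                             f"egress {_label(perm)} to {dest} is not needed"))
    # Ingress: exactly tcp/db_port, sourced from a security group rather than
    # a CIDR so the rule follows the EC2 instances instead of their addresses.
    for perm in group.get("IpPermissions", []):
        exact = (perm.get("IpProtocol") == "tcp"
                 and perm.get("FromPort") == db_port
                 and perm.get("ToPort") == db_port)
        if not exact:
            findings.append(("HIGH", f"ingress {_label(perm)} is broader than tcp/{db_port}"))
        for cidr in _cidrs(perm):
            findings.append(("HIGH" if cidr in WIDE_OPEN else "MEDIUM",
                             f"ingress {_label(perm)} from CIDR {cidr}; "
                             "prefer the EC2 security group as source"))
    return findings


def audit_all(describe_output, db_port=DB_PORT):
    """Map GroupId -> findings for every group in describe-security-groups output."""
    return {g["GroupId"]: audit_db_group(g, db_port)
            for g in describe_output["SecurityGroups"]}


def audit_json(text, db_port=DB_PORT):
    """Same as audit_all, for raw CLI output captured as a JSON string."""
    return audit_all(json.loads(text), db_port)


if __name__ == "__main__":
    for gid, items in audit_all(SAMPLE).items():
        print(gid, "OK" if not items else "")
        for sev, msg in items:
            print(f"  [{sev}] {msg}")
```

Run it as-is to see the three verdicts, or pipe real output through `audit_json`. The hardened group produces no findings: its only rule is the inbound 5432 rule, and as the answer explains, the reply traffic for those connections is allowed by statefulness without any egress rule.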
