https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/for-outbound-rules-for-instances-that-need-access-to-external/m-p/531168#M897 <P>We use the cloud service AWS.</P> <P>&nbsp;</P> <P>The following issue has been detected in Prisma Cloud.</P> <P>&nbsp;</P> <P>&gt; This policy detects security groups where network 0.0.0.0/0 and ::0/0 are used. This policy detects security groups where network 0.0.0.0/0 and ::0/0 are used.<BR />&gt; Select "outbound rules" and click "edit outbound rules"<BR />&gt; Locate rules containing 0.0.0.0/0 or ::/0 and delete them by selecting "x" icon</P> <P>&nbsp;</P> <P>The ECS assigned to this security group must have access to the Twitter API.</P> <P>&nbsp;</P> <P>The problem is that the IP of the Twitter API can change.</P> <P>If the IP of the Twitter API is assigned to a security group outbound, it will be inaccessible when the IP changes.</P> <P>&nbsp;</P> <P>We have come up with the following solution to this problem.</P> <P>&nbsp;</P> <P>If ECS tries to access the Twitter API and cannot<BR />The DNS server is queried for the Twitter IP and the outbound security group is updated.</P> <P>However, this method may not be updated in time and may cause errors in high traffic situations.</P> <P>&nbsp;</P> <P>Is there another better solution ?</P> <P>&nbsp;</P> <P>How do you all respond to such alerts ?</P> Wed, 15 Feb 2023 02:07:19 GMT iwata2023 2023-02-15T02:07:19Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/for-outbound-rules-for-instances-that-need-access-to-external/m-p/531168#M897 <P>We use the cloud service AWS.</P> <P>&nbsp;</P> <P>The following issue has been detected in Prisma Cloud.</P> <P>&nbsp;</P> <P>&gt; This policy detects security groups where network 0.0.0.0/0 and ::0/0 are used. This policy detects security groups where network 0.0.0.0/0 and ::0/0 are used.<BR />&gt; Select "outbound rules" and click "edit outbound rules"<BR />&gt; Locate rules containing 0.0.0.0/0 or ::/0 and delete them by selecting "x" icon</P> <P>&nbsp;</P> <P>The ECS assigned to this security group must have access to the Twitter API.</P> <P>&nbsp;</P> <P>The problem is that the IP of the Twitter API can change.</P> <P>If the IP of the Twitter API is assigned to a security group outbound, it will be inaccessible when the IP changes.</P> <P>&nbsp;</P> <P>We have come up with the following solution to this problem.</P> <P>&nbsp;</P> <P>If ECS tries to access the Twitter API and cannot<BR />The DNS server is queried for the Twitter IP and the outbound security group is updated.</P> <P>However, this method may not be updated in time and may cause errors in high traffic situations.</P> <P>&nbsp;</P> <P>Is there another better solution ?</P> <P>&nbsp;</P> <P>How do you all respond to such alerts ?</P> Wed, 15 Feb 2023 02:07:19 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/for-outbound-rules-for-instances-that-need-access-to-external/m-p/531168#M897 iwata2023 2023-02-15T02:07:19Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/for-outbound-rules-for-instances-that-need-access-to-external/m-p/532001#M898 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/273876">@iwata2023</a>&nbsp;</P> <P><STRONG>Given</STRONG> twitter's API endpoint IPs are changing and that twitter is assigned a class A, B or C address range,</P> <P><STRONG>Then</STRONG> why don't you use CIDR notation for the AWS Scecrity Group's outbound rule?</P> <P>See&nbsp;<A href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing" target="_blank" rel="noopener">https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing</A></P> <P>&nbsp;</P> <P><SPAN>As an example, if you enter 199.167.52.5/32, only one IP address is allowed. If you enter 199.167.52.0/24, it allows all IP addresses within the range of 199.167.52.0 to 199.167.52.255.</SPAN></P> <P>&nbsp;</P> <P>In that way, you won't have to detect and remediate twitter API endpoint address(es) in your security group(s).&nbsp; Rather, you trust the range of IP addresses that twitter's API endpoints may occupy.</P> Thu, 23 Feb 2023 13:46:06 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/for-outbound-rules-for-instances-that-need-access-to-external/m-p/532001#M898 TommyHunt 2023-02-23T13:46:06Z