eli-383 restricting http out from VPC beyond account/VPC level

[eddalmond1]

Description

Adding further restrictions on HTTP out from our VPC

Context

From pen test:

A security group was configured that allowed overly permissive ingress and egress access to HTTPS. As each subnet associated with the security group was private and had no route to the Internet, this configuration presented a reduced risk. Despite this, permitting all outbound traffic flows did not reflect security best practice, which recommends that access from resources to other services be restricted in as granular a manner as possible.

The following table shows the affected Security Group rules:

sg-078a48e2cbe15c84d

This is the 'main-vpc' SG, we should look at restricting it:

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I am familiar with the contributing guidelines
• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.