Guides

Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.

Suggest Edits

Risk Level: High
Cloud Entity: Amazon NACL
CloudGuard Rule ID: D9.AWS.NET.73
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

NACL should not have inbound with [ source='0.0.0.0/0' and action='ALLOW' and ( ( destinationPort<=22 and destinationPortTo>=22 ) or ( destinationPort<=3389 and destinationPortTo>=3389 ) ) ]

REMEDIATION

From Portal

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. In the left pane, click Network ACLs
  3. For each network ACL to remediate, perform the following:
  • Select the network ACL
  • Click the Inbound Rules tab
  • Click Edit inbound rules
  • Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click Delete to remove the offending inbound rule
  • Click Save

From TF

Change cidr_block in a terraform file to a specific IP or IP range:
resource "aws_network_acl" "main" {
	...
	ingress {
		...
		cidr_block = "IP_OR_IP_RANGE"
	}
}

From Command Line
To replace an existing inbound rule, run:

aws ec2 replace-network-acl-entry --network-acl-id NETWORK-ACL-ID --ingress --rule-number RULE-NUMBER --protocol PROTOCOL --port-range From=FROM-PORT,To=TO-PORT --cidr-block RESTRICTIVE-CIDR --rule-action allow

References

  1. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl
  3. https://docs.aws.amazon.com/cli/latest/reference/ec2/replace-network-acl-entry.html

Amazon NACL

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset

Updated about 1 year ago