Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22
and RDP to port 3389
.
Risk Level: High
Cloud Entity: Amazon NACL
CloudGuard Rule ID: D9.AWS.NET.73
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NACL should not have inbound with [ source='0.0.0.0/0' and action='ALLOW' and ( ( destinationPort<=22 and destinationPortTo>=22 ) or ( destinationPort<=3389 and destinationPortTo>=3389 ) ) ]
REMEDIATION
From Portal
- Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
- In the left pane, click
Network ACLs
- For each network ACL to remediate, perform the following:
- Select the network ACL
- Click the
Inbound Rules
tab - Click
Edit inbound rules
- Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click
Delete
to remove the offending inbound rule - Click
Save
From TF
Change cidr_block in a terraform file to a specific IP or IP range:
resource "aws_network_acl" "main" {
...
ingress {
...
cidr_block = "IP_OR_IP_RANGE"
}
}
From Command Line
To replace an existing inbound rule, run:
aws ec2 replace-network-acl-entry --network-acl-id NETWORK-ACL-ID --ingress --rule-number RULE-NUMBER --protocol PROTOCOL --port-range From=FROM-PORT,To=TO-PORT --cidr-block RESTRICTIVE-CIDR --rule-action allow
References
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl
- https://docs.aws.amazon.com/cli/latest/reference/ec2/replace-network-acl-entry.html
Amazon NACL
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CSA CCM v.4.0.1
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago