Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22
and RDP to port 3389
.
Risk Level: High
Cloud Entity: Amazon NACL
CloudGuard Rule ID: D9.CFT.NET.01
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
AWS_EC2_NetworkAclEntry where Egress!=true should not have (CidrBlock='0.0.0.0/0' and RuleAction='allow')
REMEDIATION
From CFT
Set AWS::EC2::NetworkAclEntry CidrBlock
property to be other than '0.0.0.0/0' for an ingress network
References
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
Amazon NACL
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated over 1 year ago