Ensure no Network ACLs allow ingress from to remote server administration ports

The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.

Risk Level: High
Cloud Entity: Amazon NACL
CloudGuard Rule ID: D9.CFT.NET.01
Covered by Spectral: Yes
Category: Networking & Content Delivery


AWS_EC2_NetworkAclEntry where Egress!=true should not have (CidrBlock='' and RuleAction='allow')


From CFT
Set AWS::EC2::NetworkAclEntry CidrBlock property to be other than '' for an ingress network


  1. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
  2. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison

Amazon NACL

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

Compliance Frameworks

  • AWS CloudFormation ruleset