Ensure that your AWS Network Access Control Lists (NACLs) do not have ineffective or misconfigured DENY rules that promote overly permissive access to your VPC. An AWS Network ACL is an additional layer of defense for your Virtual Private Cloud (VPC): essentially a network firewall in which you set rules that allow or deny access to a specific port or IP range. An AWS NACL contains a numbered list of rules that are evaluated in order, starting with the lowest-numbered rule (e.g. 100), to determine whether traffic is allowed in or out of the associated VPC subnet(s). The order of the DENY rules within your Network ACLs is crucial: because rules are evaluated in order, the first rule that matches the traffic is applied regardless of any higher-numbered rule that contradicts it, so a DENY rule numbered above a broader ALLOW rule is ineffective.
Using effective NACL DENY rules to regulate the traffic to and from your VPC adds an additional layer of security and protects against malicious activity such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Note: As an example, this Cloud Conformity rule assumes that the verified NACL(s) are assigned to a public subnet whose instances can receive and send Internet traffic over port 80 (HTTP) and the ephemeral ports 1024-65535, and that traffic over port 2049 (NFS), a port vulnerable to denial of service attacks, is blocked entirely.
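The ordering problem can be checked offline against the entries returned by the EC2 DescribeNetworkAcls API. The following is an added example, not Cloud Conformity's own check; it models only IPv4 rules with a PortRange (protocol and ICMP fields are omitted), uses constructed entries in which a DENY for port 2049 at rule 300 sits behind the ephemeral-port ALLOW at rule 200, and shows that renumbering the DENY below the ALLOW makes it effective.

```python
import ipaddress

# Constructed inbound NACL entries in the shape of DescribeNetworkAcls -> Entries.
# Rule 300 is meant to block NFS (2049), but rule 200 already allows 1024-65535
# from anywhere, so rule 300 is never reached for that traffic.
MISCONFIGURED = [
    {"RuleNumber": 100, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 200, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 300, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 2049, "To": 2049}},
    {"RuleNumber": 32767, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},
]

def _matches(entry, src_ip, port):
    net = ipaddress.ip_network(entry["CidrBlock"])
    pr = entry["PortRange"]
    return ipaddress.ip_address(src_ip) in net and pr["From"] <= port <= pr["To"]

def evaluate(entries, src_ip, port):
    """Apply the NACL the way AWS does: first matching rule, lowest RuleNumber first."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if _matches(entry, src_ip, port):
            return entry["RuleAction"]
    return "deny"  # nothing matched: the ACL's implicit default is deny

def shadowed_deny_rules(entries):
    """Return DENY rule numbers whose CIDR and whole port range are already
    covered by a lower-numbered ALLOW, i.e. DENY rules that can never fire."""
    ordered = sorted(entries, key=lambda e: e["RuleNumber"])
    shadowed = []
    for i, deny in enumerate(ordered):
        if deny["RuleAction"] != "deny":
            continue
        dnet = ipaddress.ip_network(deny["CidrBlock"])
        for allow in ordered[:i]:
            if allow["RuleAction"] != "allow":
                continue
            anet = ipaddress.ip_network(allow["CidrBlock"])
            if (dnet.subnet_of(anet)
                    and allow["PortRange"]["From"] <= deny["PortRange"]["From"]
                    and deny["PortRange"]["To"] <= allow["PortRange"]["To"]):
                shadowed.append(deny["RuleNumber"])
                break
    return shadowed

def renumber(entries, rule_number, new_number):
    """Give one entry a new RuleNumber (the remediation: move the DENY ahead of the ALLOW)."""
    return [dict(e, RuleNumber=new_number) if e["RuleNumber"] == rule_number else e
            for e in entries]
```

Running `shadowed_deny_rules(MISCONFIGURED)` reports rule 300; after `renumber(MISCONFIGURED, 300, 50)` port 2049 evaluates to deny while ports 80 and 8080 still evaluate to allow.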
To determine if your AWS Network ACLs have ineffective or misconfigured DENY rules, perform the following:
To reconfigure any ineffective AWS NACL DENY rules in order to block the traffic to the necessary port at the subnet level, perform the following: