
Unrestricted Network ACL Inbound Traffic

Security

Risk level: Medium (should be achieved)

Check your AWS Network Access Control Lists (NACLs) for inbound rules that allow traffic from all ports and limit access to the required ports or port ranges only in order to implement the principle of least privilege and reduce the possibility of unauthorized access at the subnet level.

Regulating the subnets' inbound/ingress traffic by opening just the ports required by your applications adds an additional layer of security to your VPC and protects against malicious activity such as Denial of Service (DoS) attacks or Distributed Denial of Service (DDoS) attacks.

Audit

To determine if your Amazon Network ACLs allow inbound traffic from all ports, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to examine.

05 Select the Inbound Rules tab from the dashboard bottom panel.

06 Verify the value available in the Port Range column for any inbound NACL rules defined. If one or more rules have the Port Range attribute value set to ALL, the selected AWS Network ACL allows inbound/ingress traffic from all ports, therefore the access to the VPC subnets associated with your Network ACL is not restricted.

07 Repeat steps no. 4 – 6 to verify other Amazon Network ACLs available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-network-acls command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS NACLs currently available in the selected region:

aws ec2 describe-network-acls \
	--region us-east-1 \
	--output table \
	--query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested IDs:

---------------------
|DescribeNetworkAcls|
+-------------------+
|  acl-ba5fdb81     |
|  acl-db3fa052     |
|  acl-c02b5f17     |
+-------------------+

03 Run describe-network-acls command (OSX/Linux/UNIX) using the ID returned at the previous step as identifier and custom filtering to list all the rules defined for the selected Network ACL:

aws ec2 describe-network-acls \
	--region us-east-1 \
	--network-acl-ids acl-ba5fdb81 \
	--query 'NetworkAcls[*].Entries[]'

04 The command output should return the metadata for the requested rules:

[
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": true,
        "RuleAction": "allow"
    },
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 32767,
        "Protocol": "-1",
        "Egress": true,
        "RuleAction": "deny"
    },

    ...

    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": false,
        "RuleAction": "allow"
    },
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 32767,
        "Protocol": "-1",
        "Egress": false,
        "RuleAction": "deny"
    }
]

Each JSON object returned at the previous step (separated by commas) represents a NACL rule. To identify the inbound rules for the selected NACL, check for entries (JSON objects) that have the "Egress" parameter set to false and the "RuleAction" parameter set to "allow". Then determine whether any of these inbound rules has the PortRange parameter defined. If none of the verified rules have the PortRange parameter explicitly defined, the selected AWS Network ACL allows inbound/ingress traffic from all ports, therefore the access to the VPC subnets associated with the selected Network ACL is not restricted (i.e. the NACL configuration is not secured).

05 Repeat step no. 3 and 4 to verify other Amazon Network ACLs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
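The CLI audit above is a manual read of the describe-network-acls JSON. The script below is an added example (not Cloud Conformity's own code) that applies the same check to that output: it keeps only inbound (Egress=false) allow rules and flags those with no PortRange, which is what a Protocol "-1" rule looks like. It goes slightly beyond the manual procedure in two ways, both assumptions of the example rather than statements from the page: a TCP/UDP rule whose explicit range is 0-65535 is also treated as unrestricted, and ICMP rules (protocol numbers 1 and 58), which carry IcmpTypeCode instead of PortRange, are not flagged because they have no ports. The NACL IDs reuse those shown in the audit output; the rule sets for the second and third ACLs are constructed for illustration.

```python
"""Flag Network ACL inbound rules that allow traffic on all ports.

Added example, not code from the original page. It parses the JSON that
`aws ec2 describe-network-acls --output json` prints and reports every
NACL whose inbound (Egress=false) allow rule is not limited to a port
range.
"""
import json
import sys

# Constructed sample shaped like describe-network-acls output. The first
# ACL mirrors the rules shown in the audit above; the other two are invented.
SAMPLE_OUTPUT = json.dumps({
    "NetworkAcls": [
        {
            "NetworkAclId": "acl-ba5fdb81",
            "Entries": [
                {"CidrBlock": "0.0.0.0/0", "RuleNumber": 100, "Protocol": "-1",
                 "Egress": True, "RuleAction": "allow"},
                {"CidrBlock": "0.0.0.0/0", "RuleNumber": 32767, "Protocol": "-1",
                 "Egress": True, "RuleAction": "deny"},
                {"CidrBlock": "0.0.0.0/0", "RuleNumber": 100, "Protocol": "-1",
                 "Egress": False, "RuleAction": "allow"},
                {"CidrBlock": "0.0.0.0/0", "RuleNumber": 32767, "Protocol": "-1",
                 "Egress": False, "RuleAction": "deny"},
            ],
        },
        {
            "NetworkAclId": "acl-db3fa052",
            "Entries": [
                {"CidrBlock": "0.0.0.0/0", "RuleNumber": 100, "Protocol": "6",
                 "PortRange": {"From": 443, "To": 443},
                 "Egress": False, "RuleAction": "allow"},
                # Explicit full range: just as open as Protocol "-1".
                {"CidrBlock": "0.0.0.0/0", "RuleNumber": 200, "Protocol": "6",
                 "PortRange": {"From": 0, "To": 65535},
                 "Egress": False, "RuleAction": "allow"},
                {"CidrBlock": "0.0.0.0/0", "RuleNumber": 32767, "Protocol": "-1",
                 "Egress": False, "RuleAction": "deny"},
            ],
        },
        {
            "NetworkAclId": "acl-c02b5f17",
            "Entries": [
                {"CidrBlock": "10.0.0.0/8", "RuleNumber": 100, "Protocol": "6",
                 "PortRange": {"From": 22, "To": 22},
                 "Egress": False, "RuleAction": "allow"},
                {"CidrBlock": "0.0.0.0/0", "RuleNumber": 32767, "Protocol": "-1",
                 "Egress": False, "RuleAction": "deny"},
            ],
        },
    ]
})

# IANA protocol numbers for ICMP and ICMPv6: these rules have no ports.
PORTLESS_PROTOCOLS = {"1", "58"}


def allows_all_ports(entry):
    """True when a rule's port coverage is unrestricted.

    Protocol "-1" (all protocols) carries no PortRange; a TCP/UDP rule with
    no PortRange, or with 0-65535, covers every port as well. ICMP rules
    are port-less and therefore never flagged (assumption of this example).
    """
    if entry.get("Protocol") in PORTLESS_PROTOCOLS:
        return False
    port_range = entry.get("PortRange")
    if port_range is None:
        return True
    return port_range.get("From", 0) <= 0 and port_range.get("To", 0) >= 65535


def unrestricted_inbound_rules(describe_output):
    """Map NACL ID -> sorted rule numbers of inbound allow rules open on all ports."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    findings = {}
    for acl in data.get("NetworkAcls", []):
        flagged = [
            entry["RuleNumber"]
            for entry in acl.get("Entries", [])
            if not entry.get("Egress")                 # inbound rules only
            and entry.get("RuleAction") == "allow"     # deny rules restrict, not expose
            and allows_all_ports(entry)
        ]
        if flagged:
            findings[acl["NetworkAclId"]] = sorted(flagged)
    return findings


if __name__ == "__main__":
    # Pipe real output in, or run with no stdin to use the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for acl_id, rules in unrestricted_inbound_rules(source).items():
        print(f"{acl_id}: inbound allow rule(s) {rules} permit traffic on all ports")
```

Against the constructed sample the script reports acl-ba5fdb81 (rule 100, Protocol "-1") and acl-db3fa052 (rule 200, explicit 0-65535) and stays silent on acl-c02b5f17, whose only allow rule is limited to port 22. To audit a real region, pipe the command into it: `aws ec2 describe-network-acls --region us-east-1 --output json | python3 nacl_audit.py`, then repeat per region as in step 06.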

Remediation / Resolution

To update your AWS NACL inbound rules configuration in order to allow traffic from specific source port or source port range only, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Inbound Rules tab from the dashboard bottom panel.

06 Click the Edit button to update the current configuration by performing the following actions:

  1. In the Rule # box, enter a unique number (for example, 100). To make it easier to add a new rule later without having to renumber the existing rules, AWS recommends leaving gaps between the rule numbers (such as 100, 200, 300) rather than using sequential numbers (e.g. 101, 102, 103).
  2. Select a predefined rule from the Type dropdown list that is not allowing inbound/ingress traffic from all ports. For example, to add a rule for HTTPS, choose HTTPS and AWS will fill in the port number for you. To use a protocol that is not predefined, choose Custom Protocol Rule and select it from the Protocol list. If the chosen protocol requires a port number, enter the necessary port number or port range separated by a hyphen (for example, 2049-2055) in the Port Range box.
  3. In the Source box, enter the CIDR range that the rule applies to (e.g. 0.0.0.0/0 or ::/0).
  4. From the Allow / Deny dropdown list, select ALLOW to allow the inbound traffic from specified source port or source port range.
  5. (Optional) To add another inbound rule, click the Add another rule button and repeat steps 1 to 4 as required.
  6. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 to reconfigure other Amazon Network ACLs that allow inbound traffic from all ports.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the inbound/ingress rule(s) that allow traffic from all ports (see Audit section part II to identify the right Amazon NACL). The following command example replaces an existing inbound rule, identified by the rule number 100, with an HTTPS rule that allows access only from port 443, within an AWS Network ACL identified by the ID acl-ba5fdb81 (the command does not produce an output):

aws ec2 replace-network-acl-entry \
	--region us-east-1 \
	--network-acl-id acl-ba5fdb81 \
	--ingress \
	--rule-number 100 \
	--protocol tcp \
	--port-range From=443,To=443 \
	--cidr-block 0.0.0.0/0 \
	--rule-action allow

02 (Optional) To create additional inbound rules within your AWS Network ACL, run the create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates an SSH ingress rule with the identification number set to 200 that allows access only on port 22 (TCP) from a single source address, within an Amazon Network ACL identified by the ID acl-ba5fdb81 (the command does not return an output):

aws ec2 create-network-acl-entry \
	--region us-east-1 \
	--network-acl-id acl-ba5fdb81 \
	--ingress \
	--rule-number 200 \
	--protocol tcp \
	--port-range From=22,To=22 \
	--cidr-block 105.20.77.67/32 \
	--rule-action allow

03 Repeat steps no. 1 and 2 (optional) to reconfigure other Amazon Network ACLs that allow inbound traffic from all ports.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Publication date Feb 24, 2017