
Unrestricted Network ACL Outbound Traffic

Security

Risk level: Medium (should be achieved)

Check your AWS Network Access Control Lists (NACLs) for outbound rules that allow traffic to all ports, and limit access to only the required ports or port ranges, in order to implement the principle of least privilege and reduce the possibility of unauthorized access at the subnet level.

Controlling the outbound traffic of one or more subnets by opening just the ports required by your applications will add an additional layer of security to your VPC (a second layer of defense after security groups).

Audit

To determine if your Amazon Network ACL rules allow outbound traffic to all ports, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to examine.

05 Select the Outbound Rules tab from the dashboard bottom panel.

06 Verify the value shown in the Port Range column for each outbound NACL rule defined. If one or more rules have the Port Range attribute value set to ALL, i.e.

Port Range ALL

the selected AWS Network ACL allows outbound/egress traffic to all ports, therefore the access to the Internet for any VPC subnets associated with your Network ACL is not restricted.

07 Repeat steps no. 4 – 6 to verify other Amazon Network ACLs available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-network-acls command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS NACLs currently available in the selected region:

aws ec2 describe-network-acls \
	--region us-east-1 \
	--output table \
	--query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested IDs:

---------------------
|DescribeNetworkAcls|
+-------------------+
|  acl-b9fe40b3     |
|  acl-33dfdb55     |
+-------------------+

03 Run the describe-network-acls command (OSX/Linux/UNIX) again, using an ID returned at the previous step as identifier and custom filtering to list all the rules defined for the selected Network ACL:

aws ec2 describe-network-acls \
	--region us-east-1 \
	--network-acl-ids acl-b9fe40b3 \
	--query 'NetworkAcls[*].Entries[]'

04 The command output should return the requested rules information:

[
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": true,
        "RuleAction": "allow"
    },
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 32767,
        "Protocol": "-1",
        "Egress": true,
        "RuleAction": "deny"
    },

    ...

    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": false,
        "RuleAction": "allow"
    },
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 32767,
        "Protocol": "-1",
        "Egress": false,
        "RuleAction": "deny"
    }
]

Each JSON object returned at the previous step, separated by a comma, represents a NACL rule (an entry). To identify the outbound rules for the selected NACL, check for entries that have the "Egress" parameter set to true and the "RuleAction" parameter set to "allow". Then determine whether each of these outbound rules has a PortRange parameter defined. If one or more of these rules has no PortRange parameter (a "Protocol" value of "-1" matches all traffic and corresponds to the ALL value shown in the console), the selected Amazon Network ACL allows outbound/egress traffic to all ports, therefore the access to the Internet for the subnets associated with the AWS NACL is not restricted.

05 Repeat steps no. 3 and 4 to verify other Amazon Network ACLs created in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
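The check described in the CLI audit steps above can be automated over the JSON that describe-network-acls returns. The script below is an added example written for this page; it is not Cloud Conformity's own code or an AWS tool. It assumes the rule-entry fields shown in step 04 (Egress, RuleAction, Protocol, PortRange) and a constructed sample document in the same shape. It goes slightly beyond the page's criterion: besides rules without a PortRange (protocol "-1"), it also flags a TCP or UDP rule whose explicit range spans every port, which has the same effect.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-acls` output
# (not real AWS data). The ACL ID is a placeholder.
SAMPLE_DESCRIBE_OUTPUT = """
{
  "NetworkAcls": [
    {
      "NetworkAclId": "acl-EXAMPLE00000001",
      "Entries": [
        {"CidrBlock": "0.0.0.0/0", "RuleNumber": 100, "Protocol": "-1",
         "Egress": true, "RuleAction": "allow"},
        {"CidrBlock": "0.0.0.0/0", "RuleNumber": 110, "Protocol": "6",
         "PortRange": {"From": 0, "To": 65535},
         "Egress": true, "RuleAction": "allow"},
        {"CidrBlock": "0.0.0.0/0", "RuleNumber": 120, "Protocol": "6",
         "PortRange": {"From": 443, "To": 443},
         "Egress": true, "RuleAction": "allow"},
        {"CidrBlock": "0.0.0.0/0", "RuleNumber": 130, "Protocol": "1",
         "IcmpTypeCode": {"Type": -1, "Code": -1},
         "Egress": true, "RuleAction": "allow"},
        {"CidrBlock": "0.0.0.0/0", "RuleNumber": 32767, "Protocol": "-1",
         "Egress": true, "RuleAction": "deny"},
        {"CidrBlock": "0.0.0.0/0", "RuleNumber": 100, "Protocol": "-1",
         "Egress": false, "RuleAction": "allow"}
      ]
    }
  ]
}
"""

# Protocol numbers for which AWS honours a port range / ICMP type on a NACL entry.
PORT_AWARE_PROTOCOLS = {"6", "17"}   # TCP, UDP
ICMP_PROTOCOLS = {"1", "58"}          # ICMP, ICMPv6


def allows_all_ports(entry):
    """Return True when an 'allow' entry permits traffic on every destination port.

    The page's criterion: no PortRange on the rule, i.e. Protocol "-1" (ALL in
    the console). AWS also treats any protocol other than TCP/UDP/ICMP as
    'all ports', so those are flagged too. An explicit 0-65535 (or 1-65535)
    TCP/UDP range is flagged as an added, equivalent case. ICMP rules have no
    port concept and are not flagged.
    """
    if entry.get("RuleAction") != "allow":
        return False
    protocol = str(entry.get("Protocol", "-1"))
    if protocol in ICMP_PROTOCOLS:
        return False
    if protocol not in PORT_AWARE_PROTOCOLS:
        return True  # "-1" or another protocol number: ports are not evaluated
    port_range = entry.get("PortRange")
    if port_range is None:
        return True  # TCP/UDP rule with no range at all
    return port_range.get("From", 0) <= 1 and port_range.get("To", 0) >= 65535


def unrestricted_egress_rules(entries):
    """Rule numbers of outbound allow rules that permit all destination ports."""
    return sorted(e["RuleNumber"] for e in entries
                  if e.get("Egress") and allows_all_ports(e))


def audit_network_acls(describe_output_json):
    """Map each NACL ID to its offending outbound rule numbers (only non-compliant ACLs)."""
    doc = json.loads(describe_output_json)
    findings = {}
    for acl in doc.get("NetworkAcls", []):
        offending = unrestricted_egress_rules(acl.get("Entries", []))
        if offending:
            findings[acl["NetworkAclId"]] = offending
    return findings


if __name__ == "__main__":
    # To audit a real region, feed the script the output of:
    #   aws ec2 describe-network-acls --region <region> --output json
    for acl_id, rules in audit_network_acls(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{acl_id}: outbound rule(s) {rules} allow traffic to all ports")
```

In the sample, rule 100 (protocol "-1") and rule 110 (TCP 0-65535) are reported; rule 120 (TCP 443 only), the ICMP rule 130, the default deny 32767 and the inbound rule 100 are not. The same criterion can be applied to the inbound entries by testing for Egress equal to false, which is the companion check for inbound NACL rules.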

Remediation / Resolution

To update your AWS NACL outbound rules configuration so that it allows traffic only to a specific destination port or port range, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Outbound Rules tab from the dashboard bottom panel.

06 Click the Edit button to update the current configuration by performing the following actions:

  1. In the Rule # box, enter a unique number (for example, 100) for the current rule. To make it easier to add a new rule later without having to renumber the existing rules, AWS recommends leaving gaps between the rule numbers (such as 100, 200, 300), rather than using sequential numbers (e.g. 101, 102, 103).
  2. Select a predefined rule from the Type dropdown list that does not allow outbound/egress traffic to all ports. For example, to add a rule for HTTP, choose HTTP and AWS will fill in the port number for you. To use a protocol that is not predefined, choose Custom Protocol Rule and select it from the Protocol list. If the selected protocol requires a port number, enter the necessary port number or port range separated by a hyphen (for example, 32770-32800) in the Port Range box.
  3. In the Destination box, enter the CIDR range that the rule applies to (e.g. 0.0.0.0/0 or ::/0).
  4. From the Allow / Deny dropdown list, select ALLOW to allow the outbound traffic to the specified destination port or port range.
  5. (Optional) To add another outbound rule, click the Add another rule button and repeat steps 1 to 4 as required.
  6. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 to reconfigure other Amazon Network ACLs that allow outbound traffic to all ports.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the replace-network-acl-entry command (OSX/Linux/UNIX) to replace the outbound/egress rule(s) that allow traffic to all ports (see Audit section part II to identify the right AWS NACL). The following command example replaces an existing outbound rule, identified by the number 100, with an HTTP rule that allows access only to TCP port 80, within an AWS Network ACL identified by the ID acl-b9fe40b3 (the command does not produce any output):

aws ec2 replace-network-acl-entry \
	--region us-east-1 \
	--network-acl-id acl-b9fe40b3 \
	--egress \
	--rule-number 100 \
	--protocol tcp \
	--port-range From=80,To=80 \
	--cidr-block 0.0.0.0/0 \
	--rule-action allow

02 (Optional) To create additional outbound rules within your AWS Network ACL, run the create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates a DNS egress rule with rule number 200 that allows access only to UDP port 53, within an Amazon Network ACL identified by the ID acl-b9fe40b3 (the command does not return any output):

aws ec2 create-network-acl-entry \
	--region us-east-1 \
	--network-acl-id acl-b9fe40b3 \
	--egress \
	--rule-number 200 \
	--protocol udp \
	--port-range From=53,To=53 \
	--cidr-block 0.0.0.0/0 \
	--rule-action allow

03 Repeat steps no. 1 and 2 (the latter optional) to reconfigure other Amazon Network ACLs that allow outbound traffic to all ports.

04 Change the AWS region by updating the --region command parameter value and repeat the remediation process for other regions.

Publication date Feb 24, 2017