Ineffective Network ACL DENY Rules

Risk level: High (not acceptable risk)

Rule ID: VPC-015

Ensure that your AWS Network Access Control Lists (NACLs) do not have ineffective or misconfigured DENY rules that promotes overly-permissive access to your VPC. An AWS Network ACL is an additional layer of defense for your Virtual Private Cloud (VPC), basically a network firewall where you can set rules that allow or deny access to a specific port or IP range. An AWS NACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule (e.g. 100), to determine whether the traffic is allowed in or out of the associated VPC subnet(s). The order of the DENY rules within your Network ACLs is crucial as these are evaluated in order and any ineffective or deficient DENY rule can be applied regardless of any higher-numbered rule that may contradict it.

This rule resolution is part of the Cloud Conformity solution

Security

Using effective NACL DENY rules to regulate the traffic to and from your VPC will add an additional layer of security and protect against malicious activity such as such as Denial of Service (DoS) attacks or Distributed Denial of Service (DDoS) attacks.

Note: As example, this rule Cloud Conformity assumes that the verified NACL(s) are assigned to a public subnet with instances that can receive and send Internet traffic over port 80 (HTTP) and ephemeral ports 1024-65535 and block entirely the traffic over port 2049 (NFS), port vulnerable to denial of service attacks.

Audit

To determine if your AWS Network ACLs have ineffective or misconfigured DENY rules, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to examine.

05 Select the Inbound Rules tab from the dashboard bottom panel.

06 Verify the DENY rule defined to block inbound traffic to vulnerable port 2049 for the selected Network ACL. If the rule does not block access to everyone (0.0.0.0/0), e.g.

If the rule does not block access to everyone

Note: IPv6 CIDR block is (::/0)

the verified inbound DENY rule is declared ineffective and should be reconfigured to protect against DOS/DDOS attacks. Since AWS NACL rules are processed in order to decide whether to allow or deny traffic, as soon as the faulty DENY rule matches traffic, it's applied regardless of any higher-numbered rule that could contradict it, e.g.

07 Select the Outbound Rules tab from the dashboard bottom panel and repeat step no. 6 to determine if the outbound DENY rule is also ineffective within the current setup.

08 Repeat steps no. 4 – 7 to verify other Amazon Network ACLs available in the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-network-acls command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS NACLs currently available in the selected region:

aws ec2 describe-network-acls
	--region us-east-1
	--output table
	--query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested IDs:

---------------------
|DescribeNetworkAcls|
+-------------------+
|  acl-ca53db46     |
|  acl-ab3fa019     |
+-------------------+

03 Run describe-network-acls command (OSX/Linux/UNIX) using an ID returned at the previous step as identifier and custom filtering (using JMESPath query language for JSON) to list all the inbound and outbound DENY rules defined for the selected Network ACL:

aws ec2 describe-network-acls
	--region us-east-1
	--network-acl-ids acl-ca53db46
	--query 'NetworkAcls[*].Entries[?(RuleAction==`deny`)]'

04 The command output should return the metadata for the requested rules:

[
    [
        {
            "RuleNumber": 150,
            "Protocol": "6",
            "PortRange": {
                "To": 2049,
                "From": 2049
            },
            "Egress": true,
            "RuleAction": "deny",
            "CidrBlock": "54.209.0.0/16"
        },
        {
            "CidrBlock": "0.0.0.0/0",
            "RuleNumber": 32767,
            "Protocol": "-1",
            "Egress": true,
            "RuleAction": "deny"
        },

        ...

        {
            "RuleNumber": 150,
            "Protocol": "6",
            "PortRange": {
                "To": 2049,
                "From": 2049
            },
            "Egress": false,
            "RuleAction": "deny",
            "CidrBlock": "54.209.0.0/16"
        },
        {
            "CidrBlock": "0.0.0.0/0",
            "RuleNumber": 32767,
            "Protocol": "-1",
            "Egress": false,
            "RuleAction": "deny"
        }
    ]
]

Each JSON object returned at the previous step, separated by a comma, represents a NACL DENY rule. Now determine if any of these inbound/outbound rules have the CidrBlock parameter value different than "0.0.0.0/0". If there are any rules with CidrBlock value set to a specific IP or an IP range other than 0.0.0.0/0, e.g. 54.209.0.0/16, the DENY rules defined for the selected AWS Network ACL are declared ineffective and should be reconfigured. Since AWS NACL rules are evaluated in order to decide whether to allow or deny traffic, as soon as the ineffective DENY rule matches traffic, it's applied regardless of any higher-numbered rule that could contradict it.

Note: IPv6 CIDR block is (::/0)

05 Repeat step no. 3 and 4 to verify other Amazon Network ACLs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To reconfigure any ineffective AWS NACL DENY rules in order to block the traffic to the necessary port at the subnet level, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to reconfigure.

05 Select the Inbound Rules tab from the dashboard bottom panel.

06 Click the Edit button to update the selected NACL inbound rules.

07 Choose the ineffective DENY rule (see Audit section part I to identify the right inbound rule) and replace the IP address/IP range defined within the Source box with 0.0.0.0/0. The selected DENY rule must keep the existing rule number within the current configuration as the NACL rules are evaluated in order to decide whether to allow or deny traffic. By setting the Source address to 0.0.0.0/0, the incoming traffic is restricted to the entire Internet not just to a specific machine or network.

Note: IPv6 address to ::/0

08 Click Save to apply the changes.

09 Select the Outbound Rules tab from the dashboard bottom panel and repeat steps no. 6 – 8 to reconfigure any ineffective outbound DENY rule in order to block the outgoing traffic. Once the outbound rule is updated, click Save to apply the changes.

10 Repeat steps no. 4 – 9 to reconfigure any ineffective DENY rules defined for other Amazon Network ACLs.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the overly-permissive inbound DENY rule defined within the selected Network ACL (see Audit section part II to identify the right Amazon NACL). The selected DENY rule must keep the existing rule number as the NACL rules are evaluated in order to decide whether to allow or deny traffic. The following command example replaces an ineffective DENY rule, identified by the rule number 150, with an effective one that blocks traffic to vulnerable port 2049, within an AWS Network ACL identified by the ID acl-ca53db46 (the command does not produce an output):

aws ec2 replace-network-acl-entry
	--region us-east-1
	--network-acl-id acl-ca53db46
	--ingress
	--rule-number 150
	--protocol tcp
	--port-range From=2049,To=2049
	--cidr-block 0.0.0.0/0
	--rule-action deny

Note: If you use IPv6 CIDR block, Please change " --cidr-block 0.0.0.0/0 " to " --ipv6-cidr-block ::/0".

02 Run again replace-network-acl-entry command (OSX/Linux/UNIX) and change the --ingress attribute with --egress in order to replace the ineffective outbound DENY rule defined within the selected Network ACL. The following command example replaces an ineffective DENY outbound rule, identified by the rule number 150, with the one that blocks entirely the traffic to vulnerable port 2049, within an AWS NACL identified by the ID acl-ca53db46 (the command does not return an output):

aws ec2 replace-network-acl-entry
	--region us-east-1
	--network-acl-id acl-ca53db46
	--egress
	--rule-number 150
	--protocol tcp
	--port-range From=2049,To=2049
	--cidr-block 0.0.0.0/0
	--rule-action deny

Note: If you use IPv6 CIDR block, Please change " --cidr-block 0.0.0.0/0 " to " --ipv6-cidr-block ::/0".

03 Repeat step no. 1 and 2 to reconfigure any ineffective DENY rules defined for other Amazon Network ACLs.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

AWS Documentation
Network ACLs
Recommended Network ACL Rules for Your VPC
Amazon VPC FAQs

AWS Command Line Interface (CLI) Documentation
ec2
describe-network-acls
replace-network-acl-entry

Publication date May 2, 2017

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Ineffective Network ACL DENY Rules

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related VPC rules