Ensure that your AWS Network Access Control Lists (NACLs) do not have ineffective or misconfigured DENY rules that promotes overly-permissive access to your VPC. An AWS Network ACL is an additional layer of defense for your Virtual Private Cloud (VPC), basically a network firewall where you can set rules that allow or deny access to a specific port or IP range. An AWS NACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule (e.g. 100), to determine whether the traffic is allowed in or out of the associated VPC subnet(s). The order of the DENY rules within your Network ACLs is crucial as these are evaluated in order and any ineffective or deficient DENY rule can be applied regardless of any higher-numbered rule that may contradict it.
This rule resolution is part of the Cloud Conformity solution
Using effective NACL DENY rules to regulate the traffic to and from your VPC will add an additional layer of security and protect against malicious activity such as such as Denial of Service (DoS) attacks or Distributed Denial of Service (DDoS) attacks.
Note: As example, this rule Cloud Conformity assumes that the verified NACL(s) are assigned to a public subnet with instances that can receive and send Internet traffic over port 80 (HTTP) and ephemeral ports 1024-65535 and block entirely the traffic over port 2049 (NFS), port vulnerable to denial of service attacks.
Audit
To determine if your AWS Network ACLs have ineffective or misconfigured DENY rules, perform the following:
Remediation / Resolution
To reconfigure any ineffective AWS NACL DENY rules in order to block the traffic to the necessary port at the subnet level, perform the following:
References
- AWS Documentation
- Network ACLs
- Recommended Network ACL Rules for Your VPC
- Amazon VPC FAQs
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-network-acls
- replace-network-acl-entry
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
for and
Get started for FREE
You are auditing:
Ineffective Network ACL DENY Rules
Risk level: High