Unrestricted Network ACL Inbound Traffic

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to examine.

05 Select the Inbound Rules tab from the dashboard bottom panel.

06 Verify the value available in the Port Range column for any inbound NACL rules defined. If one or more rules have the Port Range attribute value set to ALL, i.e.

the selected AWS Network ACL allows inbound/ingress traffic from all ports, therefore the access to the VPC subnets associated with your Network ACL is not restricted.

07 Repeat steps no. 4 – 6 to verify other Amazon Network ACLs available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run describe-network-acls command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS NACLs currently available in the selected region:

aws ec2 describe-network-acls
	--region us-east-1
	--output table
	--query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested IDs:

---------------------
|DescribeNetworkAcls|
+-------------------+
|  acl-ba5fdb81     |
|  acl-db3fa052     |
|  acl-c02b5f17     |
+-------------------+

03 Run describe-network-acls command (OSX/Linux/UNIX) using the ID returned at the previous step as identifier and custom filtering to list all the rules defined for the selected Network ACL:

aws ec2 describe-network-acls
	--region us-east-1
	--network-acl-ids acl-ba5fdb81
	--query 'NetworkAcls[*].Entries[]'

04 The command output should return the metadata for the requested rules:

[
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": true,
        "RuleAction": "allow"
    },
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 32767,
        "Protocol": "-1",
        "Egress": true,
        "RuleAction": "deny"
    },

    ...

    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": false,
        "RuleAction": "allow"
    },
    {
        "CidrBlock": "0.0.0.0/0",
        "RuleNumber": 32767,
        "Protocol": "-1",
        "Egress": false,
        "RuleAction": "deny"
    }
]

05 Repeat step no. 3 and 4 to verify other Amazon Network ACLs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Inbound Rules tab from the dashboard bottom panel.

06 Click the Edit button to update the current configuration by performing the following actions:

1. In Rule # box, enter a unique number (for example, 100). To make it easier to add later a new rule without having to renumber the existing rules, AWS recommends leaving gaps between the rule numbers (such as 100, 200, 300), rather than using sequential numbers (e.g. 101, 102, 103).
2. Select a predefined rule from the Type dropdown list that is not allowing inbound/ingress traffic from all ports. For example, to add a rule for HTTPS, choose HTTPS and AWS will fill in the port number for you. To use a protocol that is not predefined, choose Custom Protocol Rule and select it from the Protocol list. If the chosen protocol requires a port number, enter the necessary port number or port range separated by a hyphen (for example, 2049-2055) in the Port Range box.
3. In the Source box, enter the CIDR range that the rule applies to (e.g. 0.0.0.0/0 or ::/0).
4. From the Allow / Deny dropdown list, select ALLOW to allow the inbound traffic from specified source port or source port range.
5. (Optional) To add another inbound rule, click Add another rule button and repeat steps a. to d. as required.
6. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 to reconfigure other Amazon Network ACLs that allow inbound traffic to all ports.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

01 Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the inbound/ingress rule(s) that allow traffic from all ports (see Audit section part II to identify the right Amazon NACL). The following command example replaces an existing inbound rule, identified by the rule number 100, with an HTTPS rule that allows access only from port 443, within an AWS Network ACL identified by the ID acl-ba5fdb81 (the command does not produce an output):

aws ec2 replace-network-acl-entry
	--region us-east-1
	--network-acl-id acl-ba5fdb81
	--ingress
	--rule-number 100
	--protocol tcp
	--port-range From=443,To=443
	--cidr-block 0.0.0.0/0
	--rule-action allow

02 (Optional) To create additional inbound rules within your AWS Network ACL run create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates an SSH ingress rule with the identification number set to 200, that allows access only from port 22 (TCP), within an Amazon Network ACL identified by the ID acl-ba5fdb81 (the command does not return an output):

aws ec2 create-network-acl-entry
	--region us-east-1
	--network-acl-id acl-ba5fdb81
	--ingress
	--rule-number 200
	--protocol tcp
	--port-range From=22,To=22
	--cidr-block 105.20.77.67/32
	--rule-action allow

03 Repeat step no. 1 and 2 (optional) to reconfigure other Amazon Network ACLs that allow inbound traffic from all ports.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.