
Unrestricted Network ACL Inbound Traffic

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VPC-011

Check your Amazon VPC Network Access Control Lists (NACLs) for inbound ALLOW rules that permit traffic on all ports, and limit access to the required ports or port ranges only, in order to implement the Principle of Least Privilege (POLP) and reduce the possibility of unauthorized access at the subnet level.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Restricting the inbound (ingress) traffic allowed into your VPC subnets to the ports your applications actually need adds a subnet-level layer of defense on top of security groups, and reduces the attack surface exposed to port scanning, unauthorized access and Denial of Service (DoS) / Distributed Denial of Service (DDoS) attacks. Keep in mind that Network ACLs are stateless: a rule that allows inbound TCP port 443 does not automatically permit the response packets, so the outbound rules must separately allow the ephemeral port range used for return traffic (for example 1024-65535).


Audit

To determine if your Network ACLs (NACLs) allow inbound traffic from all ports, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL (NACL) that you want to examine.

05 Choose the Inbound rules tab from the console bottom panel and check the value available in the Port Range column for each ALLOW rule. If one or more ALLOW rules have the Port Range value set to All (or to the full range 0 - 65535, as created by the All TCP and All UDP types), the selected Amazon VPC Network ACL allows inbound/ingress traffic on all ports, therefore the access to the VPC subnets associated with your Network ACL is not restricted.

06 Repeat steps no. 4 and 5 for other Network ACLs available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-network-acls command (OSX/Linux/UNIX) with custom query filters to list the ID of each Network ACL (NACL) available in the selected AWS region:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --output table \
  --query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested NACL IDs:

---------------------
|DescribeNetworkAcls|
+-------------------+
|   acl-abcd1234    |
|   acl-1234abcd    |
+-------------------+

03 Run describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list all the inbound ALLOW rules defined for the selected NACL:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --network-acl-ids acl-abcd1234 \
  --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`false`)] | []'

04 The command output should return the ALLOW rule(s) configured for inbound traffic:

[
    {
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": false,
        "CidrBlock": "0.0.0.0/0",
        "RuleAction": "allow"
    }
]

Each JSON object returned by the describe-network-acls command output represents an ALLOW rule. If an ALLOW rule does not have a "PortRange" attribute defined, as shown in the output example above (the rule matches all protocols, "Protocol": "-1"), the rule allows inbound/ingress traffic on all ports, therefore the access to the VPC subnets associated with the selected Network ACL (NACL) is not restricted. A TCP or UDP ALLOW rule whose "PortRange" spans "From": 0 to "To": 65535 is equally unrestricted and should be treated the same way.

05 Repeat steps no. 3 and 4 for other Amazon VPC Network ACLs available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
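The audit above can be automated over the JSON output of describe-network-acls. The following Python script is an added example (not Conformity's or AWS's own code) that applies the same logic to a constructed sample of that output, treating both a missing "PortRange" (protocol -1) and a 0-65535 range as unrestricted. The NACL IDs and entries in the sample are made up for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-network-acls --output json`.
# The NACL IDs and entries are fictitious (assumption for this example).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NetworkAcls": [
        {
            "NetworkAclId": "acl-abcd1234",
            "Entries": [
                # protocol -1, no PortRange: allows every port from anywhere
                {"RuleNumber": 100, "Protocol": "-1", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
                # the default deny rule is not an ALLOW rule and must be ignored
                {"RuleNumber": 32767, "Protocol": "-1", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
            ],
        },
        {
            "NetworkAclId": "acl-1234abcd",
            "Entries": [
                # compliant: TCP 443 only
                {"RuleNumber": 100, "Protocol": "6", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "allow",
                 "PortRange": {"From": 443, "To": 443}},
                # "All TCP" from a private range: still every port, still flagged
                {"RuleNumber": 110, "Protocol": "6", "Egress": False,
                 "CidrBlock": "10.0.0.0/8", "RuleAction": "allow",
                 "PortRange": {"From": 0, "To": 65535}},
                # outbound rule: out of scope for this check
                {"RuleNumber": 100, "Protocol": "-1", "Egress": True,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
            ],
        },
    ]
})


def allows_all_ports(entry):
    """True if the entry matches every destination port: protocol -1 (all
    traffic, no PortRange attribute) or a TCP/UDP range covering 0-65535."""
    if entry["Protocol"] == "-1":
        return True
    port_range = entry.get("PortRange")
    return (port_range is not None
            and port_range["From"] == 0 and port_range["To"] == 65535)


def find_unrestricted_inbound(describe_json):
    """Return (nacl_id, rule_number, protocol, cidr) for every inbound ALLOW
    rule that does not restrict the destination port."""
    findings = []
    for acl in json.loads(describe_json)["NetworkAcls"]:
        for entry in acl["Entries"]:
            if entry["Egress"] or entry["RuleAction"] != "allow":
                continue
            if allows_all_ports(entry):
                cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
                findings.append((acl["NetworkAclId"], entry["RuleNumber"],
                                 entry["Protocol"], cidr))
    return findings


if __name__ == "__main__":
    for nacl_id, rule, proto, cidr in find_unrestricted_inbound(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{nacl_id}: inbound rule {rule} (protocol {proto}) "
              f"from {cidr} allows all ports")
```

To run it against a real region, save `aws ec2 describe-network-acls --region us-east-1 --output json` to a file and pass the file contents to find_unrestricted_inbound instead of the constructed sample; repeat per region, as in the manual procedure.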

Remediation / Resolution

To reconfigure your Network ACL inbound rules so that they allow traffic on specific destination ports or port ranges only (the NACL Port Range applies to the port the traffic is addressed to, not to the source port), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Allow Inbound Traffic on Specific Destination Port/Port Range Only",
  "Resources": {
    "AWSVPCNetwork": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default"
      }
    },
    "VPCNetworkACL": {
        "Type": "AWS::EC2::NetworkAcl",
        "Properties": {
            "VpcId": {
              "Ref": "AWSVPCNetwork"
            }
        }
    },
    "HTTPSTrafficInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
            "NetworkAclId": {
                "Ref": "VPCNetworkACL"
            },
            "RuleNumber": 100,
            "Protocol": 6,
            "RuleAction": "allow",
            "CidrBlock": "0.0.0.0/0",
            "PortRange": {
                "From": 443,
                "To": 443
            }
        }
    },
    "SSHTrafficInboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
            "NetworkAclId": {
                "Ref": "VPCNetworkACL"
            },
            "RuleNumber": 200,
            "Protocol": 6,
            "RuleAction": "allow",
            "CidrBlock": "10.0.0.67/32",
            "PortRange": {
                "From": 22,
                "To": 22
            }
        }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Allow Inbound Traffic on Specific Destination Port/Port Range Only
Resources:
  AWSVPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
  VPCNetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref 'AWSVPCNetwork'
  HTTPSTrafficInboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref 'VPCNetworkACL'
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      CidrBlock: '0.0.0.0/0'
      PortRange:
        From: 443
        To: 443
  SSHTrafficInboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref 'VPCNetworkACL'
      RuleNumber: 200
      Protocol: 6
      RuleAction: allow
      CidrBlock: 10.0.0.67/32
      PortRange:
        From: 22
        To: 22

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support = true
  instance_tenancy = "default"
}

resource "aws_network_acl" "vpc-network-acl" {
  vpc_id = aws_vpc.aws-vpc-network.id
}

# Allow inbound traffic on a specific destination port only (HTTPS, TCP 443)
resource "aws_network_acl_rule" "https-traffic-inbound-rule" {
  network_acl_id = aws_network_acl.vpc-network-acl.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 443
  to_port        = 443
}

# Allow inbound traffic on a specific destination port only (SSH, TCP 22, from a single host)
resource "aws_network_acl_rule" "ssh-traffic-inbound-rule" {
  network_acl_id = aws_network_acl.vpc-network-acl.id
  rule_number    = 200
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "10.0.0.67/32"
  from_port      = 22
  to_port        = 22
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL (NACL) that you want to reconfigure.

05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

06 On the Edit inbound rules configuration page, perform the following actions:

  1. Choose the ALLOW rule that you want to reconfigure and change the following attributes:
    • Select a predefined type of traffic from the Type dropdown list, except the All traffic, All TCP and All UDP predefined types, which allow inbound/ingress traffic on all ports. For example, to add a rule for HTTPS traffic, choose HTTPS and the AWS console will fill in the port number for you. To use a custom protocol, choose the Custom Protocol type and select the desired (supported) protocol from the Protocol dropdown list.
    • In the Source box, enter the CIDR range that the rule applies to (e.g. 0.0.0.0/0).
    • Select Allow from the Allow/Deny dropdown list to allow the inbound traffic on the specified destination port or port range.
  2. (Optional) To add another ALLOW rule, choose Add new rule and repeat step 1 as required.
  3. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 to reconfigure other Network ACLs that allow inbound traffic from all ports.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the inbound/ingress rule(s) that allow traffic from all ports. The following command example replaces a non-compliant inbound ALLOW rule, identified by the rule number 100, with an HTTPS rule that allows access for TCP port 443 only, within a Network ACL identified by the ID acl-abcd1234 (the command does not produce an output):

aws ec2 replace-network-acl-entry \
  --region us-east-1 \
  --network-acl-id acl-abcd1234 \
  --ingress \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=443,To=443 \
  --cidr-block 0.0.0.0/0 \
  --rule-action allow

02 (Optional) To create additional inbound ALLOW rules for your Network ACL (NACL) run create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates an SSH ingress rule with the identification number set to 200, that allows access for TCP port 22 only, within a NACL identified by the ID acl-1234abcd (the command does not return an output):

aws ec2 create-network-acl-entry \
  --region us-east-1 \
  --network-acl-id acl-1234abcd \
  --ingress \
  --rule-number 200 \
  --protocol tcp \
  --port-range From=22,To=22 \
  --cidr-block 10.0.0.67/32 \
  --rule-action allow

03 Repeat steps no. 1 and 2 to reconfigure other Amazon VPC Network ACLs that allow ingress traffic from all ports.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
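Because Network ACLs are stateless, the inbound rules created by the remediation above are only half of the configuration: the VPC evaluates each direction separately, in ascending rule number, and the first matching rule wins, with the default rule (32767) denying everything else. The following Python simulator is an added example (not Conformity's or AWS's code) that models that evaluation and shows why a TCP session to port 443 is still dropped until an outbound rule for the ephemeral port range exists, and how a lower-numbered DENY shadows a later ALLOW. The rule sets and IP addresses are constructed for illustration.

```python
import ipaddress

ALL_PROTOCOLS = "-1"
TCP = "6"


def first_match(entries, egress, protocol, dst_port, peer_ip):
    """Evaluate NACL entries the way the VPC does for one direction:
    ascending RuleNumber, first matching rule decides, implicit deny at the end.
    `dst_port` is the port the packet is addressed to (the NACL Port Range)."""
    candidates = sorted((e for e in entries if e["Egress"] == egress),
                        key=lambda e: e["RuleNumber"])
    for entry in candidates:
        if entry["Protocol"] not in (ALL_PROTOCOLS, protocol):
            continue
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(entry["CidrBlock"]):
            continue
        port_range = entry.get("PortRange")  # absent for protocol -1
        if port_range and not (port_range["From"] <= dst_port <= port_range["To"]):
            continue
        return entry["RuleAction"]
    return "deny"  # the default rule (*) / 32767


def tcp_session_allowed(entries, client_ip, client_port, server_port):
    """A TCP session needs the SYN in (dst = server_port) AND the SYN-ACK out
    (dst = client's ephemeral port); NACLs do not track state, so both must match."""
    inbound = first_match(entries, False, TCP, server_port, client_ip)
    outbound = first_match(entries, True, TCP, client_port, client_ip)
    return inbound == "allow" and outbound == "allow"


# Constructed rule sets mirroring the remediated NACL on this page (assumed values).
REMEDIATED_INBOUND = [
    {"RuleNumber": 100, "Protocol": TCP, "Egress": False, "CidrBlock": "0.0.0.0/0",
     "RuleAction": "allow", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 200, "Protocol": TCP, "Egress": False, "CidrBlock": "10.0.0.67/32",
     "RuleAction": "allow", "PortRange": {"From": 22, "To": 22}},
]
# Outbound rule for return traffic to clients' ephemeral ports.
EPHEMERAL_OUTBOUND = [
    {"RuleNumber": 100, "Protocol": TCP, "Egress": True, "CidrBlock": "0.0.0.0/0",
     "RuleAction": "allow", "PortRange": {"From": 1024, "To": 65535}},
]
# A deny placed before the HTTPS allow shadows it for every source.
SHADOWED_INBOUND = [
    {"RuleNumber": 50, "Protocol": TCP, "Egress": False, "CidrBlock": "0.0.0.0/0",
     "RuleAction": "deny", "PortRange": {"From": 443, "To": 443}},
] + REMEDIATED_INBOUND


if __name__ == "__main__":
    client, ephemeral = "203.0.113.5", 51000  # constructed client
    print("443 inbound only:", tcp_session_allowed(REMEDIATED_INBOUND, client, ephemeral, 443))
    print("443 inbound + ephemeral outbound:",
          tcp_session_allowed(REMEDIATED_INBOUND + EPHEMERAL_OUTBOUND, client, ephemeral, 443))
    print("SSH from an external host:", first_match(REMEDIATED_INBOUND, False, TCP, 22, client))
    print("SSH from 10.0.0.67:", first_match(REMEDIATED_INBOUND, False, TCP, 22, "10.0.0.67"))
    print("HTTPS with shadowing deny:", first_match(SHADOWED_INBOUND, False, TCP, 443, client))
```

When tightening an existing NACL, pair the inbound change with a check of the outbound rules (and of any lower-numbered DENY rules) so that the remediation does not silently break return traffic or leave a rule that never takes effect.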

Publication date Feb 24, 2017