End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™.

Unrestricted Network ACL Inbound Traffic

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VPC-011

Check your Amazon VPC Network Access Control Lists (NACLs) for inbound ALLOW rules that match all ports, and limit access to the required destination ports or port ranges only, in order to implement the Principle of Least Privilege (POLP) and reduce the possibility of unauthorized access at the subnet level.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

Regulating the inbound/ingress traffic to your VPC subnets by opening only the ports your applications require adds a layer of defense at the subnet boundary, independent of the security groups attached to individual instances, and reduces the subnet's exposure to unwanted traffic and malicious activities such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.


Audit

To determine if your Network ACLs (NACLs) allow inbound traffic on all ports, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

  3. In the navigation panel, under SECURITY, choose Network ACLs.

  4. Select the Network ACL (NACL) that you want to examine.

  5. Choose the Inbound rules tab from the console bottom panel and check the value in the Port Range column for each ALLOW rule. If one or more ALLOW rules show a Port Range of All (the All traffic type) or the full 0 - 65535 range, the selected Amazon VPC Network ACL allows inbound/ingress traffic on all ports, and access to the VPC subnets associated with that Network ACL is not restricted at the port level.

  6. Repeat steps no. 4 and 5 for other Network ACLs available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run describe-network-acls command (OSX/Linux/UNIX) with custom query filters to list the ID of each Network ACL (NACL) available in the selected AWS region:

    aws ec2 describe-network-acls \
      --region us-east-1 \
      --output table \
      --query 'NetworkAcls[*].NetworkAclId'
    
  2. The command output should return a table with the requested NACL IDs:

    ---------------------
    |DescribeNetworkAcls|
    +-------------------+
    |   acl-abcd1234    |
    |   acl-1234abcd    |
    +-------------------+
    
  3. Run describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list all the inbound ALLOW rules defined for the selected NACL:

    aws ec2 describe-network-acls \
      --region us-east-1 \
      --network-acl-ids acl-abcd1234 \
      --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`false`)] | []'
    
  4. The command output should return the ALLOW rule(s) configured for inbound traffic:

    [
        {
            "RuleNumber": 100,
            "Protocol": "-1",
            "Egress": false,
            "CidrBlock": "0.0.0.0/0",
            "RuleAction": "allow"
        }
    ]
    

    Each JSON object returned by the describe-network-acls command output represents an inbound ALLOW rule. A rule with "Protocol": "-1" (all protocols) carries no "PortRange" attribute, as shown in the output example above, and allows inbound/ingress traffic on all ports; a TCP ("6") or UDP ("17") rule whose "PortRange" spans 0 to 65535 is equally unrestricted. In either case, access to the VPC subnets associated with the selected Network ACL (NACL) is not restricted at the port level. (ICMP rules carry an "IcmpTypeCode" instead of a port range and are not covered by this check.)

  5. Repeat steps no. 3 and 4 for other Amazon VPC Network ACLs available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To reconfigure your Network ACL inbound rules so that they allow traffic on specific destination ports or port ranges only, perform the following operations. Keep in mind that Network ACLs are stateless and end with an implicit DENY rule: once the all-ports rule is gone, only the ports you list explicitly are reachable, and replies to connections initiated from inside the subnet are only let back in if an inbound rule covers the ephemeral port range used by those clients (for example 1024 - 65535). Add such a rule alongside the service rules below, and verify connectivity from the subnet before applying the change to production.

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Allow Inbound Traffic on Specific Destination Ports/Port Ranges Only",
        "Resources": {
            "AWSVPCNetwork": {
                "Type": "AWS::EC2::VPC",
                "Properties": {
                    "CidrBlock": "10.0.0.0/16",
                    "EnableDnsHostnames": true,
                    "EnableDnsSupport": true,
                    "InstanceTenancy": "default"
                }
            },
            "VPCNetworkACL": {
                "Type": "AWS::EC2::NetworkAcl",
                "Properties": {
                    "VpcId": { "Ref": "AWSVPCNetwork" }
                }
            },
            "HTTPSTrafficInboundRule": {
                "Type": "AWS::EC2::NetworkAclEntry",
                "Properties": {
                    "NetworkAclId": { "Ref": "VPCNetworkACL" },
                    "RuleNumber": 100,
                    "Protocol": 6,
                    "RuleAction": "allow",
                    "Egress": false,
                    "CidrBlock": "0.0.0.0/0",
                    "PortRange": { "From": 443, "To": 443 }
                }
            },
            "SSHTrafficInboundRule": {
                "Type": "AWS::EC2::NetworkAclEntry",
                "Properties": {
                    "NetworkAclId": { "Ref": "VPCNetworkACL" },
                    "RuleNumber": 200,
                    "Protocol": 6,
                    "RuleAction": "allow",
                    "Egress": false,
                    "CidrBlock": "10.0.0.67/32",
                    "PortRange": { "From": 22, "To": 22 }
                }
            }
        }
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Allow Inbound Traffic on Specific Destination Ports/Port Ranges Only
    Resources:
      AWSVPCNetwork:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 10.0.0.0/16
          EnableDnsHostnames: true
          EnableDnsSupport: true
          InstanceTenancy: default
      VPCNetworkACL:
        Type: AWS::EC2::NetworkAcl
        Properties:
          VpcId: !Ref 'AWSVPCNetwork'
      # Egress defaults to false, so these entries are inbound rules. Protocol 6 is TCP.
      # NACLs are stateless: add a further inbound rule covering the ephemeral port range
      # if hosts in the subnet must receive replies to connections they initiate.
      HTTPSTrafficInboundRule:
        Type: AWS::EC2::NetworkAclEntry
        Properties:
          NetworkAclId: !Ref 'VPCNetworkACL'
          RuleNumber: 100
          Protocol: 6
          RuleAction: allow
          Egress: false
          CidrBlock: '0.0.0.0/0'
          PortRange:
            From: 443
            To: 443
      SSHTrafficInboundRule:
        Type: AWS::EC2::NetworkAclEntry
        Properties:
          NetworkAclId: !Ref 'VPCNetworkACL'
          RuleNumber: 200
          Protocol: 6
          RuleAction: allow
          Egress: false
          CidrBlock: 10.0.0.67/32
          PortRange:
            From: 22
            To: 22
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 4.0"
        }
      }

      required_version = ">= 0.14.9"
    }

    provider "aws" {
      region = "us-east-1"
    }

    resource "aws_vpc" "aws-vpc-network" {
      cidr_block           = "10.0.0.0/16"
      enable_dns_hostnames = true
      enable_dns_support   = true
      instance_tenancy     = "default"
    }

    resource "aws_network_acl" "vpc-network-acl" {
      vpc_id = aws_vpc.aws-vpc-network.id
    }

    # Allow inbound traffic on a specific destination port only (HTTPS, TCP/443 from anywhere).
    # NACLs are stateless: add a separate inbound rule covering the ephemeral port range if
    # hosts in the subnet must receive replies to connections they initiate.
    resource "aws_network_acl_rule" "https-traffic-inbound-rule" {
      network_acl_id = aws_network_acl.vpc-network-acl.id
      rule_number    = 100
      egress         = false
      protocol       = "tcp"
      rule_action    = "allow"
      cidr_block     = "0.0.0.0/0"
      from_port      = 443
      to_port        = 443
    }

    # Allow inbound traffic on a specific destination port only (SSH, TCP/22 from a single host).
    resource "aws_network_acl_rule" "ssh-traffic-inbound-rule" {
      network_acl_id = aws_network_acl.vpc-network-acl.id
      rule_number    = 200
      egress         = false
      protocol       = "tcp"
      rule_action    = "allow"
      cidr_block     = "10.0.0.67/32"
      from_port      = 22
      to_port        = 22
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

  3. In the navigation panel, under SECURITY, choose Network ACLs.

  4. Select the Network ACL (NACL) that you want to reconfigure.

  5. Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

  6. On the Edit inbound rules configuration page, perform the following actions:

    1. Choose the ALLOW rule that you want to reconfigure and change the following attributes:
      • Select a predefined type of traffic from the Type dropdown list, except the All traffic type, which allows inbound/ingress traffic on all ports. For example, to add a rule for HTTPS traffic, choose HTTPS and the AWS console fills in the port number for you. To use a custom protocol, choose the Custom Protocol type and select the desired (supported) protocol from the Protocol dropdown list; for Custom TCP or Custom UDP, enter the destination port or port range that the rule should allow.
      • In the Source box, enter the CIDR range that the rule applies to (e.g. 0.0.0.0/0).
      • Select Allow from the Allow/Deny dropdown list to allow inbound traffic on the specified destination port or port range.
    2. (Optional) To add another ALLOW rule, choose Add new rule and repeat step 1 as required.
    3. Choose Save changes to apply the changes.
  7. Repeat steps no. 4 – 6 to reconfigure other Network ACLs that allow inbound traffic from all ports.

  8. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the inbound/ingress rule(s) that allow traffic from all ports. The following command example replaces a non-compliant inbound ALLOW rule, identified by the rule number 100, with an HTTPS rule that allows access for TCP port 443 only, within a Network ACL identified by the ID acl-abcd1234 (the command does not produce an output):

    aws ec2 replace-network-acl-entry \
      --region us-east-1 \
      --network-acl-id acl-abcd1234 \
      --ingress \
      --rule-number 100 \
      --protocol tcp \
      --port-range From=443,To=443 \
      --cidr-block 0.0.0.0/0 \
      --rule-action allow
    
  2. (Optional) To create additional inbound ALLOW rules for your Network ACL (NACL) run create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates an SSH ingress rule with the identification number set to 200, that allows access for TCP port 22 only, within a NACL identified by the ID acl-1234abcd (the command does not return an output):

    aws ec2 create-network-acl-entry \
      --region us-east-1 \
      --network-acl-id acl-1234abcd \
      --ingress \
      --rule-number 200 \
      --protocol tcp \
      --port-range From=22,To=22 \
      --cidr-block 10.0.0.67/32 \
      --rule-action allow
    
  3. Repeat steps no. 1 and 2 to reconfigure other Amazon VPC Network ACLs that allow ingress traffic from all ports.

  4. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
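The CLI audit steps above (describe-network-acls, then inspecting each inbound ALLOW entry) and the CLI remediation steps (replace-network-acl-entry / create-network-acl-entry) can be combined into one script. The following is an added example written for this page; it is not Conformity's check implementation and not part of any AWS tool. It evaluates the describe-network-acls JSON shape, so a constructed sample response is embedded and the detection runs offline; the remediation first builds the API calls as a plan and only sends them when a boto3 EC2 client is passed in. The function names, the sample data, the rule-number allocation in steps of 100 and the TCP 1024-65535 ephemeral-range rule (added because a stateless NACL would otherwise drop replies to connections the subnet initiates) are the author's own assumptions, not anything the page or AWS prescribes.

```python
"""Audit and remediate VPC-011 (inbound Network ACL rules open on all ports) with Python/boto3."""
import json

# Constructed sample (not real data) in the shape of `aws ec2 describe-network-acls` output.
SAMPLE_RESPONSE = json.loads("""{"NetworkAcls": [
  {"NetworkAclId": "acl-abcd1234", "Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "Egress": false, "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
    {"RuleNumber": 100, "Protocol": "-1", "Egress": true, "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
    {"RuleNumber": 32767, "Protocol": "-1", "Egress": false, "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"}]},
  {"NetworkAclId": "acl-1234abcd", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "Egress": false, "CidrBlock": "0.0.0.0/0", "RuleAction": "allow",
     "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Protocol": "6", "Egress": false, "CidrBlock": "0.0.0.0/0", "RuleAction": "allow",
     "PortRange": {"From": 0, "To": 65535}},
    {"RuleNumber": 120, "Protocol": "1", "Egress": false, "CidrBlock": "0.0.0.0/0", "RuleAction": "allow",
     "IcmpTypeCode": {"Type": -1, "Code": -1}},
    {"RuleNumber": 32767, "Protocol": "-1", "Egress": false, "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"}]}]}""")

PORTLESS = {"1", "58"}                 # ICMP / ICMPv6 entries carry IcmpTypeCode, not ports
PROTO_NUM = {"tcp": "6", "udp": "17"}  # the EC2 API takes protocol numbers as strings
EPHEMERAL = (1024, 65535)              # assumed client (ephemeral) port range for return traffic


def is_all_ports(entry):
    """True for an inbound ALLOW entry that matches every port (the VPC-011 finding).

    Protocol "-1" (all protocols) carries no PortRange, as in the page's CLI output;
    a TCP/UDP rule whose range spans 0-65535 is just as unrestricted. ICMP entries have
    no port concept and are left to other checks.
    """
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    proto = str(entry["Protocol"])
    if proto == "-1":
        return True
    if proto in PORTLESS:
        return False
    pr = entry.get("PortRange")
    return pr is None or (pr["From"] <= 0 and pr["To"] >= 65535)


def find_unrestricted_inbound(response):
    """Audit: [(NetworkAclId, RuleNumber, CidrBlock), ...] for every offending entry."""
    return [(acl["NetworkAclId"], e["RuleNumber"], e.get("CidrBlock") or e.get("Ipv6CidrBlock"))
            for acl in response["NetworkAcls"]
            for e in sorted(acl["Entries"], key=lambda x: x["RuleNumber"])
            if is_all_ports(e)]


def plan_remediation(acl_id, entries, allowed, ephemeral_cidr="0.0.0.0/0"):
    """Remediation plan as [(boto3 EC2 client method name, kwargs), ...].

    allowed: [(cidr, "tcp"|"udp", from_port, to_port), ...] that must stay reachable.
    The first offending rule keeps its number and is replaced in place (rule order matters
    in a NACL); further wanted rules get fresh numbers in steps of 100; leftover offending
    rules are deleted. An inbound rule for the ephemeral range is always appended because
    NACLs are stateless and would otherwise drop replies to connections the subnet opens.
    """
    bad = sorted(e["RuleNumber"] for e in entries if is_all_ports(e))
    used = {e["RuleNumber"] for e in entries if not e.get("Egress")}
    wanted = list(allowed) + [(ephemeral_cidr, "tcp", *EPHEMERAL)]
    plan, next_num = [], 100
    for i, (cidr, proto, lo, hi) in enumerate(wanted):
        kwargs = {"NetworkAclId": acl_id, "Egress": False, "RuleAction": "allow",
                  "Protocol": PROTO_NUM[proto], "CidrBlock": cidr,
                  "PortRange": {"From": lo, "To": hi}}
        if i < len(bad):
            plan.append(("replace_network_acl_entry", {**kwargs, "RuleNumber": bad[i]}))
        else:
            while next_num in used:
                next_num += 100
            used.add(next_num)
            plan.append(("create_network_acl_entry", {**kwargs, "RuleNumber": next_num}))
    for num in bad[len(wanted):]:
        plan.append(("delete_network_acl_entry",
                     {"NetworkAclId": acl_id, "Egress": False, "RuleNumber": num}))
    return plan


def remediate(acl_id, entries, allowed, ec2=None):
    """Print the plan; apply it through a boto3 EC2 client when one is given (dry run otherwise)."""
    plan = plan_remediation(acl_id, entries, allowed)
    for method, kwargs in plan:
        print(f"{'apply' if ec2 else 'dry-run'}: {method}({kwargs})")
        if ec2:
            getattr(ec2, method)(**kwargs)
    return plan


def audit_region(region):
    """Live audit of one region (needs boto3, credentials and ec2:DescribeNetworkAcls)."""
    import boto3  # imported lazily so the offline sample run does not require it
    ec2 = boto3.client("ec2", region_name=region)
    findings = []
    for page in ec2.get_paginator("describe_network_acls").paginate():
        findings.extend(find_unrestricted_inbound(page))
    return findings


if __name__ == "__main__":
    for acl_id, rule, cidr in find_unrestricted_inbound(SAMPLE_RESPONSE):
        print(f"{acl_id}: inbound rule {rule} allows all ports from {cidr}")
    remediate("acl-abcd1234", SAMPLE_RESPONSE["NetworkAcls"][0]["Entries"],
              [("0.0.0.0/0", "tcp", 443, 443), ("10.0.0.67/32", "tcp", 22, 22)])
```

Run as-is for a dry run against the sample; pass `boto3.client("ec2", region_name=...)` as `ec2` to apply the plan, and loop `audit_region` over `ec2.describe_regions()` to cover every region, as the repeat-per-region steps above require. Review the plan output before applying it: the replaced rule keeps its rule number, so any DENY rules with lower numbers still take precedence, while everything not listed falls through to the NACL's final `*` DENY.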


Publication date Feb 24, 2017