End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Unrestricted Network ACL Outbound Traffic

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VPC-010

Check your Amazon VPC Network Access Control Lists (NACLs) for outbound (egress) ALLOW rules that permit traffic to all ports, and restrict egress to the ports your applications actually require, in order to implement the Principle of Least Privilege and reduce the possibility of a breach at the subnet level.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

Controlling the outbound traffic of one or more VPC subnets by opening just the ports required by your applications adds a second, subnet-level layer of filtering on top of the per-instance security groups in your Amazon VPC network. Keep in mind that Network ACLs are stateless: unlike a security group, an outbound rule set must also cover the reply traffic of connections that the subnet accepts inbound (typically the ephemeral port range 1024 - 65535), otherwise those connections break once the all-traffic rule is removed.


Audit

To determine if your Network ACLs (NACLs) allow outbound traffic to all ports, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

  3. In the navigation panel, under SECURITY, choose Network ACLs.

  4. Select the Network ACL (NACL) that you want to examine.

  5. Choose the Outbound rules tab from the console bottom panel and check the value in the Port Range column for each ALLOW rule. If one or more ALLOW rules have the Port Range value set to All (the All traffic type, or a custom protocol without a port range), or a TCP/UDP ALLOW rule covers the full 0 - 65535 range, the selected Amazon VPC Network ACL allows outbound/egress traffic to all ports, so traffic leaving the VPC subnets associated with that Network ACL (NACL) is not restricted by destination port.

  6. Repeat steps no. 4 and 5 for other Network ACLs available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run describe-network-acls command (OSX/Linux/UNIX) with custom query filters to list the ID of each Network ACL (NACL) available in the selected AWS region:

    aws ec2 describe-network-acls \
      --region us-east-1 \
      --output table \
      --query 'NetworkAcls[*].NetworkAclId'
    
  2. The command output should return a table with the requested NACL IDs:

    ---------------------
    |DescribeNetworkAcls|
    +-------------------+
    |   acl-abcd1234    |
    |   acl-1234abcd    |
    +-------------------+
    
  3. Run describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list all the outbound ALLOW rules defined for the selected NACL:

    aws ec2 describe-network-acls \
      --region us-east-1 \
      --network-acl-ids acl-abcd1234 \
      --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`true`)] | []'
    
  4. The command output should return the ALLOW rule(s) configured for outbound traffic:

    [
        {
            "RuleNumber": 100,
            "Protocol": "-1",
            "Egress": true,
            "CidrBlock": "0.0.0.0/0",
            "RuleAction": "allow"
        }
    ]

    Each JSON object returned by the describe-network-acls command output represents an outbound ALLOW rule. A "Protocol" value of "-1" means all protocols, and such a rule never carries a "PortRange" attribute; a TCP ("6") or UDP ("17") rule without a "PortRange" attribute, or with a range from 0 to 65535, is equally unrestricted. In each of these cases, as in the output example above, the rule allows outbound/egress traffic to all ports, so traffic leaving the VPC subnets associated with the selected Network ACL (NACL) is not restricted by destination port. (ICMP rules, "Protocol": "1", carry an "IcmpTypeCode" instead of a "PortRange" and are not a port-range finding.)

  5. Repeat steps no. 3 and 4 for other Amazon VPC Network ACLs available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
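The two-command audit above can be automated across every NACL in a region. The script below is an added example, not part of the original article or of the Conformity product: it applies the same test (an outbound ALLOW entry with no PortRange, or a TCP/UDP range spanning 0 - 65535) to the JSON that describe-network-acls returns, and treats ICMP entries separately because they carry an IcmpTypeCode rather than a port range. The sample NACL data is constructed to match the shape of the describe-network-acls output and does not describe real resources; the scan_region function calls boto3 and is only used when the script is run with --live, which assumes credentials are available in the environment.

```python
"""Flag Amazon VPC Network ACL outbound ALLOW rules that permit all ports (rule VPC-010).

Added example that mirrors the manual audit above. Run stand-alone it scans the constructed
sample below; run with `--live REGION [REGION ...]` it calls describe-network-acls via boto3.
"""
import argparse

# IANA protocol numbers as they appear in the NACL "Protocol" field.
PROTO_ALL, PROTO_ICMP, PROTO_ICMPV6 = "-1", "1", "58"


def is_unrestricted_egress(entry: dict) -> bool:
    """True when an entry is an outbound ALLOW rule that does not limit destination ports.

    Unrestricted shapes:
      * Protocol "-1" (all traffic): never carries a PortRange.
      * Any other protocol with no PortRange, or a range covering 0-65535.
    ICMP/ICMPv6 entries are skipped: they have no ports, so a missing PortRange there
    is not the finding this rule describes (IcmpTypeCode would need its own check).
    """
    if entry.get("RuleAction") != "allow" or not entry.get("Egress", False):
        return False
    proto = str(entry.get("Protocol", ""))
    if proto == PROTO_ALL:
        return True
    if proto in (PROTO_ICMP, PROTO_ICMPV6):
        return False
    rng = entry.get("PortRange")
    if rng is None:
        return True
    return rng.get("From", 0) <= 0 and rng.get("To", 0) >= 65535


def findings(nacl: dict) -> list:
    """Return (nacl_id, rule_number, protocol, destination) for each unrestricted egress rule."""
    out = []
    for e in nacl.get("Entries", []):
        if is_unrestricted_egress(e):
            dest = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
            out.append((nacl["NetworkAclId"], e["RuleNumber"], str(e["Protocol"]), dest))
    return out


def scan_region(region: str) -> list:
    """Live variant: page through describe-network-acls in one region (needs boto3 + credentials)."""
    import boto3  # imported here so the offline sample run has no dependency on boto3
    ec2 = boto3.client("ec2", region_name=region)
    results = []
    for page in ec2.get_paginator("describe_network_acls").paginate():
        for nacl in page["NetworkAcls"]:
            results.extend(findings(nacl))
    return results


# Constructed sample in the shape of `aws ec2 describe-network-acls` output (not real resources).
SAMPLE_NACLS = [
    {
        "NetworkAclId": "acl-abcd1234",
        "Entries": [
            {"RuleNumber": 100, "Protocol": "-1", "Egress": True, "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
            {"RuleNumber": 100, "Protocol": "-1", "Egress": False, "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
            {"RuleNumber": 32767, "Protocol": "-1", "Egress": True, "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
        ],
    },
    {
        "NetworkAclId": "acl-1234abcd",
        "Entries": [
            # TCP with the full 0-65535 range: the console shows a range, but it is still all ports.
            {"RuleNumber": 100, "Protocol": "6", "Egress": True, "CidrBlock": "0.0.0.0/0",
             "RuleAction": "allow", "PortRange": {"From": 0, "To": 65535}},
            # ICMP allow without a PortRange: not a port-range finding.
            {"RuleNumber": 110, "Protocol": "1", "Egress": True, "CidrBlock": "0.0.0.0/0",
             "RuleAction": "allow", "IcmpTypeCode": {"Type": -1, "Code": -1}},
            # Compliant: HTTPS only, to any IPv6 destination.
            {"RuleNumber": 120, "Protocol": "6", "Egress": True, "Ipv6CidrBlock": "::/0",
             "RuleAction": "allow", "PortRange": {"From": 443, "To": 443}},
        ],
    },
]


def main() -> None:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--live", nargs="*", metavar="REGION", help="scan these regions with boto3")
    args = parser.parse_args()
    if args.live:
        results = [f for region in args.live for f in scan_region(region)]
    else:
        results = [f for nacl in SAMPLE_NACLS for f in findings(nacl)]
    for nacl_id, rule, proto, dest in results:
        print(f"{nacl_id}: egress rule {rule} allows protocol {proto} to {dest} on all ports")


if __name__ == "__main__":
    main()
```

Against the constructed sample the script reports rule 100 of acl-abcd1234 (all protocols) and rule 100 of acl-1234abcd (TCP 0 - 65535), and stays silent on the ICMP and HTTPS-only entries; to audit every region, pass the output of `aws ec2 describe-regions` to `--live`.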

Remediation / Resolution

To reconfigure your Network ACL outbound rules so that they allow traffic to a specific destination port or destination port range only, perform the following actions. The examples below open TCP 80 and TCP 53 only; DNS resolvers are queried mostly over UDP port 53, so add a matching UDP 53 rule, and, because Network ACLs are stateless, an ephemeral-port rule (typically TCP 1024 - 65535) for the reply traffic of connections the subnet accepts inbound. Adjust the port list to what your workload actually needs.

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Allow Traffic to Specific Destination Port/Port Range Only",
      "Resources": {
        "AWSVPCNetwork": {
          "Type": "AWS::EC2::VPC",
          "Properties": {
            "CidrBlock": "10.0.0.0/16",
            "EnableDnsHostnames": true,
            "EnableDnsSupport": true,
            "InstanceTenancy": "default"
          }
        },
        "VPCNetworkACL": {
          "Type": "AWS::EC2::NetworkAcl",
          "Properties": {
            "VpcId": {
              "Ref": "AWSVPCNetwork"
            }
          }
        },
        "HTTPTrafficOutboundRule": {
          "Type": "AWS::EC2::NetworkAclEntry",
          "Properties": {
            "NetworkAclId": {
              "Ref": "VPCNetworkACL"
            },
            "RuleNumber": 100,
            "Protocol": 6,
            "RuleAction": "allow",
            "CidrBlock": "0.0.0.0/0",
            "Egress": true,
            "PortRange": {
              "From": 80,
              "To": 80
            }
          }
        },
        "DNSTrafficOutboundRule": {
          "Type": "AWS::EC2::NetworkAclEntry",
          "Properties": {
            "NetworkAclId": {
              "Ref": "VPCNetworkACL"
            },
            "RuleNumber": 200,
            "Protocol": 6,
            "RuleAction": "allow",
            "CidrBlock": "0.0.0.0/0",
            "Egress": true,
            "PortRange": {
              "From": 53,
              "To": 53
            }
          }
        }
      }
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Allow Traffic to Specific Destination Port/Port Range Only
    Resources:
      AWSVPCNetwork:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 10.0.0.0/16
          EnableDnsHostnames: true
          EnableDnsSupport: true
          InstanceTenancy: default
      VPCNetworkACL:
        Type: AWS::EC2::NetworkAcl
        Properties:
          VpcId: !Ref 'AWSVPCNetwork'
      HTTPTrafficOutboundRule:
        Type: AWS::EC2::NetworkAclEntry
        Properties:
          NetworkAclId: !Ref 'VPCNetworkACL'
          RuleNumber: 100
          Protocol: 6
          RuleAction: allow
          CidrBlock: '0.0.0.0/0'
          Egress: true
          PortRange:
            From: 80
            To: 80
      DNSTrafficOutboundRule:
        Type: AWS::EC2::NetworkAclEntry
        Properties:
          NetworkAclId: !Ref 'VPCNetworkACL'
          RuleNumber: 200
          Protocol: 6
          RuleAction: allow
          CidrBlock: '0.0.0.0/0'
          Egress: true
          PortRange:
            From: 53
            To: 53
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 4.0"
        }
      }

      required_version = ">= 0.14.9"
    }

    provider "aws" {
      region = "us-east-1"
    }

    resource "aws_vpc" "aws-vpc-network" {
      cidr_block           = "10.0.0.0/16"
      enable_dns_hostnames = true
      enable_dns_support   = true
      instance_tenancy     = "default"
    }

    resource "aws_network_acl" "vpc-network-acl" {
      vpc_id = aws_vpc.aws-vpc-network.id
    }

    # Allow Traffic to Specific Destination Port/Port Range Only (HTTP Traffic)
    resource "aws_network_acl_rule" "http-egress-rule" {
      network_acl_id = aws_network_acl.vpc-network-acl.id
      rule_number    = 100
      egress         = true
      protocol       = "tcp"
      rule_action    = "allow"
      cidr_block     = "0.0.0.0/0"
      from_port      = 80
      to_port        = 80
    }

    # Allow Traffic to Specific Destination Port/Port Range Only (DNS Traffic)
    resource "aws_network_acl_rule" "dns-egress-rule" {
      network_acl_id = aws_network_acl.vpc-network-acl.id
      rule_number    = 200
      egress         = true
      protocol       = "tcp"
      rule_action    = "allow"
      cidr_block     = "0.0.0.0/0"
      from_port      = 53
      to_port        = 53
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

  3. In the navigation panel, under SECURITY, choose Network ACLs.

  4. Select the Network ACL (NACL) that you want to reconfigure.

  5. Select the Outbound rules tab from the console bottom panel and choose Edit outbound rules.

  6. On the Edit outbound rules configuration page, perform the following operations:

    1. Choose the ALLOW rule that you want to reconfigure and change the following attributes:
      • Select a predefined type of traffic from the Type dropdown list, except the All traffic predefined type, which allows outbound/egress traffic to all ports. For example, to add a rule for HTTP traffic, choose HTTP and the AWS console will fill in the port number for you. To use a custom protocol, choose the Custom Protocol type and select the desired (supported) protocol from the Protocol dropdown list; for Custom TCP or Custom UDP, enter the port or port range explicitly rather than leaving it at 0 - 65535.
      • In the Destination box, enter the CIDR range that the rule applies to (e.g. 0.0.0.0/0).
      • Select Allow from the Allow/Deny dropdown list to allow outbound traffic to the specified destination port or destination port range only.
    2. (Optional) To add another ALLOW rule, choose Add new rule and repeat step 1 as required.
    3. Choose Save changes to apply the changes.
  7. Repeat steps no. 4 – 6 to reconfigure other Network ACLs that allow outbound traffic to all ports.

  8. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the outbound/egress rule(s) that allow traffic to all ports. The following command example replaces a non-compliant outbound ALLOW rule, identified by the number 100, with an HTTP rule that allows access to TCP port 80 only, within a Network ACL identified by the ID acl-abcd1234 (the command does not produce an output):

    aws ec2 replace-network-acl-entry \
      --region us-east-1 \
      --network-acl-id acl-abcd1234 \
      --egress \
      --rule-number 100 \
      --protocol tcp \
      --port-range From=80,To=80 \
      --cidr-block 0.0.0.0/0 \
      --rule-action allow
    
  2. (Optional) To create additional outbound rules for your Network ACL, run create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates a DNS egress rule with the identification number set to 200 that allows access to TCP port 53 only, within a NACL identified by the ID acl-1234abcd (the command does not return an output):

    aws ec2 create-network-acl-entry \
      --region us-east-1 \
      --network-acl-id acl-1234abcd \
      --egress \
      --rule-number 200 \
      --protocol tcp \
      --port-range From=53,To=53 \
      --cidr-block 0.0.0.0/0 \
      --rule-action allow
    
  3. Repeat steps no. 1 and 2 to reconfigure other Amazon VPC Network ACLs that allow egress traffic to all ports.

  4. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
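The replace-network-acl-entry and create-network-acl-entry calls above are easy to get subtly wrong by hand: rule numbers must not collide with existing egress rules, 32767 is reserved for the default deny, and a port allowlist that forgets reply traffic silently breaks inbound services because NACLs are stateless. The script below is an added example, not part of the original article or the Conformity product: given a NACL ID, its current egress rule numbers (as returned by the audit above) and the number of the all-ports rule, it produces the exact keyword arguments for boto3's replace_network_acl_entry and create_network_acl_entry, which are the same parameters the CLI commands take. The default allowlist (HTTP, HTTPS, DNS over UDP and TCP, and the TCP ephemeral range for return traffic), the rule-number spacing of 10 and the acl-abcd1234 example input are this example's own assumptions, not values from the page; apply() only talks to AWS when dry_run is False and credentials are available in the environment.

```python
"""Plan (and optionally apply) the replacement of an all-ports NACL egress rule (rule VPC-010).

Added example, not from the original article. Produces the keyword arguments for boto3's
replace_network_acl_entry / create_network_acl_entry that mirror the CLI commands above.
"""
from dataclasses import dataclass

PROTO_NUMBER = {"tcp": "6", "udp": "17"}  # the API wants IANA protocol numbers as strings
RESERVED_DEFAULT_DENY = 32767             # every NACL ends with this immutable deny-all entry


@dataclass(frozen=True)
class Allow:
    """One permitted outbound flow: protocol, destination port range and destination CIDR."""
    protocol: str   # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: str = "0.0.0.0/0"


# NACLs are stateless: replies to connections the subnet accepts inbound leave on an ephemeral
# port, so without this rule they are dropped once the all-ports rule is gone. 1024-65535 covers
# the Linux, Windows and NAT gateway ephemeral ranges. (Assumed default for this example.)
EPHEMERAL_RETURN = Allow("tcp", 1024, 65535)

# Assumed default allowlist: HTTP/HTTPS, DNS over both transports, plus return traffic.
DEFAULT_ALLOWLIST = (
    Allow("tcp", 80, 80),
    Allow("tcp", 443, 443),
    Allow("udp", 53, 53),   # most resolver traffic is UDP; TCP 53 alone would break DNS
    Allow("tcp", 53, 53),
    EPHEMERAL_RETURN,
)


def entry_kwargs(nacl_id: str, rule_number: int, allow: Allow) -> dict:
    """Keyword arguments shared by replace_network_acl_entry and create_network_acl_entry."""
    return {
        "NetworkAclId": nacl_id,
        "RuleNumber": rule_number,
        "Protocol": PROTO_NUMBER[allow.protocol],
        "RuleAction": "allow",
        "Egress": True,
        "CidrBlock": allow.cidr,
        "PortRange": {"From": allow.from_port, "To": allow.to_port},
    }


def plan(nacl_id: str, existing_egress_rule_numbers, bad_rule_number: int,
         allowlist=DEFAULT_ALLOWLIST, step: int = 10) -> list:
    """Return [(api_method_name, kwargs), ...].

    The offending rule is replaced in place with the first allowlist entry; the remaining entries
    are created on rule numbers not already used by this NACL's egress rules, counting up from
    the replaced rule in steps of `step` and staying below the reserved default-deny entry.
    """
    used = set(existing_egress_rule_numbers)
    if bad_rule_number not in used:
        raise ValueError(f"rule {bad_rule_number} is not an egress rule of {nacl_id}")
    actions = [("replace_network_acl_entry", entry_kwargs(nacl_id, bad_rule_number, allowlist[0]))]
    candidate = bad_rule_number
    for allow in allowlist[1:]:
        candidate += step
        while candidate in used:
            candidate += step
        if candidate >= RESERVED_DEFAULT_DENY:
            raise ValueError("no free rule numbers below the reserved 32767 entry")
        used.add(candidate)
        actions.append(("create_network_acl_entry", entry_kwargs(nacl_id, candidate, allow)))
    return actions


def apply(actions, region: str, dry_run: bool = True) -> int:
    """Execute the plan with boto3 (imported lazily); with dry_run=True the calls are only printed."""
    if dry_run:
        for method, kwargs in actions:
            print(method, kwargs)
        return len(actions)
    import boto3  # assumption: AWS credentials for this region are available in the environment
    ec2 = boto3.client("ec2", region_name=region)
    for method, kwargs in actions:
        getattr(ec2, method)(**kwargs)
    return len(actions)


if __name__ == "__main__":
    # Constructed input: the NACL from the audit output above has egress rules 100 (all ports)
    # and the reserved 32767 deny. Rule 100 becomes TCP 80; the rest land on 110, 120, 130, 140.
    apply(plan("acl-abcd1234", [100, RESERVED_DEFAULT_DENY], 100), region="us-east-1", dry_run=True)
```

Run it once with dry_run=True and compare the printed calls with the CLI commands above before switching dry_run off; because replace_network_acl_entry is applied first, the subnet never has a window with no outbound rule at all, but any service that needs a port outside the allowlist will lose connectivity the moment the plan is applied, so confirm the allowlist against VPC Flow Logs for the subnet first.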

Publication date Feb 24, 2017