Description:
Restricting a subnet's inbound (ingress) traffic to only the ports your applications require reduces the subnet's attack surface, adds a layer of defence to your VPC, and limits the services that can be targeted by malicious activity such as port scanning, brute-force login attempts and Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
Rationale:
Review your AWS Network Access Control Lists (NACLs) for inbound rules that allow traffic on all ports, or on administrative ports such as SSH (TCP 22) from any source (0.0.0.0/0 or ::/0), and restrict access to the required ports or port ranges and to trusted source CIDRs only. This implements the principle of least privilege at the subnet level and reduces the possibility of unauthorized access. Remember that NACLs are stateless and are evaluated in ascending rule-number order: the first rule that matches a packet decides it, so the order of Allow and Deny rules matters as much as their content.
Impact:
If inbound traffic from 0.0.0.0/0 to SSH port 22 is allowed, every instance in the subnet is reachable on that port from the whole Internet, exposing the VPC to malicious activity such as credential brute-forcing and Denial of Service attempts against the SSH service.
Default Value:
Every VPC comes with a default NACL. The default NACL allows all inbound and outbound traffic. A custom NACL that you create denies all inbound and outbound traffic until you add rules.
Pre-Requisites:
Sign in as an administrator, or as an IAM user or role with the required permissions (ec2:DescribeNetworkAcls for the audit; ec2:ReplaceNetworkAclEntry and ec2:CreateNetworkAclEntry for the remediation).
Remediation:
Test Plan:
Sign in to the AWS Management Console.
Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/.
In the left navigation panel, under the SECURITY section, choose Network ACLs.
Select the Network ACL that you want to examine.
Select the Inbound Rules tab from the dashboard bottom panel.
For each inbound rule with an Allow action, check the values in the Source and Port Range columns.
- If any Allow rule permits traffic from 0.0.0.0/0 (or ::/0) to port 22, or to All ports/All traffic, and no lower-numbered Deny rule already covers the same traffic, follow the Implementation steps below.
Using AWS CLI:
aws ec2 describe-network-acls --region <region> --network-acl-ids <value> --query 'NetworkAcls[*].Entries[?Egress==`false`]'
Inspect the returned inbound entries in RuleNumber order. An entry with RuleAction allow, CidrBlock 0.0.0.0/0 (or Ipv6CidrBlock ::/0) and a PortRange that includes 22, or with Protocol -1 (all traffic), is a finding unless a lower-numbered deny entry for the same source and port precedes it.
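The manual check above is easy to get wrong because a NACL is evaluated lowest rule number first and the first match wins, so an Allow for 0.0.0.0/0 that sits behind an earlier Deny is not actually reachable. The following script is an added example, not part of the original page or of any AWS tooling: it walks the inbound entries of a `describe-network-acls` style response in rule order and reports the NACLs where an arbitrary Internet host reaches TCP 22. The NACL IDs, CIDRs and rule sets are constructed sample data; the probe address 198.51.100.7 is a documentation-range address standing in for "an untrusted host" and is an assumption of the example.

```python
"""Audit NACL inbound rules for SSH (tcp/22) reachable from the whole Internet.

Added example (not AWS code): evaluates entries in ascending RuleNumber order,
first match wins, the way the VPC does, over a constructed sample response in
the shape returned by `aws ec2 describe-network-acls` / boto3 describe_network_acls.
"""
import ipaddress
from typing import Optional, Tuple

TCP_PROTO = "6"   # Protocol values are strings in the API: "6" tcp, "17" udp, "-1" all
ALL_PROTO = "-1"


def rule(num, action, egress=False, proto=TCP_PROTO, cidr="0.0.0.0/0", ports=None):
    """Build one NACL entry in describe-network-acls shape (constructed sample data)."""
    entry = {"RuleNumber": num, "Protocol": proto, "RuleAction": action,
             "Egress": egress, "CidrBlock": cidr}
    if ports:
        entry["PortRange"] = {"From": ports[0], "To": ports[1]}
    return entry


# Constructed sample: two NACLs in a fictitious account. IDs are made up.
SAMPLE_RESPONSE = {"NetworkAcls": [
    {"NetworkAclId": "acl-0a1b2c3d4e5f67890", "Entries": [
        rule(100, "allow", ports=(22, 22)),                   # the finding: tcp/22 from anywhere
        rule(32767, "deny", proto=ALL_PROTO),                 # the trailing "*" deny
        rule(100, "allow", egress=True, proto=ALL_PROTO),
        rule(32767, "deny", egress=True, proto=ALL_PROTO),
    ]},
    {"NetworkAclId": "acl-0fedcba9876543210", "Entries": [
        rule(90, "allow", cidr="203.0.113.0/24", ports=(22, 22)),  # trusted bastion range
        rule(100, "deny", ports=(22, 22)),                    # world deny, wins for everyone else
        rule(110, "allow", ports=(443, 443)),
        rule(32767, "deny", proto=ALL_PROTO),
    ]},
]}


def entry_matches(entry: dict, src_ip, port: int) -> bool:
    """True if this entry applies to a TCP packet from src_ip to destination port."""
    # IPv4 entries carry CidrBlock, IPv6 entries Ipv6CidrBlock; never mix versions.
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if cidr is None:
        return False
    net = ipaddress.ip_network(cidr, strict=False)
    if src_ip.version != net.version or src_ip not in net:
        return False
    proto = entry.get("Protocol")
    if proto == ALL_PROTO:
        return True                       # all protocols, all ports
    if proto != TCP_PROTO:
        return False                      # UDP/ICMP rules never match TCP
    port_range = entry.get("PortRange")
    if port_range is None:
        return True                       # tcp with no range means every port
    return port_range["From"] <= port <= port_range["To"]


def ingress_decision(acl: dict, src: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number) of the first inbound rule matching the packet.

    Rules are evaluated lowest RuleNumber first; the first match decides.
    With no match at all (no '*' rule present) the packet is implicitly denied.
    """
    src_ip = ipaddress.ip_address(src)
    inbound = sorted((e for e in acl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for entry in inbound:
        if entry_matches(entry, src_ip, port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None


def world_open_ssh(response: dict, probe_src: str = "198.51.100.7") -> list:
    """IDs of NACLs where an arbitrary Internet source reaches tcp/22.

    probe_src (assumed documentation-range address) stands in for an untrusted host,
    so a 0.0.0.0/0 Allow that is shadowed by an earlier Deny is not reported.
    """
    return [acl["NetworkAclId"] for acl in response["NetworkAcls"]
            if ingress_decision(acl, probe_src, 22)[0] == "allow"]


if __name__ == "__main__":
    for acl_id in world_open_ssh(SAMPLE_RESPONSE):
        print(f"{acl_id}: SSH allowed from 0.0.0.0/0, restrict the source CIDR")
```

Against the sample, only the first NACL is reported: the second one already has the shape the Implementation section aims for, a low-numbered Allow for the trusted range followed by a Deny for everyone else. To run this against a real account, replace SAMPLE_RESPONSE with the parsed output of the describe-network-acls command above; if you allow a range that happens to contain the probe address, pick a different probe outside your trusted CIDRs.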
Implementation:
Sign in to the AWS Management Console.
Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/
Select the Network ACL that you want to reconfigure (see the Test Plan above to identify the right resource).
Select the Inbound Rules tab from the dashboard bottom panel.
Click the Edit inbound rules button
In the Source column, enter the specific IP address or CIDR range that should be allowed to reach the port, set the action to Allow, and give this rule a lower rule number than any rule that denies the same port, so that trusted sources are matched first.
- To block the port from everywhere else, add a rule with source 0.0.0.0/0 (and ::/0 if the subnet has IPv6) and action Deny, using a higher rule number than the trusted Allow. Because the first matching rule wins, a Deny for 0.0.0.0/0 placed before the trusted Allow would block the trusted sources as well.
- Click Save changes.
Using AWS CLI:
aws ec2 replace-network-acl-entry --region <region> --network-acl-id <value> --ingress --rule-number 100 --protocol tcp --port-range From=22,To=22 --cidr-block 0.0.0.0/0 --rule-action deny
replace-network-acl-entry overwrites the inbound entry that has the given rule number, so use the number of the offending rule found in the Test Plan (100 in this example). If administrators still need SSH from a trusted range, first add an Allow for that CIDR with a lower rule number (for example 90) using aws ec2 create-network-acl-entry; otherwise the Deny above blocks them too. NACLs are stateless, so the outbound rules must also permit the ephemeral-port return traffic for any service you keep open.
Backout Plan:
Sign in to the AWS Management Console.
Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/
In the navigation panel, under the SECURITY section, choose Network ACLs.
Select the Network ACL that you want to reconfigure
Select the Inbound Rules tab from the dashboard bottom panel.
Click the Edit inbound rules button and restore the rules to the configuration recorded before the change.
Save the changes.
Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html