Description:
The Network Access Control List (NACL) function provides stateless filtering of inbound/ingress network traffic to AWS resources. Regulating the subnet's inbound/ingress traffic by opening only the ports required by your applications adds a layer of security to your VPC and helps protect against malicious activity such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Rationale:
Check your AWS Network Access Control Lists (NACLs) for inbound rules that allow traffic on all ports, and limit access to the required ports or port ranges only, to implement the principle of least privilege and reduce the possibility of unauthorized access at the subnet level.
Impact:
If inbound/ingress traffic from 0.0.0.0/0 is allowed to Microsoft RDP port 3389, the exposed hosts may be subject to attacks such as Denial of Service.
Default Value:
A VPC automatically comes with a default NACL. By default, NACLs deny all inbound/ingress traffic.
Pre-Requisites:
Sign in as an admin or IAM user with the required permissions.
Remediation:
Test Plan:
Sign in to the AWS Management Console.
Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/.
In the left navigation panel, under the SECURITY section, choose Network ACLs.
Select the Network ACL that you want to examine.
Select the Inbound Rules tab from the dashboard bottom panel.
Verify the value available in the Port Range column for any inbound NACL rules defined.
If you find any rule allowing traffic from 0.0.0.0/0 to RDP port 3389, unrestricted traffic to port 3389 is allowed; follow the Implementation steps below.
Using AWS CLI:
aws ec2 describe-network-acls
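As an added example (not code from the original control or from AWS), the following Python reproduces the Test Plan check over the output of `aws ec2 describe-network-acls`, honouring NACL evaluation order so that a lower-numbered deny correctly shadows a broader allow; the sample data and ACL IDs are constructed.

```python
# Added example (not from the original control): replay a NACL's inbound rules as
# AWS evaluates them (ascending rule number, first match wins, implicit final deny)
# and report NACLs where TCP 3389 from 0.0.0.0/0 ends up allowed. Input shape follows
# `aws ec2 describe-network-acls` (boto3: describe_network_acls()["NetworkAcls"]).
RDP_PORT = 3389
ANY_CIDR = "0.0.0.0/0"


def rule_matches(entry, port, cidr):
    """Does this entry match TCP `port` from an arbitrary source? Only 0.0.0.0/0
    entries cover an arbitrary source, so narrower CIDRs never match."""
    if entry.get("CidrBlock") != cidr:
        return False
    proto = entry["Protocol"]  # "-1" = all protocols, "6" = TCP
    if proto == "-1":
        return True  # all protocols implies all ports
    if proto != "6":
        return False
    port_range = entry.get("PortRange")  # absent means every port
    return port_range is None or port_range["From"] <= port <= port_range["To"]


def effective_action(nacl, port=RDP_PORT, cidr=ANY_CIDR):
    """(action, rule_number) of the first matching inbound entry, else ("deny", None)."""
    inbound = sorted((e for e in nacl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for entry in inbound:
        if rule_matches(entry, port, cidr):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None  # the implicit '*' rule denies anything unmatched


def find_open_rdp(nacls):
    """NetworkAclIds whose effective inbound decision for 0.0.0.0/0 -> 3389 is allow."""
    return [n["NetworkAclId"] for n in nacls if effective_action(n)[0] == "allow"]


SAMPLE_NACLS = [  # constructed sample; the ACL IDs are placeholders
    {"NetworkAclId": "acl-EXAMPLE-open", "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},  # allow-all: RDP reachable from anywhere
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-EXAMPLE-shadowed", "Entries": [
        {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1, "To": 65535}}]},  # shadowed
]

if __name__ == "__main__":
    for nacl in SAMPLE_NACLS:
        print(nacl["NetworkAclId"], effective_action(nacl))
    print("open to RDP from anywhere:", find_open_rdp(SAMPLE_NACLS))
```

To audit a real account, replace SAMPLE_NACLS with the NetworkAcls list from the CLI output or the boto3 call named in the comments.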
Implementation:
Sign in to the AWS Management Console.
Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/.
In the navigation panel, under the SECURITY section, choose Network ACLs.
Select the Network ACL that you want to reconfigure (see the Test Plan (audit) section to identify the right resource).
Select the Inbound Rules tab from the dashboard bottom panel.
Click on the Edit Inbound Rules button.
In the Source column, select the particular IP or range of IPs you need to allow and set the action to Allow; this grants access to trusted IPs only.
Alternatively, if all such traffic needs to be blocked, choose 0.0.0.0/0 as the source and set the action to Deny, so that all IPs are restricted.
Click on Save changes.
Using AWS CLI:
aws ec2 replace-network-acl-entry --region <your-region> --network-acl-id acl-ba5fdb81 --ingress --rule-number 100 --protocol tcp --port-range From=3389,To=3389 --cidr-block 0.0.0.0/0 --rule-action deny
Note that replace-network-acl-entry overwrites the existing entry with that rule number; to add a new rule instead, use create-network-acl-entry with the same options.
Backout Plan:
Sign in to the AWS Management Console.
Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/.
In the navigation panel, under the SECURITY section, choose Network ACLs.
Select the Network ACL that you want to reconfigure (see Test Plan section part I to identify the right resource).
Select the Inbound Rules tab from the dashboard bottom panel.
Click the Edit button to change the current configuration and revert the changes made.
Save the changes.
References:
Control traffic to subnets with Network ACLs - Amazon Virtual Private Cloud