Description:
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Rationale:
You can create Network ACLs and add rules that reflect the role of the instances associated with each Network ACL. For example, an instance configured as a web server needs Network ACL rules that allow inbound HTTP and HTTPS access. Likewise, a database instance needs rules that allow access for the type of database, such as access over port 3306 for MySQL.
Impact:
If Network ACLs are not set up, the subnets lack this additional layer of filtering and are more exposed to attacks.
Default Value:
A VPC automatically comes with a default Network ACL. If you don't specify a different Network ACL when you launch an instance, the default Network ACL is associated with it. By default the Network ACL denies all inbound connections.
Pre-Requisite:
Before starting the implementation steps below, document the required inbound configuration: which source IPs and which ports must be allowed.
Avoid logging in as the root user.
You cannot delete the default Network ACL, but you can edit and modify it; you can also create security groups and define your own rules in them.
Remediation:
Test Plan:
Sign in to the AWS Management Console
Go to VPC console at https://console.aws.amazon.com/vpc/
In the navigation pane, choose Network ACLs under the Security section
Select the Network ACL you want to modify and click the Inbound Rules tab
If you find that all traffic is allowed from source 0.0.0.0/0, follow the remediation steps
Using AWS CLI:
aws ec2 describe-network-acls
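The CLI check above returns JSON that still has to be inspected rule by rule. As an added example (not part of the original benchmark), the function below scans that output for Network ACLs whose inbound rules allow all traffic from 0.0.0.0/0, honouring the fact that NACL rules are evaluated in ascending rule-number order and the first match wins. The two JSON documents are constructed samples in the shape of `aws ec2 describe-network-acls` output; the ACL and VPC IDs in them are placeholders.

```python
import json

# Constructed sample (not real account data) in the shape returned by
# `aws ec2 describe-network-acls`: one NACL wide open inbound, one scoped to DNS.
SAMPLE_OUTPUT = json.dumps({"NetworkAcls": [
    {"NetworkAclId": "acl-0example0001", "VpcId": "vpc-0example", "IsDefault": True,
     "Entries": [
         {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
          "Egress": False, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
          "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-0example0002", "VpcId": "vpc-0example", "IsDefault": False,
     "Entries": [
         {"RuleNumber": 100, "Protocol": "17", "RuleAction": "allow", "Egress": False,
          "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 53, "To": 53}},
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
          "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
]})

# Constructed sample where a lower-numbered deny shadows a later allow-all,
# so the NACL is NOT open despite containing an allow-all entry.
SHADOWED_OUTPUT = json.dumps({"NetworkAcls": [
    {"NetworkAclId": "acl-0example0003", "VpcId": "vpc-0example", "IsDefault": False,
     "Entries": [
         {"RuleNumber": 50, "Protocol": "-1", "RuleAction": "deny",
          "Egress": False, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
          "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
]})


def open_inbound_acls(describe_output: str) -> list:
    """Return IDs of NACLs whose inbound rules allow all traffic from 0.0.0.0/0."""
    findings = []
    for acl in json.loads(describe_output)["NetworkAcls"]:
        # Inbound entries only (Egress is False), in the order AWS evaluates them.
        inbound = sorted((e for e in acl["Entries"] if not e["Egress"]),
                         key=lambda e: e["RuleNumber"])
        for entry in inbound:
            # Only rules covering every protocol from every IPv4 source matter here.
            if entry["Protocol"] != "-1" or entry.get("CidrBlock") != "0.0.0.0/0":
                continue
            if entry["RuleAction"] == "allow":
                findings.append(acl["NetworkAclId"])
            break  # first matching rule (allow or deny) decides for this NACL
    return findings


if __name__ == "__main__":
    print("Open inbound NACLs:", open_inbound_acls(SAMPLE_OUTPUT))
```

On a live account, pipe the real command output into the function instead of the constructed samples.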
Implementation Steps:
Sign in to the AWS Management Console
Go to VPC console at https://console.aws.amazon.com/vpc/
In the navigation pane, choose Network ACLs under the Security section
Select the Network ACL you want to modify and click the Inbound Rules tab
Select the rule and click Edit Inbound Rules on the right side
Select the protocol, enter the source from which the protocol should be allowed, and select Allow
Once that is done, click Save rules.
Using AWS CLI:
aws ec2 replace-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 203.0.113.12/24 --rule-action allow
Backout Plan:
If you want to revert to the previous settings, go through the Implementation Steps section and restore all previous rules. You can delete a Network ACL you created by following these steps:
Open the Amazon VPC console https://console.aws.amazon.com/vpc/
In the navigation pane, choose Network ACLs
Select one or more Network ACLs and choose Network ACL Actions, Delete Network ACL.
In the Delete Network ACL dialog box, choose Yes, Delete
Using AWS CLI:
aws ec2 delete-network-acl --network-acl-id acl-5fb85
Reference: