Profile Applicability:
Level 1
Description:
The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. To minimize exposure, NACLs should not allow unrestricted ingress (0.0.0.0/0) to remote server administration ports, such as:
SSH (Port 22)
RDP (Port 3389)
Other remote administrative ports using:
TCP (Protocol 6)
UDP (Protocol 17)
ALL (-1) protocols
Rationale:
Allowing unrestricted public access to administrative ports (such as SSH on port 22 and RDP on port 3389) significantly increases the attack surface, leading to:
Increased risk of brute force attacks.
Higher chance of unauthorized access.
Potential for resource compromise and data breaches.
Exploitation by automated bots scanning for open ports.
By limiting access to specific trusted IP ranges, organizations can reduce security risks and improve compliance.
Impact:
Failure to restrict NACL rules can lead to unauthorized access attempts from external attackers.
Open administrative ports allow brute-force attacks, malware infiltration, and privilege escalation.
Non-compliance with security policies such as SOC 2, PCI DSS, and CIS Benchmark standards.
Default Value:
By default, AWS does not create explicit allow rules in NACLs.
New VPCs have default deny-all rules for inbound and outbound traffic.
Administrators must manually configure NACL rules for inbound access.
Prerequisites:
AWS CLI Installed (for command-line verification and remediation).
IAM Permissions Required:
ec2:DescribeNetworkAcls (for auditing).
ec2:DeleteNetworkAclEntry (for remediation).
ec2:ReplaceNetworkAclEntry (for updating rules).
Access to AWS Management Console with permissions to modify NACL rules.
Security Group Reviews Completed (Security Groups should also block unrestricted access).
Remediation:
Test Plan:
Using AWS Console
Log in to the AWS VPC Console.
In the left pane, click Network ACLs.
For each Network ACL, perform the following steps:
Select the Network ACL.
Click the Inbound Rules tab.
Ensure no rules exist that:
Have a port range including 22 (SSH) or 3389 (RDP).
Use protocols TCP (6), UDP (17), or ALL (-1).
Have Source 0.0.0.0/0.
Show ALLOW.
Implementation Steps:
Using AWS Console
Log in to the AWS VPC Console.
In the left pane, click Network ACLs.
For each non-compliant ACL, follow these steps:
Select the Network ACL.
Click the Inbound Rules tab.
Click Edit inbound rules.
Update the Source field to a more restricted IP range (e.g., corporate VPN range).
Alternatively, remove the offending rule by clicking Remove.
Click Save.
Backout Plan:
If legitimate users are blocked:
Re-add ACL rules to allow necessary access:
aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --rule-number <rule-number> --protocol 6 --port-range From=22,To=22 --cidr-block <trusted-ip-range> --rule-action allow --ingress
Validate access using SSH or RDP.
Update security groups if alternative remote access methods are available.