Profile Applicability:

Level 1

Description:

The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. To minimize exposure, NACLs should not allow unrestricted ingress (0.0.0.0/0) to remote server administration ports, such as:

  • SSH (Port 22)

  • RDP (Port 3389)

  • Other remote administrative ports using:

    • TCP (Protocol 6)

    • UDP (Protocol 17)

    • ALL (-1) protocols

Rationale:

Allowing unrestricted public access to administrative ports (such as SSH on port 22 and RDP on port 3389) significantly increases the attack surface, leading to:

  • Increased risk of brute force attacks.

  • Higher chance of unauthorized access.

  • Potential for resource compromise and data breaches.

  • Exploitation by automated bots scanning for open ports.

By limiting access to specific trusted IP ranges, organizations can reduce security risks and improve compliance.

Impact:

  • Failure to restrict NACL rules can lead to unauthorized access attempts from external attackers.

  • Open administrative ports allow brute-force attacks, malware infiltration, and privilege escalation.

  • Non-compliance with security policies such as SOC 2, PCI DSS, and CIS Benchmark standards.

Default Value:

By default, AWS does not create explicit allow rules in NACLs.

  • New VPCs have default deny-all rules for inbound and outbound traffic.

  • Administrators must manually configure NACL rules for inbound access.

Pre-Requisites:

  1. AWS CLI Installed (for command-line verification and remediation).

  2. IAM Permissions Required:

    • ec2:DescribeNetworkAcls (for auditing).

    • ec2:DeleteNetworkAclEntry (for remediation).

    • ec2:ReplaceNetworkAclEntry (for updating rules).

  3. Access to AWS Management Console with permissions to modify NACL rules.

  4. Security Group Reviews Completed (Security Groups should also block unrestricted access).

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS VPC Console.

  2. In the left pane, click Network ACLs.

  3. For each Network ACL, perform the following steps:

    • Select the Network ACL.

    • Click the Inbound Rules tab.

    • Ensure no rules exist that:

      • Have a port range including 22 (SSH) or 3389 (RDP).

      • Use protocols TCP (6), UDP (17), or ALL (-1).

      • Have Source 0.0.0.0/0.

      • Show ALLOW.
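The same four checks (inbound, ALLOW, source 0.0.0.0/0, protocol TCP/UDP/ALL reaching port 22 or 3389) applied to the JSON that `aws ec2 describe-network-acls --output json` returns, as an added Python example that is not part of this benchmark. The `SAMPLE` document and the `acl-0aaa`/`acl-0bbb` ids are constructed; with boto3, the `describe_network_acls()` response can be passed to `find_noncompliant` unchanged.

```python
import json

ADMIN_PORTS = (22, 3389)              # SSH, RDP
RISKY_PROTOCOLS = {"6", "17", "-1"}   # TCP, UDP, ALL (strings, as the API returns them)

def entry_exposes_admin_port(entry):
    """True if an inbound ALLOW entry from 0.0.0.0/0 reaches port 22 or 3389."""
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    if entry.get("CidrBlock") != "0.0.0.0/0":
        return False
    if entry.get("Protocol") not in RISKY_PROTOCOLS:
        return False
    port_range = entry.get("PortRange")
    if port_range is None:            # protocol -1 carries no range: every port
        return True
    return any(port_range["From"] <= p <= port_range["To"] for p in ADMIN_PORTS)

def find_noncompliant(describe_output):
    """Return (nacl_id, rule_number, protocol, from, to) for each offending entry."""
    findings = []
    for acl in describe_output["NetworkAcls"]:
        for entry in acl["Entries"]:
            if entry_exposes_admin_port(entry):
                pr = entry.get("PortRange", {"From": 0, "To": 65535})
                findings.append((acl["NetworkAclId"], entry["RuleNumber"],
                                 entry["Protocol"], pr["From"], pr["To"]))
    return findings

# Constructed sample in the shape of `aws ec2 describe-network-acls --output json`
SAMPLE = json.loads("""{"NetworkAcls": [
 {"NetworkAclId": "acl-0aaa", "Entries": [
  {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false,
   "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
  {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": false,
   "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 3389, "To": 3389}},
  {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": true,
   "CidrBlock": "0.0.0.0/0"},
  {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": false,
   "CidrBlock": "0.0.0.0/0"}]},
 {"NetworkAclId": "acl-0bbb", "Entries": [
  {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": false,
   "CidrBlock": "0.0.0.0/0"},
  {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": false,
   "CidrBlock": "0.0.0.0/0"}]}]}""")

if __name__ == "__main__":
    for nacl_id, rule, proto, lo, hi in find_noncompliant(SAMPLE):
        print(f"{nacl_id}: rule {rule} allows 0.0.0.0/0 proto {proto} ports {lo}-{hi}")
```

Only the 0.0.0.0/0 SSH rule and the allow-everything rule are reported; the trusted-range RDP rule, the egress rule and the default deny entries pass.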

Implementation Steps:

Using AWS Console

  1. Log in to the AWS VPC Console.

  2. In the left pane, click Network ACLs.

  3. For each non-compliant ACL, follow these steps:

    • Select the Network ACL.

    • Click the Inbound Rules tab.

    • Click Edit inbound rules.

    • Update the Source field to a more restricted IP range (e.g., corporate VPN range).

    • Alternatively, remove the offending rule by clicking Remove.

    • Click Save.

Backout Plan:

If legitimate users are blocked:

  1. Re-add ACL rules to allow necessary access:

    aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --rule-number <rule-number> --protocol 6 --port-range From=22,To=22 --cidr-block <trusted-ip-range> --rule-action allow --egress false

  2. Validate access using SSH or RDP.

  3. Update security groups if alternative remote access methods are available.

References:

CIS Controls Mapping

  CIS Control Version | Control ID | Control Description
  --------------------|------------|----------------------------------------------------------------
  CIS v7              | 9.2        | Ensure Only Approved Ports, Protocols, and Services Are Running
  CIS v7              | 12.4       | Deny Communication over Unauthorized Ports