Profile Applicability:
Level: 2
Description:
This check ensures that no Network Access Control Lists (NACLs) in your AWS environment allow ingress (incoming) traffic from 0.0.0.0/0 (representing all IPv4 addresses) to port 22 (SSH). Allowing such traffic without restrictions could expose your resources to unauthorized access, making them vulnerable to attacks.
Rationale:
Allowing unrestricted ingress to port 22 (SSH) from any source IP address (0.0.0.0/0) poses significant security risks. SSH is commonly targeted by attackers attempting brute-force attacks or exploiting vulnerabilities. Restricting access to trusted IP addresses or ranges minimizes the risk of unauthorized access to sensitive resources.
Impact:
Security: Unauthorized access to EC2 instances and other resources exposed to the internet can result in data breaches, service disruptions, or system compromises.
Compliance: Failure to restrict high-risk ports may violate security standards and compliance requirements (e.g., PCI DSS, HIPAA, SOC 2).
Service Downtime: An exposed security vulnerability could lead to service outages or security incidents that might affect the availability of your resources.
Default Value:
By default, NACLs deny all inbound traffic. However, custom NACLs or modifications to default NACLs might have rules that allow ingress from 0.0.0.0/0 to port 22.
Pre-Requisites:
AWS Management Console access or AWS CLI installed with appropriate permissions to describe and modify NACL rules.
Familiarity with security best practices and high-risk ports (e.g., port 22 for SSH).
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the VPC dashboard.
In the left-hand menu, under SECURITY, choose Network ACLs.
Select the NACL you want to examine.
Choose the Inbound Rules tab.
Review the Port Range and Source columns for any rules that allow ingress to port 22 from 0.0.0.0/0.
If such a rule exists, it should be modified or removed.
Using AWS CLI:
Run the following command to list, for each NACL, the inbound allow entries whose source is 0.0.0.0/0:
aws ec2 describe-network-acls --query 'NetworkAcls[*].{NetworkAclId:NetworkAclId,Entries:Entries[?Egress==`false` && RuleAction==`allow` && CidrBlock==`0.0.0.0/0`].{RuleNumber:RuleNumber,Protocol:Protocol,PortRange:PortRange,CidrBlock:CidrBlock}}'
Review the output for any entries that allow ingress to port 22 from 0.0.0.0/0: an entry whose PortRange includes 22 (not only From=22,To=22), or whose Protocol is -1 (all traffic, no PortRange), both open port 22.
If such entries exist, they should be modified or removed.
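The same check as an offline script, added here as an example and not part of the benchmark text: it consumes data in the shape returned by aws ec2 describe-network-acls (boto3's ec2.describe_network_acls()["NetworkAcls"]), and goes beyond the console steps above by treating a port range that spans 22 and protocol -1 as matches, and by skipping allow entries that a lower-numbered 0.0.0.0/0 deny makes unreachable. The function names and the acl-EXAMPLE* IDs are constructed for the example.

```python
# Added example (not part of the benchmark): offline check for NACL ingress entries
# opening port 22 to 0.0.0.0/0. Input matches `aws ec2 describe-network-acls` output
# (boto3: ec2.describe_network_acls()["NetworkAcls"]); SAMPLE_ACLS is constructed data.

def covers_tcp_port(entry, port):
    """Protocol is a string: "6" = TCP, "-1" = all traffic (no PortRange key)."""
    if str(entry.get("Protocol")) not in ("6", "-1"):
        return False
    rng = entry.get("PortRange", {"From": 0, "To": 65535})  # -1 means every port
    return rng["From"] <= port <= rng["To"]

def find_open_ssh_entries(network_acls, port=22):
    """Return [(NetworkAclId, RuleNumber)] for ingress ALLOW entries from 0.0.0.0/0
    covering `port`. Entries are evaluated lowest rule number first and the first
    match wins, so allows behind a lower-numbered 0.0.0.0/0 DENY are unreachable."""
    findings = []
    for acl in network_acls:
        ingress = sorted((e for e in acl["Entries"] if not e["Egress"]),
                         key=lambda e: e["RuleNumber"])
        for e in ingress:
            if e.get("CidrBlock") != "0.0.0.0/0" or not covers_tcp_port(e, port):
                continue
            if e["RuleAction"] == "deny":
                break  # explicit deny is hit first for this port and source
            findings.append((acl["NetworkAclId"], e["RuleNumber"]))
    return findings

def entry(rule, action, proto, cidr, lo=None, hi=None, egress=False):
    """Build one entry in describe-network-acls shape (for the sample data)."""
    e = {"RuleNumber": rule, "RuleAction": action, "Protocol": proto,
         "CidrBlock": cidr, "Egress": egress}
    if lo is not None:
        e["PortRange"] = {"From": lo, "To": hi}
    return e

SAMPLE_ACLS = [  # constructed sample data with placeholder NACL IDs
    {"NetworkAclId": "acl-EXAMPLE1", "Entries": [
        entry(100, "allow", "6", "0.0.0.0/0", 22, 22),        # finding: SSH open to all
        entry(110, "allow", "6", "0.0.0.0/0", 443, 443),      # HTTPS only, not a finding
        entry(120, "allow", "6", "10.0.0.0/8", 20, 25),       # trusted range, not a finding
        entry(130, "allow", "-1", "0.0.0.0/0"),               # finding: all ports incl. 22
        entry(100, "allow", "-1", "0.0.0.0/0", egress=True),  # egress: out of scope
        entry(32767, "deny", "-1", "0.0.0.0/0")]},            # default catch-all deny
    {"NetworkAclId": "acl-EXAMPLE2", "Entries": [
        entry(50, "deny", "6", "0.0.0.0/0", 22, 22),          # deny evaluated first...
        entry(100, "allow", "-1", "0.0.0.0/0"),               # ...so this allow is shadowed
        entry(32767, "deny", "-1", "0.0.0.0/0")]},
]
for acl_id, rule in find_open_ssh_entries(SAMPLE_ACLS):
    print(f"{acl_id}: rule {rule} allows ingress to port 22 from 0.0.0.0/0")
```

Each reported (NetworkAclId, RuleNumber) pair is exactly what the delete or replace command in the Implementation Plan needs.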
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the VPC dashboard.
In the left-hand menu, under SECURITY, choose Network ACLs.
Select the NACL you want to modify.
Choose the Inbound Rules tab.
Click Edit inbound rules.
Locate any rule that allows ingress from 0.0.0.0/0 to port 22.
Select the rule and click Delete.
Click Save changes.
Using AWS CLI:
Run the following command to delete the ingress entry that allows access to port 22 from 0.0.0.0/0 (the AWS CLI has no revoke-network-acl-ingress command; NACL entries are removed with delete-network-acl-entry):
aws ec2 delete-network-acl-entry --network-acl-id <nacl-id> --rule-number <rule-number> --ingress
Replace <nacl-id> with your NACL ID and <rule-number> with the rule number of the ingress entry to be deleted. To restrict the rule to a trusted range instead of removing it, use replace-network-acl-entry with the same rule number and a --cidr-block of the trusted range.
Backout Plan:
Using AWS Management Console:
Sign In:
Access the AWS Management Console.
Navigate to Network ACLs:
Go to VPC > Network ACLs.
Identify Modified NACLs:
Locate the NACL where ingress rules for port 22 were restricted.
Add a Rule for Unrestricted Ingress:
Edit the inbound rules and add a rule to allow unrestricted ingress for port 22:
Protocol: TCP
Port Range: 22
Source: 0.0.0.0/0
Rule Action: Allow
Confirm and Save Changes:
Apply the changes and ensure the rule is active.
Validate Functionality:
Test SSH connectivity to ensure access has been restored.
Using AWS CLI:
Identify the Network ACL:
Describe the NACLs and check for changes:
aws ec2 describe-network-acls
Add a Rule to Allow Unrestricted Ingress:
aws ec2 create-network-acl-entry \
--network-acl-id <network-acl-id> \
--rule-number <rule-number> \
--protocol tcp \
--port-range From=22,To=22 \
--cidr-block 0.0.0.0/0 \
--rule-action allow \
--ingress
Validate the Changes:
Recheck the rules to confirm the new entry:
aws ec2 describe-network-acls