Profile Applicability: 

Level 1

Description:

This check ensures that no Network ACLs (NACLs) in your VPC allow inbound traffic from the internet (0.0.0.0/0) to any port. Allowing unrestricted ingress traffic poses significant security risks.

Rationale:

Restricting ingress traffic from the internet enhances security by preventing unauthorized access to your VPC resources. Network ACLs should be configured to allow only necessary and trusted traffic.

Impact:

  • Positive Impact: Improved security by preventing unauthorized access and reducing the attack surface.

  • Negative Impact: Potential disruption for services or applications that rely on public access. Alternatives for secure access must be implemented.

Default Value:

By default, Network ACLs do not allow inbound traffic from the internet. However, explicit rules may have been added.

Pre-Requisite:

  • IAM Permissions: Ensure necessary permissions to view and modify Network ACL rules.

  • AWS Services: VPC, Network ACLs

  • Tools Required: AWS Management Console, AWS CLI

Remediation:

Test plan:

Using AWS Console:

  1. Sign In: Log in to the AWS Management Console.

  2. Navigate to VPC: Go to the VPC console.

  3. In the left navigation pane, choose Network ACLs.

  4. For each Network ACL, review the ingress rules to identify any that allow traffic from 0.0.0.0/0.

  5. Select the Network ACL and click Edit inbound rules.

  6. Remove any rule that allows ingress from 0.0.0.0/0.

  7. Click Save to apply the changes.

Using AWS CLI:

  1. List Network ACLs: Retrieve all Network ACLs and their entries as a JSON array:

aws ec2 describe-network-acls --query "NetworkAcls[*].{ID:NetworkAclId,Entries:Entries}" --output json > /tmp/network-acls.json

  2. Identify Entries with Ingress from 0.0.0.0/0: Keep only the Network ACLs that have at least one inbound allow entry whose source is 0.0.0.0/0. The result is wrapped in an array so the next step can index it:

jq '[.[] | select(any(.Entries[]; .RuleAction == "allow" and .CidrBlock == "0.0.0.0/0" and .Egress == false))]' /tmp/network-acls.json > /tmp/insecure-nacls.json

  3. Remove Ingress Rule: For each identified Network ACL, remove only the inbound entries that allow 0.0.0.0/0. The filter is applied again to the entries so that trusted inbound rules, outbound rules (which share the same rule numbers) and the catch-all rule 32767 are left untouched:

NETWORK_ACL_IDS=$(jq -r '.[].ID' /tmp/insecure-nacls.json)
for ACL_ID in $NETWORK_ACL_IDS; do
    # Rule numbers of the offending inbound entries only
    ENTRIES=$(jq -r --arg ID "$ACL_ID" '.[] | select(.ID == $ID) | .Entries[] | select(.RuleAction == "allow" and .CidrBlock == "0.0.0.0/0" and .Egress == false) | .RuleNumber' /tmp/insecure-nacls.json)
    for ENTRY in $ENTRIES; do
        # --ingress selects the inbound rule with this number
        aws ec2 delete-network-acl-entry --network-acl-id "$ACL_ID" --rule-number "$ENTRY" --ingress
    done
done
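The same check, written here as an added example rather than as part of this control or of any AWS tooling, applied in Python to the JSON document that describe-network-acls returns. The NetworkAcls sample, its ACL ids and address ranges are constructed for the example; the function names (is_open_ingress, find_open_ingress, remediation_commands) are this example's own. It goes slightly beyond the control's text with an optional include_ipv6 switch that treats ::/0 in Ipv6CidrBlock the same way, off by default. The detection ignores deny entries (including the 32767 catch-all) and outbound entries, and the generated commands always carry --ingress, which is what the CLI steps above rely on.

```python
"""Detect Network ACL inbound entries open to 0.0.0.0/0 and build the matching
delete-network-acl-entry commands.

Input is the JSON that `aws ec2 describe-network-acls --output json` returns.
The document below is constructed for this example; the ACL ids and ranges are
placeholders, not real resources.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample in the shape of describe-network-acls output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NetworkAcls": [
        {
            # Shaped like an AWS default NACL: rule 100 allows all traffic in and out,
            # rule 32767 is the catch-all deny (shown as "*" in the console).
            "NetworkAclId": "acl-0exampledefault00",
            "IsDefault": True,
            "Entries": [
                {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
                {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
                {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
                {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
            ],
        },
        {
            # Custom NACL: a trusted range on 443, one world-open rule on 22,
            # and an IPv6 world-open rule on 80.
            "NetworkAclId": "acl-0examplecustom001",
            "IsDefault": False,
            "Entries": [
                {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 443, "To": 443}},
                {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
                {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False, "Ipv6CidrBlock": "::/0", "PortRange": {"From": 80, "To": 80}},
                {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
                {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
            ],
        },
        {
            # Compliant NACL: inbound only from a trusted range.
            "NetworkAclId": "acl-0examplecustom002",
            "IsDefault": False,
            "Entries": [
                {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 443, "To": 443}},
                {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
                {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
            ],
        },
    ]
})


def is_open_ingress(entry: Dict[str, Any], include_ipv6: bool = False) -> bool:
    """True for an inbound *allow* entry whose source is the whole internet.

    Outbound entries and deny entries (including the 32767 catch-all) are never
    findings, whatever their CIDR. ::/0 in Ipv6CidrBlock counts only when
    include_ipv6 is set; the control's own check covers 0.0.0.0/0 only.
    """
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    if entry.get("CidrBlock") == "0.0.0.0/0":
        return True
    return bool(include_ipv6 and entry.get("Ipv6CidrBlock") == "::/0")


def find_open_ingress(describe_json: str, include_ipv6: bool = False) -> List[Tuple[str, int]]:
    """Return (NetworkAclId, RuleNumber) for every offending inbound entry."""
    doc = json.loads(describe_json)
    findings: List[Tuple[str, int]] = []
    for acl in doc.get("NetworkAcls", []):
        for entry in acl.get("Entries", []):
            if is_open_ingress(entry, include_ipv6):
                findings.append((acl["NetworkAclId"], entry["RuleNumber"]))
    return findings


def remediation_commands(findings: List[Tuple[str, int]]) -> List[str]:
    """One delete-network-acl-entry command per finding. --ingress selects the
    inbound rule with that number; inbound and outbound numbers are independent."""
    return [
        f"aws ec2 delete-network-acl-entry --network-acl-id {acl_id} "
        f"--rule-number {rule} --ingress"
        for acl_id, rule in findings
    ]


if __name__ == "__main__":
    # Print the commands for review instead of running them.
    for line in remediation_commands(find_open_ingress(SAMPLE_DESCRIBE_OUTPUT)):
        print(line)
```

Run against the constructed sample, the check flags rule 100 on the default-style NACL and rule 110 on the custom one, and nothing on the compliant one. Deleting rule 100 from a default NACL leaves only the catch-all deny inbound for every subnet still associated with it, which is the service disruption named under Impact; re-adding rules for trusted ranges (the Backout Plan command) before or immediately after the deletion is the way to avoid it.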

Implementation:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Go to the VPC console by selecting "Services" and then choosing "VPC" from the dropdown menu.

  3. Select Network ACLs: In the left navigation pane, choose Network ACLs.

  4. Review Ingress Rules: For each Network ACL, review the ingress rules to identify any that allow traffic from 0.0.0.0/0.

  5. Edit Ingress Rules: Select the Network ACL and click Edit inbound rules.

  6. Remove Ingress Rule: Remove any rule that allows ingress from 0.0.0.0/0.

  7. Save Changes: Click Save to apply the changes.

Backout Plan:

  • Revert Ingress Rules: If issues arise after removing the ingress rules, re-add the rules allowing ingress from trusted IP ranges only.

  • Restore Configuration: Use saved Network ACL configurations (for example the /tmp/network-acls.json export from the test plan) to reapply previous settings if needed. One inbound entry is recreated per command; --ingress marks it as an inbound rule:

aws ec2 create-network-acl-entry --network-acl-id <NetworkAclId> --rule-number <RuleNumber> --protocol <Protocol> --rule-action allow --ingress --cidr-block <TrustedIpRange> --port-range From=<PortRangeFrom>,To=<PortRangeTo>

References:

CIS Controls Mapping:

  Control Version   Control ID   Control Description
  v8                3.4          Ensure the use of secure network configurations for all endpoints.
  v8                4.3          Limit the attack surface by minimizing the number of open network ports.