Profile Applicability

  • Level 1

Description:

Network Access Control Lists (NACLs) are used in AWS VPCs to provide an additional layer of security by controlling inbound and outbound traffic at the subnet level. Changes to NACLs, such as modifications to rules, addition of new rules, or deletion of rules, can impact the security posture of the entire VPC and the resources within it.

Monitoring NACL changes is essential for detecting unauthorized or unintended modifications to traffic rules that could expose resources to malicious traffic. By enabling monitoring for NACL changes using AWS CloudTrail, you can track all modifications and ensure that the security configuration of your VPC remains consistent with your security policies.

Rationale:

Monitoring changes to NACLs provides the following benefits:

  • Security: Helps detect unauthorized or accidental changes to NACLs that could expose VPC subnets to unwanted traffic.

  • Compliance: Meets security best practices and regulatory requirements for tracking changes to network security configurations.

  • Auditability: Provides a full audit trail of changes made to NACLs, helping ensure accountability for network security modifications.

  • Proactive management: Enables early detection of misconfigurations or unauthorized changes to NACLs before they can be exploited.

Without monitoring, unauthorized or accidental NACL changes may go undetected, leading to security vulnerabilities or network disruptions.

Impact:

Failure to monitor NACL changes can result in:

  • Unauthorized access: Malicious or unauthorized modifications to NACLs may allow unwanted traffic to reach critical resources.

  • Network misconfigurations: Changes to NACL rules could inadvertently block legitimate traffic or allow dangerous traffic to enter your network.

  • Non-compliance: Violates security standards and compliance regulations requiring tracking and monitoring of network access controls.

  • Increased attack surface: Changes that are not tracked could expose your environment to network-based attacks or misconfigurations.

By ensuring that NACL changes are monitored, you can maintain tighter control over network traffic and prevent security breaches.

Default Value:

By default, AWS does not automatically monitor changes to NACLs unless CloudTrail is explicitly configured to log these events. Organizations must enable CloudTrail and configure event logging to capture NACL modifications.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • cloudtrail:CreateTrail

    • cloudtrail:DescribeTrails

    • cloudtrail:PutEventSelectors

    • cloudtrail:StartLogging

  • AWS CloudTrail should be enabled to capture NACL changes in your environment

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the AWS CloudTrail Console.

  2. Verify that CloudTrail is enabled and configured to log changes to Network Access Control Lists.

  3. Review the Event History in CloudTrail for any recorded changes to NACLs, such as CreateNetworkAcl, ModifyNetworkAcl, DeleteNetworkAcl, etc.

Using AWS CLI:

aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>']" --output table

To ensure that CloudTrail is capturing NACL-related events:

aws cloudtrail get-event-selectors --trail-name <trail-name> --output table

Implementation Plan:

Using AWS Console:

  1. Enable CloudTrail to log NACL changes:

    • Go to the CloudTrail Console.

    • Create a new trail or modify an existing trail to ensure Management Events are enabled for logging.

    • Enable Global service events to ensure that NACL changes, such as rule modifications, are captured across all AWS regions.

  2. Verify that NACL changes are being captured:

    • After enabling the trail, check the Event history in CloudTrail for NACL changes, including events like CreateNetworkAcl, DeleteNetworkAcl, or ModifyNetworkAcl.

Using AWS CLI:

  1. Enable CloudTrail for logging NACL changes:

aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --include-global-service-events

  2. Verify event selectors for NACL-related activities:

aws cloudtrail get-event-selectors --trail-name <trail-name> --output table

  3. Check CloudTrail for NACL events:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com --query "Events[?EventName=='CreateNetworkAcl' || EventName=='ModifyNetworkAcl' || EventName=='DeleteNetworkAcl']" --output table
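The checks above can be automated once the CLI output is in hand. The following added example (not part of this benchmark page or of any AWS tooling) takes the JSON from describe-trails, get-event-selectors and lookup-events and does two things: reports configuration gaps that would leave NACL changes unlogged, and reduces event records to NACL-change alerts. It goes beyond the page's event list by also matching the rule-level EC2 actions (CreateNetworkAclEntry, DeleteNetworkAclEntry, ReplaceNetworkAclEntry, ReplaceNetworkAclAssociation), which is how individual rule edits appear in CloudTrail; the trail, selectors and events are constructed sample data, and because NACL calls are regional EC2 management events the gap check looks at IsMultiRegionTrail and the management-event selector.

```python
import json

# NACL lifecycle events named on this page plus the rule-level EC2 actions, which are
# how individual rule additions, replacements and deletions appear in CloudTrail.
NACL_EVENT_NAMES = {
    "CreateNetworkAcl", "DeleteNetworkAcl", "CreateNetworkAclEntry",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}

def trail_gaps(trail, selectors):
    """Return configuration gaps for one trail (an entry of describe-trails 'trailList')
    and its 'EventSelectors' (from get-event-selectors). An empty list means NACL calls
    are logged in every region: NACL calls are regional EC2 management events, so the
    trail must be multi-region and must record management write events."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("single-region trail: NACL changes in other regions are not logged")
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") in ("All", "WriteOnly")
               for s in selectors):
        gaps.append("no event selector records management write events")
    return gaps

def find_nacl_changes(events):
    """Reduce lookup-events 'Events' records to NACL changes, one alert per matching record."""
    alerts = []
    for ev in events:
        if ev.get("EventSource") != "ec2.amazonaws.com" or ev.get("EventName") not in NACL_EVENT_NAMES:
            continue
        detail = json.loads(ev["CloudTrailEvent"])  # the full record is a JSON string
        params = detail.get("requestParameters") or {}
        alerts.append({
            "event": ev["EventName"],
            "actor": detail.get("userIdentity", {}).get("arn", "unknown"),
            "acl": params.get("networkAclId"),
            "source_ip": detail.get("sourceIPAddress"),
        })
    return alerts

# Constructed sample data (not real account output): a single-region trail and two records.
SAMPLE_TRAIL = {"Name": "example-trail", "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True}
SAMPLE_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True}]
SAMPLE_EVENTS = [
    {"EventName": "ReplaceNetworkAclEntry", "EventSource": "ec2.amazonaws.com",
     "CloudTrailEvent": json.dumps({"userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
                                    "sourceIPAddress": "198.51.100.10",
                                    "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100}})},
    {"EventName": "DescribeNetworkAcls", "EventSource": "ec2.amazonaws.com",
     "CloudTrailEvent": json.dumps({"userIdentity": {"arn": "arn:aws:iam::111122223333:role/reader"}})},
]

if __name__ == "__main__":
    for gap in trail_gaps(SAMPLE_TRAIL, SAMPLE_SELECTORS):
        print("CONFIG GAP:", gap)
    for alert in find_nacl_changes(SAMPLE_EVENTS):
        print("NACL CHANGE:", alert)
```

Feed it real output with `aws cloudtrail lookup-events --output json` and the read-only DescribeNetworkAcls calls drop out while every rule edit is attributed to a principal and source address.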

Backout Plan:

Using AWS Console:

  1. If enabling CloudTrail causes performance or logging issues:

    • Go to the CloudTrail Console.

    • Disable the trail temporarily or modify the logging configuration to reduce the scope of events being tracked if necessary.

  2. Review CloudTrail configuration to ensure it is optimized for performance while still capturing necessary NACL changes.

Using AWS CLI:

  1. Stop CloudTrail logging temporarily if issues arise:

aws cloudtrail stop-logging --name <trail-name>

  2. Re-enable CloudTrail logging once the issue is resolved:

aws cloudtrail start-logging --name <trail-name>

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|--------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services