Profile Applicability
- Level 1
Description:
Network Access Control Lists (NACLs) in AWS are used to control traffic to and from subnets within a VPC. The default NACL that AWS creates with each VPC allows inbound and outbound traffic on all ports from any IP address (0.0.0.0/0). This unrestricted access poses a serious security risk, especially for remote administration services such as SSH (port 22) and RDP (port 3389), which are frequently targeted by malicious actors.
It is essential to ensure that NACLs do not allow ingress from 0.0.0.0/0 to remote server administration ports, thereby securing access to these critical ports. Only trusted IP addresses or address ranges should be allowed access to such ports.
Rationale:
Blocking ingress from 0.0.0.0/0 to remote server administration ports provides the following benefits:
Security: Prevents unauthorized access to critical services like SSH and RDP from the public internet, which reduces the risk of brute-force and other types of attacks.
Compliance: Helps meet security best practices and regulatory requirements, which mandate that access to administration ports be strictly controlled.
Minimized attack surface: By restricting traffic to only trusted IP addresses or ranges, the attack surface is reduced, making it harder for attackers to exploit exposed ports.
Controlled access: Ensures that only trusted and authorized networks can interact with sensitive server administration interfaces.
Without restricting ingress from 0.0.0.0/0, critical server administration ports are exposed to the public internet, increasing the likelihood of attacks.
Impact:
Failure to block ingress from 0.0.0.0/0 to remote administration ports through NACLs can result in:
Unauthorized access: If remote administration ports are exposed to the internet, attackers can attempt unauthorized access.
Increased security risk: Unrestricted access increases the risk of successful brute-force attacks or exploitation of known vulnerabilities in SSH or RDP services.
Non-compliance: Violates security best practices and compliance standards that require restricting access to remote administration ports.
By ensuring that NACLs restrict all ingress from 0.0.0.0/0 to these ports, the security of the VPC is significantly improved.
Default Value:
By default, the NACL that AWS creates with each VPC allows all inbound and outbound traffic, including unrestricted access from 0.0.0.0/0 to remote administration ports. This default configuration should be modified to restrict ingress to trusted sources.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
ec2:DescribeNetworkAcls
ec2:DeleteNetworkAclEntry
ec2:CreateNetworkAclEntry
NACLs should be configured to restrict access to sensitive server administration ports
Remediation:
Test Plan:
Using AWS Console:
Go to the VPC Console.
Navigate to Network ACLs and review the inbound rules.
Identify any NACLs that allow ingress from 0.0.0.0/0 to remote administration ports (e.g., port 22 for SSH or port 3389 for RDP).
Modify the NACL to restrict ingress from 0.0.0.0/0 and ensure that only trusted IP addresses can access these ports.
Using AWS CLI:
To list NACLs that have any entry for 0.0.0.0/0 (note that the final deny-all entry, rule 32767, is present in every NACL and also matches, so this query returns every NACL):
aws ec2 describe-network-acls --query "NetworkAcls[?Entries[?CidrBlock=='0.0.0.0/0']].NetworkAclId" --output table
To check whether any NACL has an inbound allow rule from 0.0.0.0/0 (then inspect the PortRange of each matching entry for the remote server administration ports):
aws ec2 describe-network-acls --query "NetworkAcls[?Entries[?Egress==\`false\` && RuleAction=='allow' && CidrBlock=='0.0.0.0/0']].NetworkAclId" --output table
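The JMESPath filters above cannot test port ranges or rule order, so a NACL with a lower-numbered deny, or an allow for an unrelated port, looks the same as one that exposes SSH. As an added example (not part of this benchmark), the following Python evaluates saved `aws ec2 describe-network-acls --output json` data the way the VPC does: ingress entries in ascending RuleNumber, first match wins, implicit final deny, with protocol -1 (all traffic) and IPv6 ::/0 handled. The NACL IDs and entries in SAMPLE are constructed.

```python
ADMIN_PORTS = (22, 3389)            # remote server administration ports
ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # "from anywhere", IPv4 and IPv6

def entry_covers_port(entry, port):
    """True if a NACL entry matches TCP traffic to `port`."""
    proto = str(entry.get("Protocol"))
    if proto == "-1":                 # all traffic: no PortRange present
        return True
    if proto != "6":                  # not TCP
        return False
    rng = entry.get("PortRange")
    return rng is None or rng["From"] <= port <= rng["To"]

def exposed_admin_ports(nacl):
    """Admin ports that an allow-from-anywhere entry opens before a deny-from-
    anywhere entry closes them (ascending RuleNumber, first match wins, implicit
    final deny). Narrower-source entries cannot settle it for every source."""
    ingress = sorted((e for e in nacl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    exposed = []
    for port in ADMIN_PORTS:
        for e in ingress:
            src = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
            if src in ANY_SOURCE and entry_covers_port(e, port):
                if e["RuleAction"] == "allow":
                    exposed.append(port)
                break                 # first from-anywhere match decides
    return exposed

def findings(describe_output):
    """Map NetworkAclId -> exposed admin ports, for NACLs that have any."""
    return {n["NetworkAclId"]: ports for n in describe_output["NetworkAcls"]
            if (ports := exposed_admin_ports(n))}

SAMPLE = {"NetworkAcls": [  # constructed, in describe-network-acls JSON shape
  {"NetworkAclId": "acl-0example0000000001", "Entries": [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 110, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"}]},
  {"NetworkAclId": "acl-0example0000000002", "Entries": [
    {"RuleNumber": 50, "Egress": False, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print(findings(SAMPLE))  # {'acl-0example0000000001': [22], 'acl-0example0000000002': [3389]}
```

In the sample, the first NACL exposes only SSH (RDP is limited to 203.0.113.0/24), while the second denies SSH at rule 50 but its allow-all rule 100 still exposes RDP.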
Implementation Plan:
Using AWS Console:
Modify the NACL to block ingress from 0.0.0.0/0:
Go to the VPC Console.
In the Network ACLs section, select the NACL associated with the VPC.
Modify the Inbound Rules to remove any rules that allow ingress from 0.0.0.0/0 to ports such as SSH (22) or RDP (3389).
Add restrictive rules that only allow traffic from trusted IP addresses.
Verify the changes:
After modifying the rules, ensure that the NACL no longer allows ingress from 0.0.0.0/0 to remote administration ports.
Using AWS CLI:
Revoke ingress from 0.0.0.0/0 on remote administration ports (NACL entries are removed by rule number; take <rule-number> for each offending entry from the Entries list in the describe-network-acls output):
aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number-of-port-22-entry>
aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number-of-port-3389-entry>
Add more restrictive ingress rules (<trusted-ip-range> in CIDR notation, for example a /32 for a single host; each rule number must be unique within the NACL):
aws ec2 create-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number> --protocol tcp --port-range From=22,To=22 --cidr-block <trusted-ip-range> --rule-action allow
aws ec2 create-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number> --protocol tcp --port-range From=3389,To=3389 --cidr-block <trusted-ip-range> --rule-action allow
Verify the NACL configuration (any NACL still listed must be inspected to confirm that none of its inbound allow entries from 0.0.0.0/0 covers port 22 or 3389):
aws ec2 describe-network-acls --query "NetworkAcls[?Entries[?Egress==\`false\` && RuleAction=='allow' && CidrBlock=='0.0.0.0/0']].NetworkAclId" --output table
Backout Plan:
Using AWS Console:
If modifying the NACL causes connectivity issues:
Go to the VPC Console.
Revert the changes to allow ingress from 0.0.0.0/0 to remote administration ports (SSH or RDP) temporarily if needed for troubleshooting.
Modify the rules to allow more restrictive access as necessary.
Revert security group settings to ensure only trusted IP addresses are allowed to connect to sensitive ports.
Using AWS CLI:
Revert ingress rules temporarily (re-create the allow entries from 0.0.0.0/0 with unused rule numbers):
aws ec2 create-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number> --protocol tcp --port-range From=22,To=22 --cidr-block 0.0.0.0/0 --rule-action allow
aws ec2 create-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number> --protocol tcp --port-range From=3389,To=3389 --cidr-block 0.0.0.0/0 --rule-action allow
Revert to restrictive access rules once issues are resolved (delete the temporary entries by their rule numbers):
aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number-of-port-22-entry>
aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number-of-port-3389-entry>