This rule ensures that Network ACLs do not permit traffic from 0.0.0.0/0 to specific ports.
| Rule | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 |
| --- | --- |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ Medium |
Rule Description
This rule ensures that the Network Access Control Lists (ACLs) in an AWS environment do not permit incoming traffic from any source IP address (0.0.0.0/0) to port 22 (SSH) or port 3389 (RDP). This is a best practice recommended by AWS for enhanced security and mitigating the risk of unauthorized access to sensitive resources.
Troubleshooting Steps
If your Network ACLs allow inbound traffic from 0.0.0.0/0 to port 22 or port 3389, it can pose a potential security risk as it allows unrestricted access to SSH and RDP services. Troubleshooting steps to address this issue are as follows:
1. Identify affected Network ACL:
2. Identify associated subnets:
3. Review Network ACL rules:
4. Update Network ACL rules:
Necessary Codes (if applicable)
In order to modify the Network ACL rules, you need to use AWS Command Line Interface (CLI) or AWS SDKs. Here is an example of how you can update the Network ACL rules using AWS CLI:
$ aws ec2 replace-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number> --protocol <protocol> --port-range From=<from-port>,To=<to-port> --cidr-block 0.0.0.0/0 --rule-action deny
Please replace the placeholders with the actual values:
- <network-acl-id>: ID of the Network ACL you want to modify.
- <rule-number>: The rule number of the specific ingress rule to be updated. This can be obtained from the AWS Management Console.
- <protocol>: The protocol you want to restrict (e.g., tcp).
- <from-port>: The starting port number for the rule.
- <to-port>: The ending port number for the rule.

Execute the above command for each rule that allows ingress from 0.0.0.0/0 to either port 22 or port 3389. Note that `replace-network-acl-entry` replaces the whole entry, so pass the rule's own protocol and port range with the action changed to deny. Because Network ACL rules are evaluated in ascending rule-number order and the final catch-all rule (32767) denies anything not matched earlier, deleting the entry with `aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number>` has the same effect.
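The following is an added example, not code from the original page or from AWS: it implements the "Identify affected Network ACL" and "Review Network ACL rules" troubleshooting steps over the JSON shape returned by `aws ec2 describe-network-acls` (or boto3's `describe_network_acls`), and then renders the `replace-network-acl-entry` command above for each offending entry. The input is a constructed sample response with placeholder ACL IDs; the evaluation mirrors how Network ACLs work (ingress entries checked in ascending rule number, first match wins, protocol `-1` means all traffic and carries no `PortRange`), and treats an entry as "world-open" only when its source is `0.0.0.0/0` or `::/0`. The function names are my own.

```python
"""Find Network ACL ingress entries that allow 0.0.0.0/0 or ::/0 to reach
TCP port 22 (SSH) or 3389 (RDP) and build a remediation command per entry.
Added example for this rule page; the sample data below is constructed."""
import json

TARGET_PORTS = (22, 3389)
WILDCARD_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed sample (placeholder ACL IDs, not real account data):
#  - acl-...01 opens SSH to every IPv4 source and everything to every IPv6 source
#  - acl-...02 has a world-wide allow for all TCP ports, but SSH is shadowed by
#    an earlier deny, so only RDP is reported
SAMPLE_RESPONSE = json.loads("""
{"NetworkAcls": [
  {"NetworkAclId": "acl-0example00000001", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 110, "Protocol": "-1", "RuleAction": "allow", "Egress": false,
     "Ipv6CidrBlock": "::/0"},
    {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": false,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": true,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": false,
     "CidrBlock": "0.0.0.0/0"}]},
  {"NetworkAclId": "acl-0example00000002", "Entries": [
    {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": false,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": false,
     "CidrBlock": "0.0.0.0/0"}]}
]}
""")


def _source_for(entry):
    """Return (address family, source CIDR) for an ACL entry."""
    if "CidrBlock" in entry:
        return "ipv4", entry["CidrBlock"]
    return "ipv6", entry.get("Ipv6CidrBlock")


def _entry_covers_port(entry, port):
    """True if the entry matches TCP traffic to `port`."""
    proto = entry.get("Protocol")
    if proto == "-1":  # all protocols and ports; no PortRange key present
        return True
    if proto != "6":  # SSH and RDP are TCP; UDP/ICMP rules are irrelevant here
        return False
    pr = entry.get("PortRange")
    return pr is None or pr["From"] <= port <= pr["To"]


def find_open_admin_ports(acl):
    """Evaluate one ACL the way the VPC does: ingress entries in ascending
    rule-number order, first entry matching the traffic decides. Only entries
    whose source is the whole address family (0.0.0.0/0 or ::/0) can match
    'any source', so those are the only ones consulted."""
    findings = []
    ingress = sorted((e for e in acl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for family in ("ipv4", "ipv6"):
        for port in TARGET_PORTS:
            for entry in ingress:
                fam, cidr = _source_for(entry)
                if fam != family or cidr not in WILDCARD_SOURCES:
                    continue
                if not _entry_covers_port(entry, port):
                    continue
                if entry["RuleAction"] == "allow":
                    findings.append({"acl": acl["NetworkAclId"], "port": port,
                                     "rule": entry["RuleNumber"], "entry": entry})
                break  # first matching rule decides; later rules never run
    return findings


def scan(response):
    """Run the check over a full describe-network-acls response."""
    return [f for acl in response["NetworkAcls"] for f in find_open_admin_ports(acl)]


def remediation_command(acl_id, entry):
    """Render the page's replace-network-acl-entry call for one entry: same
    rule number, protocol, port range and source, action flipped to deny."""
    fam, cidr = _source_for(entry)
    parts = ["aws", "ec2", "replace-network-acl-entry", "--network-acl-id", acl_id,
             "--ingress", "--rule-number", str(entry["RuleNumber"]),
             "--protocol", entry["Protocol"],
             "--cidr-block" if fam == "ipv4" else "--ipv6-cidr-block", cidr,
             "--rule-action", "deny"]
    pr = entry.get("PortRange")
    if pr is not None:  # protocol -1 entries carry no port range
        parts += ["--port-range", f"From={pr['From']},To={pr['To']}"]
    return " ".join(parts)


def remediation_commands(findings):
    """One command per offending entry, deduplicated when one entry opens both ports."""
    seen, cmds = set(), []
    for f in findings:
        key = (f["acl"], f["rule"])
        if key not in seen:
            seen.add(key)
            cmds.append(remediation_command(f["acl"], f["entry"]))
    return cmds


if __name__ == "__main__":
    results = scan(SAMPLE_RESPONSE)
    for f in results:
        print(f"{f['acl']}: rule {f['rule']} allows any source to port {f['port']}")
    for cmd in remediation_commands(results):
        print(cmd)
```

To run it against a real account, replace `SAMPLE_RESPONSE` with the parsed output of `aws ec2 describe-network-acls`; the "Identify associated subnets" step is covered by the `Associations` list in the same response, which this example does not inspect.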
Remediation Steps
Follow the steps below to remediate the issue and meet the AWS best practice:
1. Log in to the AWS Management Console.
2. Go to the Amazon VPC service.
3. Identify the Network ACL that needs modification.
4. Review the inbound rules for the Network ACL.
5. Remove any rules that permit ingress from 0.0.0.0/0 to port 22 or port 3389.
6. Save the changes.
7. Verify the Network ACL changes by testing connectivity to port 22 and port 3389 from outside the allowed IP ranges.
8. If necessary, update the rules to allow access to these ports from specific trusted IP ranges.
9. Regularly review and update Network ACLs to ensure ongoing security compliance.
Note: It is essential to consider the impact of modifying Network ACL rules on your environment and ensure that valid and secure access is maintained while restricting unauthorized access.