This rule ensures that no Network ACL allows ingress from 0.0.0.0/0 to remote server administration ports.

| Rule | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports |
| --- | --- |
| Framework | cis_v140 |
| Severity | ✔ Critical |
Ensure No Network ACLs Allow Ingress From 0.0.0.0/0 to Remote Server Administration Ports
Network Access Control Lists (ACLs) are an essential layer of security within an AWS environment that act as a firewall for controlling traffic in and out of one or more subnets. To maintain a strong security posture, it is considered a best practice to restrict unsolicited ingress traffic from the open internet (0.0.0.0/0) to remote server administration ports.
Description of the Rule
This rule aims to prevent unrestricted access to ports that are commonly used for remote server administration, such as SSH (port 22) on Linux servers and RDP (port 3389) on Windows servers. Allowing unrestricted access to these ports exposes the infrastructure to brute-force attacks and to exploitation of the administration service itself.
Troubleshooting Steps and Remediation
If you have a Network ACL that violates this rule, here are the steps to identify and remediate the issue:
Step 1: Identify Ingress Rules with 0.0.0.0/0 Access to Admin Ports
Use the AWS Management Console, AWS CLI, or AWS SDK to list all Network ACLs and their rules. For AWS CLI, you can use the following command:
aws ec2 describe-network-acls --query 'NetworkAcls[*].{ID:NetworkAclId,Entries:Entries[*].{Rule:RuleNumber,CIDR:CidrBlock,Protocol:Protocol,PortRange:PortRange,RuleAction:RuleAction,Egress:Egress}}'
Evaluate the output to find any ingress rule (Egress is false) with a RuleAction of allow whose CidrBlock value is 0.0.0.0/0 and whose PortRange includes ports such as 22 for SSH or 3389 for RDP. Note that an entry with Protocol -1 (all protocols) has no PortRange and therefore covers every port, including the administration ports.
Step 2: Modify or Delete Ingress Rules
Upon identifying the problematic rules, you can either modify them to restrict access or remove them entirely.
To modify an existing rule:
aws ec2 replace-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number <rule-number> --protocol tcp --port-range From=<admin-port>,To=<admin-port> --cidr-block <your-ip>/32 --rule-action allow
Replace <acl-id>, <rule-number>, and <admin-port> with the appropriate values, and ensure that <your-ip>/32 represents the specific IP address from which you need access.
To delete an existing rule:
aws ec2 delete-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number <rule-number>
Replace <acl-id> and <rule-number> with the actual IDs of the ACL and the rule you wish to delete.
Step 3: Repeat for Other ACLs and Subnets
Repeat this process for each Network ACL in your AWS environment, since each one may be associated with different subnets.
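The three steps above can be driven from the JSON that describe-network-acls returns. The following script is an added example, not part of the original page or of any AWS tooling: it applies the rule's audit logic (ingress, allow, source 0.0.0.0/0 or ::/0, TCP or all-protocol, port range covering 22 or 3389, and a missing PortRange treated as all ports) to a constructed sample of the command's output, then emits the Step 2 command for each finding. The ACL IDs and the 203.0.113.10/32 trusted address are constructed placeholders; the replace form is used only when the offending rule was a single administration port, otherwise the entry is scheduled for deletion because narrowing a broader range would change what else the rule permits.

```python
"""Audit describe-network-acls output for the CIS rule and print remediation commands.

Added example; not the page's own tooling. Input is the raw (un-queried) JSON from
`aws ec2 describe-network-acls`, here replaced by a constructed sample.
"""
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample output; IDs are placeholders, not real resources.
SAMPLE_OUTPUT = json.dumps({
    "NetworkAcls": [
        {"NetworkAclId": "acl-0example1", "Entries": [
            # Ingress allow from the world to SSH: a finding.
            {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
            # RDP restricted to a single trusted address: compliant.
            {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "203.0.113.10/32", "PortRange": {"From": 3389, "To": 3389}},
            # Egress entry: out of scope for this rule.
            {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": True,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
            # Default deny: never a finding.
            {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
             "CidrBlock": "0.0.0.0/0"},
        ]},
        {"NetworkAclId": "acl-0example2", "Entries": [
            # Protocol -1 with no PortRange means every port, so it exposes both 22 and 3389.
            {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
             "Ipv6CidrBlock": "::/0"},
            # A broad range that happens to include RDP.
            {"RuleNumber": 200, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
        ]},
    ]
})


def entry_exposes_admin_port(entry):
    """Return the admin ports an ingress allow entry opens to the world (empty if none)."""
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return set()
    source = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if source not in OPEN_TO_WORLD:
        return set()
    if entry.get("Protocol") not in ("-1", "6"):  # only "all" or TCP can carry SSH/RDP
        return set()
    rng = entry.get("PortRange")
    lo, hi = (0, 65535) if rng is None else (rng["From"], rng["To"])
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def find_violations(describe_output):
    """Step 1 and Step 3: walk every ACL and collect offending entries."""
    findings = []
    for acl in json.loads(describe_output)["NetworkAcls"]:
        for entry in acl["Entries"]:
            ports = entry_exposes_admin_port(entry)
            if ports:
                findings.append({"acl": acl["NetworkAclId"], "rule": entry["RuleNumber"],
                                 "ports": sorted(ports), "range": entry.get("PortRange")})
    return findings


def remediation_commands(findings, trusted_cidr):
    """Step 2: narrow single-admin-port rules to trusted_cidr, delete anything broader."""
    cmds = []
    for f in findings:
        rng = f["range"]
        single_admin_port = (rng is not None and rng["From"] == rng["To"]
                             and rng["From"] in ADMIN_PORTS)
        if single_admin_port:
            cmds.append(f"aws ec2 replace-network-acl-entry --network-acl-id {f['acl']} --ingress "
                        f"--rule-number {f['rule']} --protocol tcp "
                        f"--port-range From={rng['From']},To={rng['To']} "
                        f"--cidr-block {trusted_cidr} --rule-action allow")
        else:
            cmds.append(f"aws ec2 delete-network-acl-entry --network-acl-id {f['acl']} "
                        f"--ingress --rule-number {f['rule']}")
    return cmds


if __name__ == "__main__":
    found = find_violations(SAMPLE_OUTPUT)
    for f in found:
        print(f"{f['acl']} rule {f['rule']} exposes {[ADMIN_PORTS[p] for p in f['ports']]}")
    for cmd in remediation_commands(found, "203.0.113.10/32"):
        print(cmd)
```

The check flags an entry on its own contents, as the rule does, and does not evaluate NACL rule ordering; a lower-numbered deny would take precedence in practice, but the open entry still needs to be removed or narrowed to pass the audit.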