Rule: VPC Network Access Control Lists Associated with Subnet

This rule states that VPC network access control lists (network ACLs) should be associated with a subnet.

Rule: VPC network access control lists (network ACLs) should be associated with a subnet.
Framework: CISA-cyber-essentials
Severity: Low

VPC Network Access Control Lists (ACLs) for CISA-Cyber Essentials

Rule Description

This rule states that for CISA-Cyber Essentials compliance, VPC Network Access Control Lists (ACLs) must be associated with a subnet. ACLs are used to control inbound and outbound traffic at the subnet level within Amazon Virtual Private Cloud (VPC) environments. By associating ACLs with subnets, organizations can enforce specific networking rules and restrict network access based on defined policies.

Potential Troubleshooting Steps

  1. Ensure that a suitable VPC exists within the account.
  2. Verify that subnets are available within the VPC.
  3. Check which ACLs are currently associated with those subnets.
  4. Review the permissions and rules defined within the ACLs to confirm compliance with the CISA-Cyber Essentials requirements.

Necessary Codes

There is no dedicated code for this rule; the following AWS Command Line Interface (CLI) commands show how an ACL association with a subnet is inspected and changed:

To list all available subnets within a VPC:

aws ec2 describe-subnets --filters "Name=vpc-id,Values=<VPC_ID>"

To associate an ACL with a subnet:

aws ec2 replace-network-acl-association --association-id <ASSOCIATION_ID> --network-acl-id <ACL_ID>
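The association ID that replace-network-acl-association needs, and the list of ACLs that are not attached to any subnet, both come from the describe-network-acls output rather than from describe-subnets. The script below is an added example (not code from the original page or from the vendor) that audits a constructed describe-network-acls response offline; the IDs in it are placeholders, and fetch_network_acls is an assumed live variant that needs boto3 and AWS credentials.

```python
"""Audit network ACL <-> subnet associations from a describe-network-acls
response. Added example; the IDs below are constructed placeholders."""
from typing import Dict, List, Optional

# Constructed sample in the shape returned by `aws ec2 describe-network-acls`.
SAMPLE_RESPONSE = {
    "NetworkAcls": [
        {"NetworkAclId": "acl-0default", "IsDefault": True, "VpcId": "vpc-0example",
         "Associations": [{"NetworkAclAssociationId": "aclassoc-001",
                           "NetworkAclId": "acl-0default", "SubnetId": "subnet-0aaa"}]},
        {"NetworkAclId": "acl-0custom", "IsDefault": False, "VpcId": "vpc-0example",
         "Associations": [{"NetworkAclAssociationId": "aclassoc-002",
                           "NetworkAclId": "acl-0custom", "SubnetId": "subnet-0bbb"}]},
        # A custom ACL with no associations: its rules currently protect nothing.
        {"NetworkAclId": "acl-0orphan", "IsDefault": False, "VpcId": "vpc-0example",
         "Associations": []},
    ]
}


def unused_network_acls(response: Dict) -> List[str]:
    """IDs of network ACLs that are not associated with any subnet (rule findings)."""
    return sorted(acl["NetworkAclId"] for acl in response["NetworkAcls"]
                  if not acl.get("Associations"))


def subnet_to_acl(response: Dict) -> Dict[str, str]:
    """Map each subnet to the ACL it is attached to (every subnet has exactly one)."""
    return {assoc["SubnetId"]: acl["NetworkAclId"]
            for acl in response["NetworkAcls"]
            for assoc in acl.get("Associations", [])}


def association_id_for(response: Dict, subnet_id: str) -> Optional[str]:
    """The association ID to pass to replace-network-acl-association for a subnet."""
    for acl in response["NetworkAcls"]:
        for assoc in acl.get("Associations", []):
            if assoc["SubnetId"] == subnet_id:
                return assoc["NetworkAclAssociationId"]
    return None  # unknown subnet: nothing to replace


def fetch_network_acls(vpc_id: str) -> Dict:
    """Assumed live variant: same structure via boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline functions above work without it
    ec2 = boto3.client("ec2")
    return ec2.describe_network_acls(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])


if __name__ == "__main__":
    print("unused ACLs:", unused_network_acls(SAMPLE_RESPONSE))
    print("subnet -> ACL:", subnet_to_acl(SAMPLE_RESPONSE))
```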

Step-by-Step Guide for Remediation

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon VPC service.
  3. Ensure that you have the necessary permissions to modify VPC and subnet configurations.
  4. Identify the target VPC associated with the subnet that requires ACL association.
  5. From the VPC dashboard, go to the "Subnets" section.
  6. In the list of subnets, find the subnet that requires ACL association and note its ID.
  7. Identify the appropriate ACL that needs to be associated with the subnet.
  8. Go to the "Network ACLs" section.
  9. In the list of ACLs, select the ACL that needs to be associated with the subnet.
  10. Note the ACL ID.
  11. Go back to the "Subnets" section and select the desired subnet.
  12. In the "Actions" dropdown, choose "Edit outbound rules" or "Edit inbound rules" based on the requirements.
  13. Add appropriate rules to allow desired traffic based on CISA-Cyber Essentials guidelines.
  14. Click "Save" to apply the changes.
  15. Use the AWS CLI commands mentioned above to ensure the ACL is correctly associated with the subnet.
  16. Validate that the ACL is now associated with the intended subnet by checking the associated ACL ID using the CLI command (the association is reported by describe-network-acls, filtered on the subnet):
aws ec2 describe-network-acls --filters "Name=association.subnet-id,Values=<SUBNET_ID>"

By following these steps, you will be able to associate the required VPC Network ACL with the chosen subnet, ensuring compliance with the CISA-Cyber Essentials policy.
