Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Ineffective Network ACL DENY Rules

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VPC-015

Ensure that your Amazon VPC Network Access Control Lists (NACLs) don't have ineffective, partially ineffective or misconfigured DENY rules. A Network ACL is an additional layer of defense for your Virtual Private Cloud (VPC), which allows you to set network rules to ALLOW or DENY access to specific ports or IP ranges. The order of the DENY rules within your Network ACLs is crucial. Traffic through a NACL is evaluated in order of rule number from low to high; when traffic matches a NACL rule, the ALLOW or DENY is applied immediately. By default, NACLs deny all traffic via the default DENY all traffic rule, which is evaluated last in the rule order. It is considered best practice to minimize the number of NACL rules to achieve the effective result.

It is recommended to:

  1. Define the minimum number of ALLOW rules required to achieve the desired effective result, to ensure only the specific intended traffic is allowed.
  2. Avoid overlapping definitions of ALLOW rules, to avoid risk of redundancy or confusion.
  3. Avoid using too many or overlapping DENY rules, to avoid risk of redundancy, ineffectiveness or confusion.
  4. Position any DENY rules for specific limited parameters at a relatively high priority to ensure effectiveness, and use sparingly to avoid confusion.
  5. For all other traffic, leverage the deafult NACL DENY all traffic rule to ensure any remaining traffic that is not expressly identified is denied.
A NACL DENY rule may be considered ineffective, partially ineffective or misconfigured in the some of the following scenarios:
  1. The DENY rule traffic parameters such as protocol, port and source IP exactly match an ALLOW rule positioned at a lower rule number. This DENY rule would be fully ineffective and redundant.
  2. The DENY rule protocol and port match a higher priority ALLOW rule, and the DENY rule source IP range is a subset of the ALLOW rule source IP range. This DENY rule would be fully ineffective and redundant.
  3. A lower priority DENY rule has overlapping port definitions with a higher priority ALLOW rule, and the source IP ranges exactly match. This DENY rule would be considered partially ineffective, and redundant because any undefined traffic should be denied by the default rule.
  4. A lower priority DENY rule has overlapping port definitions with a higher priority ALLOW rule, and the source IP range of the DENY rule is a subset of the ALLOW rule's source IP range. This DENY rule would be considered partially ineffective, and redundant because any reamining traffic should be denied by the default rule.
In addition, it is generally recommended to avoid the following scenarios, although less strictly:
  1. A DENY rule matches the port definition of a higher priority ALLOW, and the DENY rule source IP range is a superset of the ALLOW rule source IP range. This could be considered partially ineffective and redundant, because the DENY could be handled by the default DENY rule. The DENY statement is partially effective, but the effect could be achieved more efficiently with fewer rules, and by leveraging the default DENY all rule.
  2. A DENY rule has an overlapping port definition with a higher priority ALLOW, and the DENY rule source IP range is a superset of the ALLOW rule source IP range. This is similar to the previous point, but with some overlapping ports. The DENY statement is partially effective, but the effect could be achieved more efficiently with fewer rules, and by leveraging the default DENY all rule.
In order to be effective, ensure that any DENY rules designed to restrict traffic via certain ports, IP ranges, or protocols are placed at a higher priority (lower rule number) than the related ALLOW rules, and are used sparingly.

This rule resolution is part of the Conformity solution.

Security

To regulate the traffic to and from your Amazon VPC network, use fully effective DENY rules for your Network Access Control Lists (NACLs). Fully effective DENY rules will add an additional layer of security, protect against malicious activities such as hacking, brute-force attacks, and Denial of Service (DoS) attacks, and help minimise the risk of the configuration errors in your NACL rule order.


Audit

To determine if your Network ACLs (NACLs) have ineffective, partially ineffective or misconfigured DENY rules, perform the following actions:

Note: Each NACL includes a rule whose rule number is an asterisk (also known as default DENY rule). This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule. This default DENY rule is ignored during the Audit process. It is recommended for best practice to leverage the default DENY rule in your NACL configuration and avoid unnecessary wide ranging DENY rules set at a low prioity (high rule number).

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL that you want to examine.

05 Choose the Inbound rules tab from the console bottom panel and check for the DENY rules within the selected Network ACL. Review the traffic configuration for any DENY rules, i.e. the Type, the Port range, and the Source, and compare these to any higher priority (lower number) ALLOW rules. If a DENY rule has matching or overlapping protocol and ports with a higher priority ALLOW rule, and has a source IP range that matches or is a subset of the ALLOW rule source IP range, the inbound DENY rule is considered ineffective or partially ineffective and is redundant.

06 Choose the Outbound rules tab from the console bottom panel and check for the DENY rules within the selected Network ACL. Review the traffic configuration for any DENY rules, i.e. the Type, the Port range, and the Destination, and compare these to any higher priority (lower number) ALLOW rules. If a DENY rule has matching or overlapping protocol and ports with a higher priority ALLOW rule, and has a destination IP range that matches or is a subset of the ALLOW rule destination IP range, the outbound DENY rule is considered ineffective or partially ineffective and is redundant.

07 Repeat steps no. 4 – 6 for other Network ACLs available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-network-acls command (OSX/Linux/UNIX) with custom query filters to list the ID of each Network ACL (NACL) available in the selected AWS region:

aws ec2 describe-network-acls
  --region us-east-1
  --output table
  --query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested NACL IDs:

---------------------
|DescribeNetworkAcls|
+-------------------+
|   acl-abcd1234    |
|   acl-1234abcd    |
+-------------------+

03 Run describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list the inbound rules defined for the selected NACL:

aws ec2 describe-network-acls
  --region us-east-1
  --network-acl-ids acl-abcd1234
  --query 'NetworkAcls[*].Entries[?(Egress==`false`)]'

04 The command output should return the configuration information requested:

[
	[
		{
			"RuleNumber": 100,
			"Protocol": "6",
			"PortRange": {
				"To": 22,
				"From": 22
			},
			"Egress": false,
			"RuleAction": "allow",
			"CidrBlock": "0.0.0.0/0"
		},
		{
			"RuleNumber": 200,
			"Protocol": "6",
			"PortRange": {
				"To": 3389,
				"From": 3389
			},
			"Egress": false,
			"RuleAction": "allow",
			"CidrBlock": "0.0.0.0/0"
		},
		{
			"RuleNumber": 300,
			"Protocol": "6",
			"PortRange": {
				"To": 22,
				"From": 22
			},
			"Egress": false,
			"RuleAction": "deny",
			"CidrBlock": "0.0.0.0/0"
		}
	]
]

Each JSON object returned by the describe-network-acls command output, separated by a comma, represents an inbound rule. Check and review the traffic configuration for inbound DENY rules, i.e. the "Protocol", the "PortRange", and the "CidrBlock", and compare these to any higher priority (lower number) ALLOW rules. If a DENY rule has matching or overlapping protocol and ports with a higher priority ALLOW rule, and has a source IP range that matches or is a subset of the ALLOW rule source IP range, the inbound DENY rule is considered ineffective or partially ineffective and is redundant.

05 Run describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom query filters to list the outbound rules configured for the selected NACL:

aws ec2 describe-network-acls
  --region us-east-1
  --network-acl-ids acl-abcd1234
  --query 'NetworkAcls[*].Entries[?(Egress==`true`)]'

06 The command output should return the configuration information requested:

[
	[
		{
			"RuleNumber": 100,
			"Protocol": "6",
			"PortRange": {
				"To": 22,
				"From": 22
			},
			"Egress": true,
			"RuleAction": "allow",
			"CidrBlock": "0.0.0.0/0"
		},
		{
			"RuleNumber": 110,
			"Protocol": "6",
			"PortRange": {
				"To": 443,
				"From": 443
			},
			"Egress": true,
			"RuleAction": "allow",
			"CidrBlock": "0.0.0.0/0"
		},
		{
			"RuleNumber": 120,
			"Protocol": "6",
			"PortRange": {
				"To": 22,
				"From": 22
			},
			"Egress": true,
			"RuleAction": "deny",
			"CidrBlock": "0.0.0.0/0"
		}
	]
]

Check the list of outbound rules returned by the describe-network-acls command. Review the traffic configuration for outbound DENY rules, i.e. the "Protocol", the "PortRange", and the "CidrBlock", and compare these to any higher priority (lower number) ALLOW rules. If a DENY rule has matching or overlapping protocol and ports with a higher priority ALLOW rule, and has a destinatioh IP range that matches or is a subset of the ALLOW rule source IP range, the outbound DENY rule is considered ineffective or partially ineffective and is redundant.

07 Repeat steps no. 3 – 6 for other Network ACLs available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

Note: To remediate NACL rules, ensure you consider the intention of the rules. The below steps provide a simple example, however the exact steps to remediate will depend on your environment. The best practice is to use the minimal necessary rules to define the intended effect of the NACL, and to make use of the default DENY all traffic rule.

To be effective, ensure that the DENY rules designed to restrict traffic are placed at a higher priority (i.e. lower rule number) than the related ALLOW rules. To reconfigure ineffective inbound and outbound DENY rules in order to block certain traffic at the subnet level, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Reconfigure Ineffective Inbound/Outbound DENY Rules by Setting a Higher Priority (Rule Number)",
	"Resources": {
		"AWSVPCNetwork": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "10.0.0.0/16",
				"EnableDnsHostnames": true,
				"EnableDnsSupport": true,
				"InstanceTenancy": "default"
			}
		},
		"VPCNetworkACL": {
			"Type": "AWS::EC2::NetworkAcl",
			"Properties": {
				"VpcId": {
					"Ref": "AWSVPCNetwork"
				}
			}
		},
		"SSHTrafficInboundRule": {
			"Type": "AWS::EC2::NetworkAclEntry",
			"Properties": {
				"NetworkAclId": {
					"Ref": "VPCNetworkACL"
				},
				"RuleNumber": 50,
				"Protocol": 6,
				"RuleAction": "deny",
				"CidrBlock": "0.0.0.0/0",
				"PortRange": {
					"From": 22,
					"To": 22
				}
			}
		},
		"SSHTrafficOutboundRule": {
			"Type": "AWS::EC2::NetworkAclEntry",
			"Properties": {
				"NetworkAclId": {
					"Ref": "VPCNetworkACL"
				},
				"RuleNumber": 90,
				"Protocol": 6,
				"RuleAction": "deny",
				"CidrBlock": "0.0.0.0/0",
				"Egress": true,
				"PortRange": {
					"From": 22,
					"To": 22
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Reconfigure Ineffective Inbound/Outbound DENY Rules by Setting a Higher Priority (Rule Number)
	Resources:
		AWSVPCNetwork:
		Type: AWS::EC2::VPC
		Properties:
			CidrBlock: 10.0.0.0/16
			EnableDnsHostnames: true
			EnableDnsSupport: true
			InstanceTenancy: default
		VPCNetworkACL:
		Type: AWS::EC2::NetworkAcl
		Properties:
			VpcId: !Ref 'AWSVPCNetwork'
		SSHTrafficInboundRule:
		Type: AWS::EC2::NetworkAclEntry
		Properties:
			NetworkAclId: !Ref 'VPCNetworkACL'
			RuleNumber: 50
			Protocol: 6
			RuleAction: deny
			CidrBlock: '0.0.0.0/0'
			PortRange:
			From: 22
			To: 22
		SSHTrafficOutboundRule:
		Type: AWS::EC2::NetworkAclEntry
		Properties:
			NetworkAclId: !Ref 'VPCNetworkACL'
			RuleNumber: 90
			Protocol: 6
			RuleAction: deny
			CidrBlock: '0.0.0.0/0'
			Egress: true
			PortRange:
			From: 22
			To: 22

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
	cidr_block = "10.0.0.0/16"
	enable_dns_hostnames = true
	enable_dns_support = true
	instance_tenancy = "default"
}

resource "aws_network_acl" "vpc-network-acl" {
	vpc_id = aws_vpc.aws-vpc-network.id
}

# Reconfigure Ineffective Inbound DENY Rules by Setting a Higher Priority (Rule Number)
resource "aws_network_acl_rule" "https-traffic-inbound-rule" {
	network_acl_id = aws_network_acl.vpc-network-acl.id
	rule_number    = 50
	egress         = false
	protocol       = "tcp"
	rule_action    = "deny"
	cidr_block     = "0.0.0.0/0"
	from_port      = 22
	to_port        = 22
}

# Reconfigure Ineffective Outbound DENY Rules by Setting a Higher Priority (Rule Number)
resource "aws_network_acl_rule" "rdp-access-inbound-rule" {
	network_acl_id = aws_network_acl.vpc-network-acl.id
	rule_number    = 90
	egress         = true
	protocol       = "tcp"
	rule_action    = "deny"
	cidr_block     = "0.0.0.0/0"
	from_port      = 22
	to_port        = 22
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL that you want to reconfigure.

05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

06 On the Edit inbound rules page, choose the ineffective DENY rule and change the number available in the Rule number box with a number lower than the rule number of the associated ALLOW rule. This will place the reconfigured DENY rule to a higher priority and enable the selected Network ACL (NACL) to re-evaluate the list of rules in order to restrict the traffic specified by the rule parameters. Choose Save changes to apply the changes.

07 Select the Outbound rules tab from the console bottom panel and choose Edit outbound rules.

08 On the Edit outbound rules page, choose the ineffective DENY rule and change the number available in the Rule number box with a number that is lower than the rule number of the associated ALLOW rule. This will place the reconfigured DENY rule earlier in the table (i.e. higher priority) and enable the selected Network ACL (NACL) to re-evaluate the list of rules in order to restrict the traffic specified by the rule parameters. Choose Save changes to apply the changes.

09 Repeat steps no. 4 – 8 for other Network ACLs (NACLs) that you want to reconfigure available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 For inbound DENY rules:

  1. Run delete-network-acl-entry command (OSX/Linux/UNIX) to remove the ineffective DENY rule from the selected Network ACL (NACL). The following command example deletes an ineffective inbound DENY rule identified by the rule number 300 (the command does not produce an output):
    aws ec2 delete-network-acl-entry
      --region us-east-1
      --network-acl-id acl-abcd1234
      --ingress
      --rule-number 300
    
  2. Run create-network-acl-entry command (OSX/Linux/UNIX) to re-create the DENY rule deleted at the previous step with a higher priority than the associated ALLOW rule. The following command example creates a new inbound DENY rule with the rule number set to 50. This will place the DENY rule to a higher priority than the associated rule and enable the selected NACL to re-evaluate the list of rules in order to restrict the traffic specified by the rule parameters (if successful, the command does not produce an output):
    aws ec2 create-network-acl-entry
      --region us-east-1
      --network-acl-id acl-abcd1234
      --ingress
      --rule-number 50
      --protocol tcp
      --port-range From=22,To=22
      --cidr-block 0.0.0.0/0
      --rule-action deny
    

02 For outbound DENY rules:

  1. Run delete-network-acl-entry command (OSX/Linux/UNIX) to remove the ineffective DENY rule from the selected Network ACL (NACL). The following command example deletes an ineffective inbound DENY rule identified by the rule number 120 (the command does not produce an output):
    aws ec2 delete-network-acl-entry
      --region us-east-1
      --network-acl-id acl-abcd1234
      --egress
      --rule-number 120
    
  2. Run create-network-acl-entrycommand (OSX/Linux/UNIX) to re-create the DENY rule deleted at the previous step with a higher priority than the associated ALLOW rule. The following command example creates an outbound DENY rule with the rule number set to 90. This will place the DENY rule to a higher priority than the associated rule and enable the Network ACL to re-evaluate the list of rules in order to restrict the traffic specified by the rule parameters (the command does not produce an output):
    aws ec2 create-network-acl-entry
      --region us-east-1
      --network-acl-id acl-abcd1234
      --egress
      --rule-number 90
      --protocol tcp
      --port-range From=22,To=22
      --cidr-block 0.0.0.0/0
      --rule-action deny
    

03 Repeat steps no. 1 and 2 for other Network ACLs (NACLs) that you want to reconfigure available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

Publication date May 2, 2017