Ensure that your Amazon VPC Network Access Control Lists (NACLs) don't have ineffective, partially ineffective or misconfigured DENY rules. A Network ACL is an additional layer of defense for your Virtual Private Cloud (VPC), which allows you to set network rules to ALLOW or DENY access to specific ports or IP ranges. The order of the DENY rules within your Network ACLs is crucial. Traffic through a NACL is evaluated in order of rule number from low to high; when traffic matches a NACL rule, the ALLOW or DENY is applied immediately and no later rule is consulted. By default, NACLs deny all traffic via the default DENY all traffic rule, which is evaluated last in the rule order. It is considered best practice to minimize the number of NACL rules needed to achieve the intended effect.
It is recommended to:
- Define the minimum number of ALLOW rules required to achieve the desired effective result, to ensure only the specific intended traffic is allowed.
- Avoid overlapping definitions of ALLOW rules, to avoid risk of redundancy or confusion.
- Avoid using too many or overlapping DENY rules, to avoid risk of redundancy, ineffectiveness or confusion.
- Position any DENY rules for specific limited parameters at a relatively high priority to ensure effectiveness, and use sparingly to avoid confusion.
- For all other traffic, leverage the default NACL DENY all traffic rule to ensure any remaining traffic that is not expressly identified is denied.
A DENY rule is considered ineffective, partially ineffective or misconfigured in the following cases:
- The DENY rule's traffic parameters, such as protocol, port and source IP, exactly match an ALLOW rule positioned at a lower rule number. This DENY rule would be fully ineffective and redundant.
- The DENY rule protocol and port match a higher priority ALLOW rule, and the DENY rule source IP range is a subset of the ALLOW rule source IP range. This DENY rule would be fully ineffective and redundant.
- A lower priority DENY rule has overlapping port definitions with a higher priority ALLOW rule, and the source IP ranges exactly match. This DENY rule would be considered partially ineffective, and redundant because any undefined traffic should be denied by the default rule.
- A lower priority DENY rule has overlapping port definitions with a higher priority ALLOW rule, and the source IP range of the DENY rule is a subset of the ALLOW rule's source IP range. This DENY rule would be considered partially ineffective, and redundant because any remaining traffic should be denied by the default rule.
- A DENY rule matches the port definition of a higher priority ALLOW, and the DENY rule source IP range is a superset of the ALLOW rule source IP range. This could be considered partially ineffective and redundant, because the DENY could be handled by the default DENY rule. The DENY statement is partially effective, but the effect could be achieved more efficiently with fewer rules, and by leveraging the default DENY all rule.
- A DENY rule has an overlapping port definition with a higher priority ALLOW, and the DENY rule source IP range is a superset of the ALLOW rule source IP range. This is similar to the previous point, but with some overlapping ports. The DENY statement is partially effective, but the effect could be achieved more efficiently with fewer rules, and by leveraging the default DENY all rule.
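As an added example (not part of the Conformity page or its product code), the following Python check applies the ordering logic above to one NACL's entries in the shape returned by `describe-network-acls`, flagging DENY rules that a lower-numbered ALLOW rule fully or partly shadows. The entries are constructed sample data and the check assumes IPv4 `CidrBlock` entries only.

```python
from ipaddress import ip_network

DEFAULT_RULE = 32767  # the "*" default DENY all rule as reported by describe-network-acls

# Constructed sample in the shape of one NACL's "Entries" list (IPv4 only; assumption).
ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "192.0.2.0/24", "PortRange": {"From": 22, "To": 22}},  # precedes all ALLOWs
    {"RuleNumber": 200, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},  # exact match of rule 100
    {"RuleNumber": 210, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "10.0.5.0/24", "PortRange": {"From": 1000, "To": 2000}},  # subset CIDR, overlapping ports
    {"RuleNumber": 220, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},  # superset CIDR of rule 110
    {"RuleNumber": DEFAULT_RULE, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]

def ports(entry):
    # Protocol -1 (all) or a missing PortRange means the entry applies to every port.
    pr = entry.get("PortRange")
    return (pr["From"], pr["To"]) if pr and entry["Protocol"] != "-1" else (0, 65535)

def classify(deny, allows):
    """'effective', 'partially ineffective' or 'fully ineffective' for one DENY entry."""
    dnet, (dlo, dhi) = ip_network(deny["CidrBlock"]), ports(deny)
    verdict = "effective"
    for a in allows:
        # Only ALLOWs evaluated earlier (lower number) on the same protocol can shadow the DENY.
        if a["RuleNumber"] > deny["RuleNumber"] or a["Protocol"] not in ("-1", deny["Protocol"]):
            continue
        anet, (alo, ahi) = ip_network(a["CidrBlock"]), ports(a)
        if not anet.overlaps(dnet) or ahi < dlo or alo > dhi:
            continue  # disjoint in address space or ports: no interaction
        if dnet.subnet_of(anet) and alo <= dlo and dhi <= ahi:
            return "fully ineffective"  # every packet the DENY names was already allowed
        verdict = "partially ineffective"  # some of the DENY's traffic is already allowed
    return verdict

def audit(entries):
    """Map each numbered DENY rule to its verdict, per direction; the default rule is skipped."""
    findings = {}
    for egress in (False, True):
        rules = [e for e in entries if e["Egress"] == egress and e["RuleNumber"] != DEFAULT_RULE]
        allows = [e for e in rules if e["RuleAction"] == "allow"]
        for d in (e for e in rules if e["RuleAction"] == "deny"):
            findings[("out" if egress else "in", d["RuleNumber"])] = classify(d, allows)
    return findings
```

Rule 50 stays effective only because it precedes every ALLOW; moving it to a higher number than rule 100 or 110 would not change its verdict here, since its port and CIDR are disjoint from both.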
This rule resolution is part of the Conformity solution.
To regulate the traffic to and from your Amazon VPC network, use fully effective DENY rules for your Network Access Control Lists (NACLs). Fully effective DENY rules will add an additional layer of security, protect against malicious activities such as hacking, brute-force attacks, and Denial of Service (DoS) attacks, and help minimise the risk of the configuration errors in your NACL rule order.
Audit
To determine if your Network ACLs (NACLs) have ineffective, partially ineffective or misconfigured DENY rules, perform the following actions:
Note: Each NACL includes a rule whose rule number is an asterisk (also known as the default DENY rule). This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule. This default DENY rule is ignored during the Audit process. As a best practice, leverage the default DENY rule in your NACL configuration and avoid unnecessary wide-ranging DENY rules set at a low priority (high rule number).
Remediation / Resolution
Note: To remediate NACL rules, ensure you consider the intention of the rules. The steps below provide a simple example; however, the exact steps to remediate will depend on your environment. The best practice is to use the minimal necessary rules to define the intended effect of the NACL, and to make use of the default DENY all traffic rule.
To be effective, ensure that the DENY rules designed to restrict traffic are placed at a higher priority (i.e. lower rule number) than the related ALLOW rules. To reconfigure ineffective inbound and outbound DENY rules in order to block certain traffic at the subnet level, perform the following actions: