Check your Amazon VPC Network Access Control Lists (NACLs) for outbound/egress rules that allow traffic to all ports and restrict access to the required ports only in order to implement the Principle of Least Privilege and reduce the possibility of a breach at the subnet level.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Controlling the outbound traffic of one or more VPC subnets by opening only the ports your applications require adds a further layer of security to your Amazon VPC network: a compromised instance in that subnet can then only reach the destinations and ports you have explicitly permitted.
Audit
To determine if your Network ACLs (NACLs) allow outbound traffic to all ports, perform the following actions:
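The same audit can be run offline against the JSON that `aws ec2 describe-network-acls` returns. The script below is an added example, not Conformity's own code; the NACL and VPC ids and the rule set are constructed sample data, and it flags an egress allow rule as "all ports" when its protocol is -1 (all traffic) or when a TCP/UDP rule spans the full 0-65535 range.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-acls` JSON output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"NetworkAcls": [{
    "NetworkAclId": "acl-EXAMPLE", "VpcId": "vpc-EXAMPLE",  # placeholder ids
    "Entries": [
        # Rule 100: protocol -1 (all traffic), no PortRange: every port is open
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
         "Egress": True, "CidrBlock": "0.0.0.0/0"},
        # Rule 110: TCP with the full 0-65535 range, equivalent to all ports
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow",
         "Egress": True, "CidrBlock": "0.0.0.0/0",
         "PortRange": {"From": 0, "To": 65535}},
        # Rule 120: TCP 443 only, compliant
        {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow",
         "Egress": True, "CidrBlock": "0.0.0.0/0",
         "PortRange": {"From": 443, "To": 443}},
        # Rule 130: inbound rule, out of scope for an egress check
        {"RuleNumber": 130, "Protocol": "-1", "RuleAction": "allow",
         "Egress": False, "CidrBlock": "0.0.0.0/0"},
        # Rule 32767: the default catch-all deny allows nothing
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
         "Egress": True, "CidrBlock": "0.0.0.0/0"},
    ]}]})

def allows_all_ports(entry):
    """True for an allow rule that opens every port: protocol -1 (all traffic),
    or a TCP (6) / UDP (17) rule whose PortRange spans 0-65535."""
    if entry.get("RuleAction") != "allow":
        return False
    if entry.get("Protocol") == "-1":
        return True
    rng = entry.get("PortRange") or {}
    return (entry.get("Protocol") in ("6", "17")
            and rng.get("From") == 0 and rng.get("To") == 65535)

def find_open_egress_rules(describe_json):
    """Return (NetworkAclId, RuleNumber) for every egress allow rule that opens all ports."""
    findings = []
    for acl in json.loads(describe_json)["NetworkAcls"]:
        for entry in acl["Entries"]:
            if entry.get("Egress") and allows_all_ports(entry):
                findings.append((acl["NetworkAclId"], entry["RuleNumber"]))
    return findings

if __name__ == "__main__":
    for acl_id, rule in find_open_egress_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{acl_id}: egress rule {rule} allows all ports; narrow it with replace-network-acl-entry")
```

Each reported rule number is the one to pass to `replace-network-acl-entry` together with the specific port range your application actually needs.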
Remediation / Resolution
To reconfigure your Network ACL outbound rules so that they allow traffic to a specific destination port or destination port range only, perform the following actions:
References
- AWS Documentation
  - Internetwork traffic privacy in Amazon VPC
  - Control traffic to subnets using Network ACLs
  - What is Amazon VPC?
- AWS Command Line Interface (CLI) Documentation
  - ec2
  - describe-network-acls
  - replace-network-acl-entry
  - create-network-acl-entry
- CloudFormation Documentation
  - AWS::EC2::VPC
- Terraform Documentation
  - AWS Provider