
Unrestricted Network ACL Outbound Traffic

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VPC-010

Check your Amazon VPC Network Access Control Lists (NACLs) for outbound/egress rules that allow traffic to all ports and restrict access to the required ports only in order to implement the Principle of Least Privilege and reduce the possibility of a breach at the subnet level.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Controlling the outbound traffic of one or more VPC subnets by opening just the ports required by your applications will add an additional layer of security to your Amazon VPC network.


Audit

To determine if your Network ACLs (NACLs) allow outbound traffic to all ports, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL (NACL) that you want to examine.

05 Choose the Outbound rules tab from the console bottom panel and check the value available in the Port Range column for each ALLOW rule. If one or more ALLOW rules have the Port Range value set to All, the selected Amazon VPC Network ACL allows outbound/egress traffic to all ports, therefore the access to the Internet for any VPC subnets associated with your Network ACL (NACL) is not restricted.

06 Repeat steps no. 4 and 5 for other Network ACLs available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-network-acls command (OSX/Linux/UNIX) with custom query filters to list the ID of each Network ACL (NACL) available in the selected AWS region:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --output table \
  --query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested NACL IDs:

---------------------
|DescribeNetworkAcls|
+-------------------+
|   acl-abcd1234    |
|   acl-1234abcd    |
+-------------------+

03 Run describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list all the outbound ALLOW rules defined for the selected NACL:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --network-acl-ids acl-abcd1234 \
  --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`true`)] | []'

04 The command output should return the ALLOW rule(s) configured for outbound traffic:

[
    {
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": true,
        "CidrBlock": "0.0.0.0/0",
        "RuleAction": "allow"
    }
]

Each JSON object returned by the describe-network-acls command output represents an ALLOW rule. If an ALLOW rule does not have a "PortRange" attribute defined, as shown in the output example above, the rule allows outbound/egress traffic to all ports, therefore the access to the Internet for the VPC subnets associated with the selected Network ACL (NACL) is not restricted.

05 Repeat steps no. 3 and 4 for other Amazon VPC Network ACLs available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
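The check described in the Audit steps above, as an added example that is not Conformity's or AWS's own code. The script consumes the JSON that describe-network-acls prints (pipe the real output into it, or run it without stdin to evaluate the constructed sample embedded below). It goes slightly beyond the page's own check: besides a "Protocol": "-1" entry with no "PortRange", it also flags a TCP or UDP ALLOW entry whose port range spans 0-65535, which opens every port just as effectively. The NACL IDs and entries in the sample are constructed.

```python
"""Flag Network ACL outbound ALLOW entries that permit traffic to all ports.

Usage with real data (assumes the AWS CLI is configured):
    aws ec2 describe-network-acls --region us-east-1 | python3 nacl_egress_audit.py
Without piped input the constructed SAMPLE below is evaluated instead.
"""
import json
import sys

ALL_PROTOCOLS = "-1"            # NACL entry value meaning "all traffic"
PORTED_PROTOCOLS = {"6", "17"}  # TCP and UDP, the only protocols with ports
MAX_PORT = 65535


def allows_all_ports(entry):
    """True if an outbound ALLOW entry lets traffic reach every destination port.

    Three shapes do that: protocol "-1" (the case the rule text describes, which
    carries no PortRange), a TCP/UDP entry with no PortRange at all, and a
    TCP/UDP entry whose PortRange covers 0-65535. Protocols without a port
    concept (ICMP, GRE, ...) are not reported by this check.
    """
    if entry.get("Egress") is not True or entry.get("RuleAction") != "allow":
        return False
    protocol = str(entry.get("Protocol"))
    if protocol == ALL_PROTOCOLS:
        return True
    if protocol not in PORTED_PROTOCOLS:
        return False
    port_range = entry.get("PortRange")
    if port_range is None:
        return True
    return port_range.get("From", 0) <= 0 and port_range.get("To", 0) >= MAX_PORT


def find_unrestricted_egress(describe_output):
    """Map each NetworkAclId to the sorted rule numbers of its offending entries."""
    findings = {}
    for acl in describe_output.get("NetworkAcls", []):
        offending = sorted(
            e["RuleNumber"] for e in acl.get("Entries", []) if allows_all_ports(e)
        )
        if offending:
            findings[acl["NetworkAclId"]] = offending
    return findings


# Constructed sample in the shape describe-network-acls returns (IDs are fictitious).
SAMPLE = {
    "NetworkAcls": [
        {
            "NetworkAclId": "acl-abcd1234",
            "Entries": [
                # the non-compliant entry from the Audit section: all traffic, no PortRange
                {"RuleNumber": 100, "Protocol": "-1", "Egress": True,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
                # inbound counterpart, out of scope for this rule
                {"RuleNumber": 100, "Protocol": "-1", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
                # the fixed default deny (shown as * in the console)
                {"RuleNumber": 32767, "Protocol": "-1", "Egress": True,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
            ],
        },
        {
            "NetworkAclId": "acl-1234abcd",
            "Entries": [
                {"RuleNumber": 100, "Protocol": "6", "Egress": True,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "allow",
                 "PortRange": {"From": 80, "To": 80}},
                # TCP with the full port range: every port, even though PortRange exists
                {"RuleNumber": 110, "Protocol": "6", "Egress": True,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "allow",
                 "PortRange": {"From": 0, "To": 65535}},
                # ICMP has no ports, so it is not a finding for this check
                {"RuleNumber": 120, "Protocol": "1", "Egress": True,
                 "CidrBlock": "0.0.0.0/0", "RuleAction": "allow",
                 "IcmpTypeCode": {"Type": -1, "Code": -1}},
            ],
        },
    ]
}


def main():
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_unrestricted_egress(data)
    for acl_id, rules in findings.items():
        print(f"{acl_id}: outbound ALLOW rule(s) {rules} permit traffic to all ports")
    return 1 if findings else 0  # non-zero exit makes it usable in a CI gate


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample it reports rule 100 of acl-abcd1234 and rule 110 of acl-1234abcd; the inbound entry, the default deny and the ICMP entry are ignored. Loop the region list to cover step 06.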

Remediation / Resolution

To reconfigure your Network ACL outbound rules in order to allow traffic to specific destination port or destination port range only, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Allow Traffic to Specific Destination Port/Port Range Only",
  "Resources": {
    "AWSVPCNetwork": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default"
      }
    },
    "VPCNetworkACL": {
        "Type": "AWS::EC2::NetworkAcl",
        "Properties": {
            "VpcId": {
              "Ref": "AWSVPCNetwork"
            }
        }
    },
    "HTTPTrafficOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
            "NetworkAclId": {
                "Ref": "VPCNetworkACL"
            },
            "RuleNumber": 100,
            "Protocol": 6,
            "RuleAction": "allow",
            "CidrBlock": "0.0.0.0/0",
            "Egress": true,
            "PortRange": {
                "From": 80,
                "To": 80
            }
        }
    },
    "DNSTrafficOutboundRule": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
            "NetworkAclId": {
                "Ref": "VPCNetworkACL"
            },
            "RuleNumber": 200,
            "Protocol": 6,
            "RuleAction": "allow",
            "CidrBlock": "0.0.0.0/0",
            "Egress": true,
            "PortRange": {
                "From": 53,
                "To": 53
            }
        }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Allow Traffic to Specific Destination Port/Port Range Only
Resources:
  AWSVPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
  VPCNetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref 'AWSVPCNetwork'
  HTTPTrafficOutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref 'VPCNetworkACL'
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      CidrBlock: '0.0.0.0/0'
      Egress: true
      PortRange:
        From: 80
        To: 80
  DNSTrafficOutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref 'VPCNetworkACL'
      RuleNumber: 200
      Protocol: 6
      RuleAction: allow
      CidrBlock: '0.0.0.0/0'
      Egress: true
      PortRange:
        From: 53
        To: 53

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support = true
  instance_tenancy = "default"
}

resource "aws_network_acl" "vpc-network-acl" {
  vpc_id = aws_vpc.aws-vpc-network.id
}

# Allow Traffic to Specific Destination Port/Port Range Only (HTTP Traffic)
resource "aws_network_acl_rule" "http-access-outbound-rule" {
  network_acl_id = aws_network_acl.vpc-network-acl.id
  rule_number    = 100
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 80
  to_port        = 80
}

# Allow Traffic to Specific Destination Port/Port Range Only (DNS Traffic)
resource "aws_network_acl_rule" "dns-access-outbound-rule" {
  network_acl_id = aws_network_acl.vpc-network-acl.id
  rule_number    = 200
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 53
  to_port        = 53
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL (NACL) that you want to reconfigure.

05 Select the Outbound rules tab from the console bottom panel and choose Edit outbound rules.

06 On the Edit outbound rules configuration page, perform the following operations:

  a. Choose the ALLOW rule that you want to reconfigure and change the following attributes:
    • Select a predefined type of traffic from the Type dropdown list, except the All traffic predefined type which allows outbound/egress traffic to all ports. For example, to add a rule for HTTP traffic, choose HTTP and the AWS console will fill in the port number for you. To use a custom protocol, choose the Custom Protocol type and select the desired (supported) protocol from the Protocol dropdown list.
    • In the Destination box, enter the CIDR range that the rule applies to (e.g. 0.0.0.0/0).
    • Select Allow from the Allow/Deny dropdown list to allow the outbound traffic to the specified destination port or destination port range.
  b. (Optional) To add another ALLOW rule, choose Add new rule and repeat step a. as required.
  c. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 to reconfigure other Network ACLs that allow outbound traffic to all ports.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the outbound/egress rule(s) that allow traffic to all ports. The following command example replaces a non-compliant outbound ALLOW rule, identified by the number 100, with an HTTP rule that allows access to TCP port 80 only, within a Network ACL identified by the ID acl-abcd1234 (the command does not produce an output):

aws ec2 replace-network-acl-entry \
  --region us-east-1 \
  --network-acl-id acl-abcd1234 \
  --egress \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=80,To=80 \
  --cidr-block 0.0.0.0/0 \
  --rule-action allow

02 (Optional) To create additional outbound rules for your Network ACL, run create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates a DNS egress rule with the identification number set to 200 that allows access to TCP port 53 only, within a NACL identified by the ID acl-1234abcd (the command does not return an output):

aws ec2 create-network-acl-entry \
  --region us-east-1 \
  --network-acl-id acl-1234abcd \
  --egress \
  --rule-number 200 \
  --protocol tcp \
  --port-range From=53,To=53 \
  --cidr-block 0.0.0.0/0 \
  --rule-action allow

03 Repeat steps no. 1 and 2 to reconfigure other Amazon VPC Network ACLs that allow egress traffic to all ports.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
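Why step 01 replaces rule 100 instead of only creating new rules beside it, as an added example that is not Conformity's or AWS's own code. Network ACL entries are evaluated in ascending rule number and the first matching entry decides, with the fixed entry 32767 (shown as * in the console) denying whatever nothing else matched. The simulator below applies those semantics to three constructed rule sets: the non-compliant NACL from the Audit section, a NACL where the HTTP and DNS rules were merely added after the all-traffic rule, and the result of the Remediation commands. The destination address and the probe ports are constructed.

```python
"""Simulate Network ACL outbound evaluation to compare remediation approaches."""
import ipaddress

PROTO_ALL = "-1"
PROTO_NUMBER = {"tcp": "6", "udp": "17"}  # protocol names to NACL protocol numbers


def entry_matches(entry, dst_ip, proto, dst_port):
    """True if a single outbound entry applies to a packet with this destination."""
    if not entry.get("Egress"):
        return False
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(cidr):
        return False
    if entry["Protocol"] == PROTO_ALL:
        return True
    if entry["Protocol"] != PROTO_NUMBER[proto]:
        return False
    port_range = entry.get("PortRange")
    if port_range is None:  # TCP/UDP entry without a port constraint
        return True
    return port_range["From"] <= dst_port <= port_range["To"]


def evaluate_egress(entries, dst_ip, proto, dst_port):
    """Return the RuleAction of the lowest-numbered entry that matches the packet."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry_matches(entry, dst_ip, proto, dst_port):
            return entry["RuleAction"]
    return "deny"  # not reached in practice: entry 32767 always matches


def rule(number, protocol, action="allow", port_range=None):
    """Build an outbound entry to 0.0.0.0/0 in the describe-network-acls shape."""
    entry = {"RuleNumber": number, "Protocol": protocol, "Egress": True,
             "CidrBlock": "0.0.0.0/0", "RuleAction": action}
    if port_range is not None:
        entry["PortRange"] = {"From": port_range[0], "To": port_range[1]}
    return entry


DEFAULT_DENY = rule(32767, PROTO_ALL, action="deny")

# Constructed: the non-compliant NACL from the Audit section.
BEFORE = [rule(100, PROTO_ALL), DEFAULT_DENY]

# Constructed: HTTP and DNS rules created at 200/210 while rule 100 is kept.
ADDED_ONLY = [rule(100, PROTO_ALL),
              rule(200, "6", port_range=(80, 80)),
              rule(210, "6", port_range=(53, 53)),
              DEFAULT_DENY]

# Constructed: the Remediation result, rule 100 replaced by TCP/80, rule 200 for TCP/53.
AFTER = [rule(100, "6", port_range=(80, 80)),
         rule(200, "6", port_range=(53, 53)),
         DEFAULT_DENY]


def probe(entries, dst_ip="198.51.100.10"):
    """Outcome for HTTP, DNS over TCP and an arbitrary unrelated TCP port."""
    return {
        "tcp/80": evaluate_egress(entries, dst_ip, "tcp", 80),
        "tcp/53": evaluate_egress(entries, dst_ip, "tcp", 53),
        "tcp/9999": evaluate_egress(entries, dst_ip, "tcp", 9999),
    }


if __name__ == "__main__":
    for name, entries in (("before", BEFORE), ("added only", ADDED_ONLY), ("after", AFTER)):
        print(f"{name:>10}: {probe(entries)}")
```

The "added only" set still allows tcp/9999 because rule 100 matches first, so stricter rules behind an all-traffic ALLOW change nothing; only the replaced set denies it. Note that the page's DNS rule covers TCP/53 only; resolvers normally query over UDP, so a udp (protocol 17) rule for port 53 is needed if the subnet's hosts must resolve names.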

Publication date Feb 24, 2017