Unrestricted Network ACL Outbound Traffic
Check your Amazon VPC Network Access Control Lists (NACLs) for outbound/egress rules that allow traffic to all ports and restrict access to the required ports only in order to implement the Principle of Least Privilege and reduce the possibility of a breach at the subnet level.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Controlling the outbound traffic of one or more VPC subnets by opening just the ports required by your applications will add an additional layer of security to your Amazon VPC network.
Audit
To determine if your Network ACLs (NACLs) allow outbound traffic to all ports, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.
03 In the navigation panel, under SECURITY, choose Network ACLs.
04 Select the Network ACL (NACL) that you want to examine.
05 Choose the Outbound rules tab from the console bottom panel and check the value available in the Port Range column for each ALLOW rule. If one or more ALLOW rules have the Port Range value set to All, the selected Amazon VPC Network ACL allows outbound/egress traffic to all ports, therefore the access to the Internet for any VPC subnets associated with your Network ACL (NACL) is not restricted.
06 Repeat steps no. 4 and 5 for other Network ACLs available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-network-acls command (OSX/Linux/UNIX) with custom query filters to list the ID of each Network ACL (NACL) available in the selected AWS region:
aws ec2 describe-network-acls --region us-east-1 --output table --query 'NetworkAcls[*].NetworkAclId'
02 The command output should return a table with the requested NACL IDs:
---------------------
|DescribeNetworkAcls|
+-------------------+
|   acl-abcd1234    |
|   acl-1234abcd    |
+-------------------+
03 Run describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list all the outbound ALLOW rules defined for the selected NACL:
aws ec2 describe-network-acls --region us-east-1 --network-acl-ids acl-abcd1234 --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`true`)] | []'
04 The command output should return the ALLOW rule(s) configured for outbound traffic:
[
    {
        "RuleNumber": 100,
        "Protocol": "-1",
        "Egress": true,
        "CidrBlock": "0.0.0.0/0",
        "RuleAction": "allow"
    }
]
Each JSON object returned by the describe-network-acls command output represents an ALLOW rule. If an ALLOW rule does not have a "PortRange" attribute defined, as shown in the output example above, the rule allows outbound/egress traffic to all ports, therefore the access to the Internet for the VPC subnets associated with the selected Network ACL (NACL) is not restricted.
05 Repeat steps no. 3 and 4 for other Amazon VPC Network ACLs available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To reconfigure your Network ACL outbound rules in order to allow traffic to specific destination port or destination port range only, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Allow Traffic to Specific Destination Port/Port Range Only",
    "Resources": {
        "AWSVPCNetwork": {
            "Type": "AWS::EC2::VPC",
            "Properties": {
                "CidrBlock": "10.0.0.0/16",
                "EnableDnsHostnames": true,
                "EnableDnsSupport": true,
                "InstanceTenancy": "default"
            }
        },
        "VPCNetworkACL": {
            "Type": "AWS::EC2::NetworkAcl",
            "Properties": {
                "VpcId": { "Ref": "AWSVPCNetwork" }
            }
        },
        "HTTPTrafficOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": { "Ref": "VPCNetworkACL" },
                "RuleNumber": 100,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": "0.0.0.0/0",
                "Egress": true,
                "PortRange": { "From": 80, "To": 80 }
            }
        },
        "DNSTrafficOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": { "Ref": "VPCNetworkACL" },
                "RuleNumber": 200,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": "0.0.0.0/0",
                "Egress": true,
                "PortRange": { "From": 53, "To": 53 }
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Allow Traffic to Specific Destination Port/Port Range Only
Resources:
  AWSVPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
  VPCNetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref 'AWSVPCNetwork'
  HTTPTrafficOutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref 'VPCNetworkACL'
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      CidrBlock: '0.0.0.0/0'
      Egress: true
      PortRange:
        From: 80
        To: 80
  DNSTrafficOutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref 'VPCNetworkACL'
      RuleNumber: 200
      Protocol: 6
      RuleAction: allow
      CidrBlock: '0.0.0.0/0'
      Egress: true
      PortRange:
        From: 53
        To: 53
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  instance_tenancy     = "default"
}

resource "aws_network_acl" "vpc-network-acl" {
  vpc_id = aws_vpc.aws-vpc-network.id
}

# Allow Traffic to Specific Destination Port/Port Range Only (HTTP Traffic)
resource "aws_network_acl_rule" "http-outbound-rule" {
  network_acl_id = aws_network_acl.vpc-network-acl.id
  rule_number    = 100
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 80
  to_port        = 80
}

# Allow Traffic to Specific Destination Port/Port Range Only (DNS Traffic)
resource "aws_network_acl_rule" "dns-outbound-rule" {
  network_acl_id = aws_network_acl.vpc-network-acl.id
  rule_number    = 200
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 53
  to_port        = 53
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.
03 In the navigation panel, under SECURITY, choose Network ACLs.
04 Select the Network ACL (NACL) that you want to reconfigure.
05 Select the Outbound rules tab from the console bottom panel and choose Edit outbound rules.
06 On the Edit outbound rules configuration page, perform the following operations:
- Choose the ALLOW rule that you want to reconfigure and change the following attributes:
- Select a predefined type of traffic from the Type dropdown list, except the All traffic predefined type which allows outbound/egress traffic to all ports. For example, to add a rule for HTTP traffic, choose HTTP and the AWS console will fill in the port number for you. To use a custom protocol, choose the Custom Protocol type and select the desired (supported) protocol from the Protocol dropdown list.
- In the Source box, enter the CIDR range that the rule applies to (e.g. 0.0.0.0/0).
- Select Allow from the Allow/Deny dropdown list to allow the outbound traffic for the specified port or port range.
- (Optional) To add another ALLOW rule, choose Add new rule and repeat step a. as required.
- Choose Save changes to apply the changes.
07 Repeat steps no. 4 – 6 to reconfigure other Network ACLs that allow outbound traffic to all ports.
08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the outbound/egress rule(s) that allow traffic to all ports. The following command example replaces a non-compliant outbound ALLOW rule, identified by the number 100, with an HTTP rule that allows access to TCP port 80 only, within a Network ACL identified by the ID acl-abcd1234 (the command does not produce an output):
aws ec2 replace-network-acl-entry --region us-east-1 --network-acl-id acl-abcd1234 --egress --rule-number 100 --protocol tcp --port-range From=80,To=80 --cidr-block 0.0.0.0/0 --rule-action allow
02 (Optional) To create additional outbound rules for your Network ACL, run create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates a DNS egress rule with the identification number set to 200 that allows access to TCP port 53 only, within a NACL identified by the ID acl-1234abcd (the command does not return an output):
aws ec2 create-network-acl-entry --region us-east-1 --network-acl-id acl-1234abcd --egress --rule-number 200 --protocol tcp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow
03 Repeat steps no. 1 and 2 to reconfigure other Amazon VPC Network ACLs that allow egress traffic to all ports.
04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
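As an added example (not part of the Conformity page or the AWS CLI), the following Python applies the Audit check from step 4 above to a constructed describe-network-acls response and builds the replace-network-acl-entry call from the Remediation section for each offending rule; it goes slightly beyond the page by also flagging a TCP/UDP rule whose PortRange spans 0-65535, which has a PortRange attribute but still opens every port. The NACL IDs, rule numbers and the 0-65535 entry are constructed sample data.

```python
"""Audit `describe-network-acls` output for egress ALLOW rules that cover all ports."""
# Constructed sample in the shape of the describe-network-acls response:
# acl-abcd1234 has the non-compliant rule from the page; acl-1234abcd mixes
# a compliant HTTP rule, a TCP rule spanning every port, and an inbound rule.
SAMPLE_RESPONSE = {"NetworkAcls": [
    {"NetworkAclId": "acl-abcd1234", "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
        {"RuleNumber": 32767, "Protocol": "-1", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"}]},
    {"NetworkAclId": "acl-1234abcd", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "Egress": True, "CidrBlock": "0.0.0.0/0",
         "RuleAction": "allow", "PortRange": {"From": 80, "To": 80}},
        {"RuleNumber": 200, "Protocol": "6", "Egress": True, "CidrBlock": "0.0.0.0/0",
         "RuleAction": "allow", "PortRange": {"From": 0, "To": 65535}},
        {"RuleNumber": 300, "Protocol": "-1", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"}]}]}


def allows_all_ports(entry):
    """True for an egress ALLOW rule not limited to a port range: the page's case
    (no PortRange attribute, e.g. Protocol "-1") plus a TCP/UDP range of 0-65535."""
    if entry.get("RuleAction") != "allow" or not entry.get("Egress"):
        return False
    port_range = entry.get("PortRange")
    if port_range is None:
        return True
    return port_range["From"] == 0 and port_range["To"] == 65535


def find_unrestricted_egress(response):
    """Return [(acl_id, rule_number)] for each non-compliant egress rule."""
    return [(acl["NetworkAclId"], entry["RuleNumber"])
            for acl in response["NetworkAcls"]
            for entry in acl["Entries"] if allows_all_ports(entry)]


def replace_rule_command(acl_id, rule_number, region="us-east-1", port=80):
    """Build the replace-network-acl-entry call from the Remediation section,
    which swaps the offending rule for one that allows only TCP `port`."""
    return ["aws", "ec2", "replace-network-acl-entry", "--region", region,
            "--network-acl-id", acl_id, "--egress", "--rule-number", str(rule_number),
            "--protocol", "tcp", "--port-range", f"From={port},To={port}",
            "--cidr-block", "0.0.0.0/0", "--rule-action", "allow"]


if __name__ == "__main__":
    for acl_id, rule_number in find_unrestricted_egress(SAMPLE_RESPONSE):
        print(" ".join(replace_rule_command(acl_id, rule_number)))
```

Because Network ACLs are stateless, narrowing egress to port 80 also drops the return packets of inbound connections unless a separate rule covers the ephemeral port range, so review the whole ACL before replacing a rule.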
References
- AWS Documentation
  - Internetwork traffic privacy in Amazon VPC
  - Control traffic to subnets using Network ACLs
  - What is Amazon VPC?
- AWS Command Line Interface (CLI) Documentation
  - ec2
  - describe-network-acls
  - replace-network-acl-entry
  - create-network-acl-entry
- CloudFormation Documentation
  - AWS::EC2::VPC
- Terraform Documentation
  - AWS Provider