🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢

Contextual name: 🛡️ Network ACL exposes admin ports to public internet🟢
ID: /ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS VPC Network ACL
- 🔌 AWS VPC Network ACL Entry - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Unrestricted Inbound Traffic on Remote Server Administration Ports

Description

Description

The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389, using TCP (6), UDP (17), or ALL (-1) protocols.

Rationale

Public access to remote server administration ports, such as 22 and 3389, increases the attack surface and raises the risk of resource compromise.

Audit

From Console

Perform the following to determine if the account is configured as prescribed:

Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

In the left pane, click Network ACLs.

For each network ACL, perform the following:

Select the network ACL.

Click the Inbound Rules tab.

Ensure no rule exists that has a port range that includes port 22, 3389, using the protocols TCP (6), UDP (17) or ALL (-1) or other remote server administration ports for your environment and has a Source of 0.0.0.0/0 and shows ALLOW.

... see more

Remediation

Open File

Remediation

From Console

Perform the following:

Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

In the left pane, click Network ACLs.

For each network ACL to remediate, perform the following:

Select the network ACL.

Click the Inbound Rules tab.

Click Edit inbound rules.

Either:

A. update the Source field to a range other than 0.0.0.0/0, or,

B. click Delete to remove the offending inbound rule.

Click Save.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389			1	no data
💼 CIS AWS v1.3.0 → 💼 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports			1	no data
💼 CIS AWS v1.4.0 → 💼 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports			1	no data
💼 CIS AWS v1.5.0 → 💼 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - Level 1 (Automated)			1	no data
💼 CIS AWS v2.0.0 → 💼 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - Level 1 (Automated)			1	no data
💼 CIS AWS v3.0.0 → 💼 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports - Level 1 (Automated)			1	no data
💼 CIS AWS v4.0.0 → 💼 5.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)			1	no data
💼 CIS AWS v4.0.1 → 💼 5.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)			1	no data
💼 CIS AWS v5.0.0 → 💼 5.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)			1	no data
💼 CIS AWS v6.0.0 → 💼 6.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)			1	no data
💼 Cloudaware Framework → 💼 Network Exposure			132	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	63	no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	47	no data
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			22	no data
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84	no data
💼 FedRAMP High Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37	no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			45	no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)			29	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			63	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		47	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			22	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3		33	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)			19	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	63	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		46	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency			22	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality	9		23	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	93	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception		4	19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37	no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	65	no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			65	no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			65	no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	65	no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			65	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

From Console​

Remediation​

Remediation​

From Console​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

From Console

Remediation

Remediation

From Console

policy.yaml

Linked Framework Sections