EC2 Network ACL Overlapping Ports

Query id: 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576
Query name: EC2 Network ACL Overlapping Ports
Platform: CloudFormation
Severity: High
Category: Networking and Firewall
URL: Github
Description¶

NetworkACL Entries are reusing or overlapping ports which may create ineffective rules
Documentation
Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - yaml file
Postitive test num. 2 - json file
Resources: MyNACL: Type: AWS::EC2::NetworkAcl Properties: VpcId: vpc-1122334455aabbccd Tags: - Key: Name Value: NACLforSSHTraffic InboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 class="w">       PortRange: From: 13 To: 22 OutboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 173.20.0.0/24 class="w">       PortRange: From: 12 To: 20 OutboundTests: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 175.20.0.0/24 class="w">       PortRange: From: 20 To: 25 InboundTests: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 151.20.0.0/24 class="w">       PortRange: From: 6 To: 13 Default: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 150.20.0.0/24 PortRange: From: 1 To: 2 Match: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 121.20.0.0/24 class="w">       PortRange: From: 3 To: 5 EqualMatch: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 120.20.0.0/24 class="w">       PortRange: From: 3 To: 5 { "Resources": { "Default": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "150.20.0.0/24", "PortRange": { "From": 1, "To": 2 } } }, "Match": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { class="w">        "PortRange": { "From": 3, "To": 5 }, "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "121.20.0.0/24" } }, "EqualMatch": { "Properties": { "CidrBlock": "120.20.0.0/24", class="w">        "PortRange": { "From": 3, "To": 5 }, "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow" }, "Type": "AWS::EC2::NetworkAclEntry" }, "MyNACL": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": "vpc-1122334455aabbccd", "Tags": [ { "Key": "Name", "Value": "NACLforSSHTraffic" } ] } }, "InboundRule": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "172.16.0.0/24", class="w">        "PortRange": { "From": 13, "To": 22 } } }, "OutboundRule": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { class="w">        "PortRange": { "From": 12, "To": 20 }, "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "173.20.0.0/24" } }, "OutboundTests": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "175.20.0.0/24", class="hll">        "PortRange": { "From": 20, "To": 25 } } }, "InboundTests": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "RuleAction": "allow", "CidrBlock": "151.20.0.0/24", class="hll">        "PortRange": { "From": 6, "To": 13 }, "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6 } } } class="p">}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileResources:
  MyNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
       VpcId: vpc-1122334455aabbccd
       Tags:
       - Key: Name
         Value: NACLforSSHTraffic
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 100
       Protocol: 6
       RuleAction: allow
       CidrBlock: 172.16.0.0/24
       PortRange:
         From: 13
         To: 22
  OutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 100
       Protocol: 6
       RuleAction: allow
       CidrBlock: 173.20.0.0/24
       PortRange:
         From: 24
         To: 25

Negative test num. 2 - json file{
  "Resources": {
    "MyNACL": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "VpcId": "vpc-1122334455aabbccd",
        "Tags": [
          {
            "Key": "Name",
            "Value": "NACLforSSHTraffic"
          }
        ]
      }
    },
    "InboundRule": {
      "Properties": {
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": {
          "From": 13,
          "To": 22
        }
      },
      "Type": "AWS::EC2::NetworkAclEntry"
    },
    "OutboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "173.20.0.0/24",
        "PortRange": {
          "From": 24,
          "To": 25
        }
      }
    }
  }
}