EC2 Permissive Network ACL Protocols
- Query id: 03879981-efa2-47a0-a818-c843e1441b88
- Query name: EC2 Permissive Network ACL Protocols
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description¶
To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
MyNACL:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: vpc-1122334455aabbccd
Tags:
- Key: Name
Value: NACLforSSHTraffic
OutboundRule:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 100
Protocol: -1
Egress: true
RuleAction: allow
CidrBlock: 0.0.0.0/0
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"MyNACL": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": "vpc-1122334455aabbccd",
"Tags": [
{
"Key": "Name",
"Value": "NACLforSSHTraffic"
}
]
}
},
"OutboundRule": {
"Properties": {
"CidrBlock": "0.0.0.0/0",
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100,
"Protocol": -1,
"Egress": true,
"RuleAction": "allow"
},
"Type": "AWS::EC2::NetworkAclEntry"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
MyNACL:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: vpc-1122334455aabbccd
Tags:
- Key: Name
Value: NACLforSSHTraffic
InboundRule:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 100
Protocol: 6
RuleAction: allow
CidrBlock: 172.16.0.0/24
PortRange:
From: 22
To: 22
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"InboundRule": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "172.16.0.0/24",
"PortRange": {
"To": 22,
"From": 22
},
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100,
"Protocol": 6,
"RuleAction": "allow"
}
},
"MyNACL": {
"Properties": {
"VpcId": "vpc-1122334455aabbccd",
"Tags": [
{
"Key": "Name",
"Value": "NACLforSSHTraffic"
}
]
},
"Type": "AWS::EC2::NetworkAcl"
}
}
}