EC2 Network ACL Duplicate Rule
- Query id: 045ddb54-cfc5-4abb-9e05-e427b2bc96fe
- Query name: EC2 Network ACL Duplicate Rule
- Platform: CloudFormation
- Severity: Info
- Category: Networking and Firewall
- CWE: 358
- URL: Github
Description
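Within a single Network ACL, two entries must not share the same rule number unless one is an egress rule and the other is an ingress rule. Rule numbers determine the order in which entries of one direction are evaluated (lowest number first, first match applies), so a number repeated within the same direction leaves the intended order undefined.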
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# Positive fixture: each of the two Network ACLs below has a pair of entries
# that repeat a RuleNumber within the same direction, which is the condition
# this query reports.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: vpc-1122334455aabbccd
  # Despite its name, this entry sets Egress: true, so it is an egress rule
  # on MyNACL, the same direction as OutboundRule below.
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100        # same number as OutboundRule, same direction
      Protocol: 6            # 6 is the IANA protocol number for TCP
      Egress: true
      RuleAction: allow
      CidrBlock: 172.16.0.0/24
      PortRange:
        From: 22
        To: 22
  OutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100        # duplicate of InboundRule's number (both egress)
      Protocol: -1           # -1 means all protocols
      Egress: true
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
  MyNACL2:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: vpc-1122334455aabbccdd
  # NOTE(review): `Ingress` is not a documented property of
  # AWS::EC2::NetworkAclEntry; direction is set by `Egress`, which defaults to
  # false (ingress). Presumably the fixture uses `Ingress: true` to exercise
  # the query's ingress branch. Confirm against the query logic before
  # copying this shape into a real template.
  InboundRule2:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL2
      RuleNumber: "112"      # quoted string here, integer in the first pair
      Protocol: 6
      Ingress: true
      RuleAction: allow
      CidrBlock: 172.16.0.0/24
      PortRange:
        From: 22
        To: 22
  # Named as an outbound rule but marked Ingress: true, so it collides with
  # InboundRule2 on rule number "112". Separately from the duplicate number,
  # this entry allows every protocol for 0.0.0.0/0.
  OutboundRule2:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL2
      RuleNumber: "112"
      Protocol: -1
      Ingress: true
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyNACL": {
"Properties": {
"VpcId": "vpc-1122334455aabbccd"
},
"Type": "AWS::EC2::NetworkAcl"
},
"InboundRule": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"Egress": true,
"RuleAction": "allow",
"CidrBlock": "172.16.0.0/24",
"PortRange": {
"From": 22,
"To": 22
},
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100,
"Protocol": 6
}
},
"OutboundRule": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100,
"Protocol": -1,
"Egress": true,
"RuleAction": "allow",
"CidrBlock": "0.0.0.0/0"
}
},
"MyNACL2": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": "vpc-1122334455aabbccdd"
}
},
"InboundRule2": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "172.16.0.0/24",
"PortRange": {
"From": 22,
"To": 22
},
"NetworkAclId": {
"Ref": "MyNACL2"
},
"RuleNumber": "112",
"Protocol": 6,
"Ingress": true,
"RuleAction": "allow"
}
},
"OutboundRule2": {
"Properties": {
"Ingress": true,
"RuleAction": "allow",
"CidrBlock": "0.0.0.0/0",
"NetworkAclId": {
"Ref": "MyNACL2"
},
"RuleNumber": "112",
"Protocol": -1
},
"Type": "AWS::EC2::NetworkAclEntry"
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Negative fixture: both entries use RuleNumber 100 on the same Network ACL,
# but in opposite directions, so the query does not report them.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: vpc-1122334455aabbccd
  # No Egress key is set; CloudFormation treats an omitted Egress as false,
  # which makes this an ingress entry.
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: 6            # 6 is the IANA protocol number for TCP
      RuleAction: allow
      CidrBlock: 172.16.0.0/24
      PortRange:
        From: 22
        To: 22
  # Egress entry; reusing number 100 is acceptable because the other entry
  # with that number is ingress.
  OutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: -1           # -1 means all protocols
      Egress: true
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyNACL": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": "vpc-1122334455aabbccd"
}
},
"InboundRule": {
"Properties": {
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100,
"Protocol": 6,
"RuleAction": "allow",
"CidrBlock": "172.16.0.0/24",
"PortRange": {
"From": 22,
"To": 22
}
},
"Type": "AWS::EC2::NetworkAclEntry"
},
"OutboundRule": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100,
"Protocol": -1,
"Egress": true,
"RuleAction": "allow",
"CidrBlock": "0.0.0.0/0"
}
}
}
}