TCP UDP Protocol Network ACL Entry Allows All Ports
- Query id: f57f849c-883b-4cb7-85e7-f7b199dff163
- Query name: TCP UDP Protocol Network ACL Entry Allows All Ports
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 668
- URL: Github
Description¶
TCP UDP protocol AWS Network ACL Entry should not allow all ports
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
MyNACL:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: vpc-1122334455aabbccd
Tags:
- Key: Name
Value: NACLforSSHTraffic
InboundRule2:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 100
Protocol: 6
RuleAction: allow
CidrBlock: 172.16.0.0/24
PortRange:
From: 22
InboundRule3:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 100
Protocol: 6
RuleAction: allow
CidrBlock: 172.16.0.0/24
PortRange:
To: 22
InboundRule4:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 100
Protocol: 6
RuleAction: allow
CidrBlock: 172.16.0.0/24
InboundRule5:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 100
Protocol: 6
RuleAction: allow
CidrBlock: 172.16.0.0/24
PortRange:
From: 0
To: 65535
Positive test num. 2 - json file
{
"Resources": {
"MyNACL": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": "vpc-1122334455aabbccd",
"Tags": [
{
"Key": "Name",
"Value": "NACLforSSHTraffic"
}
]
}
},
"InboundRule2": {
"Properties": {
"RuleNumber": 100,
"Protocol": 6,
"RuleAction": "allow",
"CidrBlock": "172.16.0.0/24",
"PortRange": {
"From": 22
},
"NetworkAclId": {
"Ref": "MyNACL"
}
},
"Type": "AWS::EC2::NetworkAclEntry"
},
"InboundRule3": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100,
"Protocol": 6,
"RuleAction": "allow",
"CidrBlock": "172.16.0.0/24",
"PortRange": {
"To": 22
}
}
},
"InboundRule4": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"RuleNumber": 100,
"Protocol": 6,
"RuleAction": "allow",
"CidrBlock": "172.16.0.0/24",
"NetworkAclId": {
"Ref": "MyNACL"
}
}
},
"InboundRule5": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "172.16.0.0/24",
"PortRange": {
"To": 65535,
"From": 0
},
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100,
"Protocol": 6,
"RuleAction": "allow"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
MyNACL9:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: vpc-1122334455aabbccd
Tags:
- Key: Name
Value: NACLforSSHTraffic
InboundRule9:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 100
Protocol: 6
RuleAction: allow
CidrBlock: 172.16.0.0/24
PortRange:
From: 22
To: 22
Negative test num. 2 - json file
{
"Resources": {
"MyNACL9": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "NACLforSSHTraffic"
}
],
"VpcId": "vpc-1122334455aabbccd"
}
},
"InboundRule9": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"Protocol": 6,
"RuleAction": "allow",
"CidrBlock": "172.16.0.0/24",
"PortRange": {
"From": 22,
"To": 22
},
"NetworkAclId": {
"Ref": "MyNACL"
},
"RuleNumber": 100
}
}
}
}