TCP/UDP Protocol Network ACL Entry Allows All Ports

Query id: f57f849c-883b-4cb7-85e7-f7b199dff163
Query name: TCP/UDP Protocol Network ACL Entry Allows All Ports
Platform: CloudFormation
Severity: Medium
Category: Networking and Firewall
URL: Github

Description¶

TCP/UDP protocol AWS Network ACL Entry should not allow all ports
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

Positive test num. 2 - json file

/span>

Resources: MyNACL: Type: AWS::EC2::NetworkAcl Properties: VpcId: vpc-1122334455aabbccd Tags: - Key: Name Value: NACLforSSHTraffic InboundRule2: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 class="w">       PortRange: From: 22 InboundRule3: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 class="w">       PortRange: To: 22 InboundRule4: Type: AWS::EC2::NetworkAclEntry class="w">    Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 InboundRule5: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 class="w">       PortRange: From: 0 To: 65535 /span>{ "Resources": { "MyNACL": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": "vpc-1122334455aabbccd", "Tags": [ { "Key": "Name", "Value": "NACLforSSHTraffic" } ] } }, "InboundRule2": { "Properties": { "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "172.16.0.0/24", class="w">        "PortRange": { "From": 22 }, "NetworkAclId": { "Ref": "MyNACL" } }, "Type": "AWS::EC2::NetworkAclEntry" }, "InboundRule3": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "172.16.0.0/24", class="w">        "PortRange": { "To": 22 } } }, "InboundRule4": { "Type": "AWS::EC2::NetworkAclEntry", class="w">      "Properties": { "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "172.16.0.0/24", "NetworkAclId": { "Ref": "MyNACL" } } }, "InboundRule5": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "CidrBlock": "172.16.0.0/24", class="w">        "PortRange": { "To": 65535, "From": 0 }, "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow" } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileResources:
  MyNACL9:
    Type: AWS::EC2::NetworkAcl
    Properties:
       VpcId: vpc-1122334455aabbccd
       Tags:
       - Key: Name
         Value: NACLforSSHTraffic
  InboundRule9:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 100
       Protocol: 6
       RuleAction: allow
       CidrBlock: 172.16.0.0/24
       PortRange:
         From: 22
         To: 22

Negative test num. 2 - json file{
  "Resources": {
    "MyNACL9": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "NACLforSSHTraffic"
          }
        ],
        "VpcId": "vpc-1122334455aabbccd"
      }
    },
    "InboundRule9": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": {
          "From": 22,
          "To": 22
        },
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100
      }
    }
  }
}