[EC2.21] Security Hub finding issue

0

Hello,

I am working on improving security compliance in my project, and I recently came across a security finding related to a network ACL: [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389. I've updated my ACLs in the following manner:

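| Rule Number | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 10 | SSH (22) | TCP (6) | 22 | 0.0.0.0/0 | Deny |
| 11 | SSH (22) | TCP (6) | 22 | ::/0 | Deny |
| 20 | RDP (3389) | TCP (6) | 3389 | 0.0.0.0/0 | Deny |
| 21 | RDP (3389) | TCP (6) | 3389 | ::/0 | Deny |
| 100 | All traffic | All | All | 0.0.0.0/0 | Allow |
| * | All traffic | All | All | 0.0.0.0/0 | Deny |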

According to the ACL evaluation rules, ports 22 and 3389 are blocked, but the check still fails. I suppose that it looks only for a record that allows all traffic and ignores the order of the rules. In my opinion the current rule validation is wrong. What are your thoughts on this?

2 Answers
0

Hello,

The NACL is attached to the proper subnet, and I have no doubt that the NACL itself works that way. My issue is that despite the configuration described above, the one you've confirmed should "do the job", my Security Hub check EC2.21 that validates this setup (blocking ports 22 and 3389) fails.

m4t22
answered 2 years ago
-1

Greetings from AWS..!!

So, as per your configuration of the ingress rules in the Network ACL, the rule evaluation order should be as below.

  * 10 - will deny IPv4 traffic for TCP Port 22 from any source IP - if it matches, the next rule will not be checked; otherwise the next rule will be checked, until the last rule.
  * 11 - will deny IPv6 traffic for TCP Port 22 from any source IP
  * 21 - will deny IPv4 traffic for TCP Port 3389 from any source IP
  * 22 - will deny IPv6 traffic for TCP Port 3389 from any source IP
  * 100 - Any other traffic that does not match the above rules will be allowed.

However, you mentioned that it does not evaluate that way, meaning the traffic sourced from any IP address destined to TCP ports 22 and 3389 is getting passed. For that, I would recommend checking the steps below.

  1. Is the Network ACL on which the inbound rules are configured associated with the subnet of the resource or not?
  2. If the association is correct, please refer to the VPC Flow Logs [1] and check whether the interesting traffic is being ACCEPTed or REJECTed. With these rules, for any traffic destined for the resource in the subnet associated with this Network ACL, you should be seeing REJECT for the DENY rules.

However, if you still see the traffic passing, I would request you to open a case with the Technical Support Team to further troubleshoot this, as ideally this should not be the case.

"A network ACL contains a numbered list of rules. We evaluate the rules in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL."

Reference: [1] Logging IP traffic using VPC Flow Logs - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

answered 2 years ago
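The difference the question turns on, as an added example that is not part of either answer and not AWS code: `effective_action` applies the first-match, lowest-rule-number-first evaluation quoted above, while `order_blind_flags` models only the asker's supposition about the check (a hypothetical, not Security Hub's documented logic). `ENTRIES` is a constructed copy of the table in the question, and the source addresses are documentation-range samples.

```python
import ipaddress

# Constructed copy of the inbound entries from the question:
# (rule number, protocol, port range, source CIDR, action); "-1"/None mean "all".
ENTRIES = [
    (10, "6", (22, 22), "0.0.0.0/0", "deny"),
    (11, "6", (22, 22), "::/0", "deny"),
    (20, "6", (3389, 3389), "0.0.0.0/0", "deny"),
    (21, "6", (3389, 3389), "::/0", "deny"),
    (100, "-1", None, "0.0.0.0/0", "allow"),
]

def covers_port(ports, port):
    return ports is None or ports[0] <= port <= ports[1]

def matches(entry, proto, port, src):
    _, e_proto, ports, cidr, _ = entry
    net, addr = ipaddress.ip_network(cidr), ipaddress.ip_address(src)
    if addr.version != net.version or addr not in net:
        return False
    return e_proto in ("-1", proto) and covers_port(ports, port)

def effective_action(entries, proto, port, src):
    """Ordered evaluation: lowest rule number first, first match wins,
    and the implicit '*' entry denies whatever nothing else matched."""
    for entry in sorted(entries, key=lambda e: e[0]):
        if matches(entry, proto, port, src):
            return entry[4]
    return "deny"

def order_blind_flags(entries, port):
    """Hypothetical check (the asker's supposition): report every allow
    entry from 0.0.0.0/0 or ::/0 that covers the TCP port, ignoring order."""
    return [num for num, proto, ports, cidr, action in entries
            if action == "allow" and cidr in ("0.0.0.0/0", "::/0")
            and proto in ("-1", "6") and covers_port(ports, port)]

if __name__ == "__main__":
    for port in (22, 3389, 443):
        print(port,
              effective_action(ENTRIES, "6", port, "203.0.113.10"),
              order_blind_flags(ENTRIES, port))
```

For ports 22 and 3389 the ordered evaluation returns a deny while the order-blind scan still reports rule 100, which is the mismatch described in the question.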
