Hello,
NACL is attached to the proper subnet and I have no doubts that the NACL itself works that way. My issue is that despite the configuration described above, the one you've confirmed should "do the job", my Security Hub check EC2.21 that validates this setup (blocking ports 22 and 3389) fails.
Greetings from AWS..!!
So, as per your configuration of the ingress rules in the Network ACL, the rule evaluation order should be as below.
- 10 - will deny IPv4 traffic for TCP port 22 from any source IP. If a packet matches, the next rule will not be checked; otherwise evaluation continues with the next rule until the last rule.
- 11 - will deny IPv6 traffic for TCP port 22 from any source IP
- 21 - will deny IPv4 traffic for TCP port 3389 from any source IP
- 22 - will deny IPv6 traffic for TCP port 3389 from any source IP
- 100 - any other traffic not matching the above rules will be allowed.
However, you mentioned that it does not evaluate that way, meaning that traffic sourced from any IP address and destined to TCP ports 22 and 3389 is getting passed. For that, I would recommend checking the steps below.
- Is the Network ACL on which the inbound rules are configured associated with the subnet of the resource or not?
- If the association is correct, please refer to the VPC Flow Logs [1] and check whether the traffic of interest is being logged as ACCEPT or REJECT. With these rules, for any traffic destined for the resource in the subnet associated with this Network ACL, you should be seeing REJECT for the DENY rules.
However, if you still see the traffic passing, I would request that you open a case with the Technical Support Team to troubleshoot this further, as ideally this should not be the case.
"A network ACL contains a numbered list of rules. We evaluate the rules in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL."
Reference: [1] Logging IP traffic using VPC Flow Logs - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
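Added example (not code from the thread or from AWS): a small Python simulation of the lowest-number-first, first-match evaluation described in the answer, with the rule numbers above constructed inline in the shape of `describe-network-acls` entries, plus a check that compares constructed default-format VPC Flow Log lines against what those rules predict. The entry field names are assumed to match the EC2 API response; the log lines and IP addresses are constructed.

```python
import ipaddress

# Constructed ingress entries mirroring rules 10/11/21/22/100 from the thread
# (field names follow the EC2 describe-network-acls "Entries" shape; not live data).
INGRESS_ENTRIES = [
    {"RuleNumber": 10, "Protocol": "6", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 11, "Protocol": "6", "RuleAction": "deny", "Ipv6CidrBlock": "::/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 21, "Protocol": "6", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 22, "Protocol": "6", "RuleAction": "deny", "Ipv6CidrBlock": "::/0", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
]

def evaluate_ingress(entries, src, dst_port, protocol="6"):
    """Walk the rules lowest number first; the first matching rule decides.
    Returns (action, rule_number); (deny, None) means the implicit '*' default deny."""
    src_ip = ipaddress.ip_address(src)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        cidr = e.get("CidrBlock") if src_ip.version == 4 else e.get("Ipv6CidrBlock")
        if cidr is None or src_ip not in ipaddress.ip_network(cidr):
            continue
        if e["Protocol"] not in ("-1", protocol):  # "-1" matches every protocol
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= dst_port <= pr["To"]):
            continue
        return e["RuleAction"], e["RuleNumber"]
    return "deny", None

def audit_flow_logs(entries, lines):
    """Compare the action recorded in default-format VPC Flow Log lines with the
    action the ingress rules predict; returns the records that disagree."""
    mismatches = []
    for line in lines:
        f = line.split()  # fields 3, 6, 7, 12 = srcaddr, dstport, protocol, action
        src, dst_port, proto, action = f[3], int(f[6]), f[7], f[12]
        expected = "ACCEPT" if evaluate_ingress(entries, src, dst_port, proto)[0] == "allow" else "REJECT"
        if action != expected:
            mismatches.append((src, dst_port, action, expected))
    return mismatches

# Constructed sample flow log records (default format, version 2); the third one
# shows port 3389 being ACCEPTed, which contradicts rule 21.
SAMPLE_LOGS = [
    "2 123456789012 eni-0abc 203.0.113.5 10.0.1.10 51000 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0abc 203.0.113.5 10.0.1.10 51001 443 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0abc 198.51.100.7 10.0.1.10 51002 3389 6 2 120 1700000000 1700000060 ACCEPT OK",
]
```

A REJECT that the rules do not predict can also come from a security group, so only an ACCEPT where the NACL predicts deny is the contradiction the answer says should not occur.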