PlatformResourcesSign inSign Up

Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 20

Error: AWS NACL allows ingress from 0.0.0.0/0 to port 20

Bridgecrew Policy ID: BC_AWS_NETWORKING_76
Checkov Check ID: CKV_AWS_230
Severity: LOW

Suggest Edits

AWS NACL allows ingress from 0.0.0.0/0 to port 20

Description

Network Access Control List (NACL) is stateless and provides filtering of ingress/egress network traffic to AWS resources. We recommend that NACLs do not allow unrestricted ingress access to port 20. Removing unfettered connectivity to remote console services, such as FTP, reduces a server's exposure to risk.

Fix - Buildtime

CloudFormation

Resources:  
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 200
       Protocol: 6
       RuleAction: allow
-      CidrBlock: 0.0.0.0/0
+      CidrBlock: 10.0.0.0/32
       PortRange:
         From: 20
         To: 20

Terraform

resource "aws_network_acl_rule" "example" {
  network_acl_id = aws_network_acl.example.id
  rule_number    = 200
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
- cidr_block     = "0.0.0.0/0"
+ cidr_block     = "10.0.0.0/32"
  from_port      = 20
  to_port        = 20
}

Updated 6 months ago