Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 20
Error: AWS NACL allows ingress from 0.0.0.0/0 to port 20
Bridgecrew Policy ID: BC_AWS_NETWORKING_76
Checkov Check ID: CKV_AWS_230
Severity: LOW
AWS NACL allows ingress from 0.0.0.0/0 to port 20
Description
Network Access Control List (NACL) is stateless and provides filtering of ingress/egress network traffic to AWS resources. We recommend that NACLs do not allow unrestricted ingress access to port 20. Removing unfettered connectivity to remote console services, such as FTP, reduces a server's exposure to risk.
Fix - Buildtime
CloudFormation
Resources:
InboundRule:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 200
Protocol: 6
RuleAction: allow
- CidrBlock: 0.0.0.0/0
+ CidrBlock: 10.0.0.0/32
PortRange:
From: 20
To: 20
Terraform
resource "aws_network_acl_rule" "example" {
network_acl_id = aws_network_acl.example.id
rule_number = 200
egress = false
protocol = "tcp"
rule_action = "allow"
- cidr_block = "0.0.0.0/0"
+ cidr_block = "10.0.0.0/32"
from_port = 20
to_port = 20
}
Updated 12 months ago