Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 21
Error: AWS NACL allows ingress from 0.0.0.0/0 to port 21
Bridgecrew Policy ID: BC_AWS_NETWORKING_71
Checkov Check ID: CKV_AWS_229
Severity: LOW
AWS NACL allows ingress from 0.0.0.0/0 to port 21
Description
Network Access Control List (NACL) is stateless and provides filtering of ingress/egress network traffic to AWS resources. We recommend that NACLs do not allow unrestricted ingress access to port 21. Removing unfettered connectivity to remote console services, such as FTP, reduces a server's exposure to risk.
Fix - Buildtime
CloudFormation
Resources:
InboundRule:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: MyNACL
RuleNumber: 200
Protocol: 6
RuleAction: allow
- CidrBlock: 0.0.0.0/0
+ CidrBlock: 10.0.0.0/32
PortRange:
From: 21
To: 21
Terraform
resource "aws_network_acl_rule" "example" {
network_acl_id = aws_network_acl.example.id
rule_number = 200
egress = false
protocol = "tcp"
rule_action = "allow"
- cidr_block = "0.0.0.0/0"
+ cidr_block = "10.0.0.0/32"
from_port = 21
to_port = 21
}
Updated 10 months ago