PlatformResourcesSign inSign Up

Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 3389

Error: AWS NACL allows ingress from 0.0.0.0/0 to port 3389

Bridgecrew Policy ID: BC_AWS_NETWORKING_72
Checkov Check ID: CKV_AWS_231
Severity: LOW

Suggest Edits

AWS NACL allows ingress from 0.0.0.0/0 to port 3389

Description

Network Access Control List (NACL) is stateless and provides filtering of ingress/egress network traffic to AWS resources. We recommend that NACLs do not allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

Fix - Buildtime

CloudFormation

Resources:  
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 200
       Protocol: 6
       RuleAction: allow
-      CidrBlock: 0.0.0.0/0
+      CidrBlock: 10.0.0.0/32
       PortRange:
         From: 3389
         To: 3389

Terraform

resource "aws_network_acl_rule" "example" {
  network_acl_id = aws_network_acl.example.id
  rule_number    = 200
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
- cidr_block     = "0.0.0.0/0"
+ cidr_block     = "10.0.0.0/32"
  from_port      = 3389
  to_port        = 3389
}

Updated 6 months ago