VPC network ACL allows ingress from '0.0.0.0/0' to port 22 Affecting VPC service in AWS

Snyk CCSS

Network / Ports

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-AWS CIS-Controls CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00121
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

How to fix?

Set the ingress.cidr_block attribute to a more restrictive CIDR block, for example 192.16.0.0/24.

Example Configuration

resource "aws_network_acl" "nacl_inline" {
  vpc_id = "${aws_vpc.vpc1.id}"

  subnet_ids = ["${aws_subnet.subnet2.id}"]

  ingress {
    protocol = "tcp"
    rule_no = 20
    action = "allow"
    cidr_block = "192.16.0.0/24"
    from_port = 22
    to_port = 22
  }
}

VPC network ACL allows ingress from '0.0.0.0/0' to port 22 Affecting VPC service in AWS

Severity

Description

How to fix?

Example Configuration

CloudFormation

Terraform

References