Homepage

VPC network ACL allows ingress from 0.0.0.0/0 to port 3389 Affecting VPC service in AWS

Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Network/ Hardening

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
CIS-AWSCIS-ControlsCSA-CCMISO-27001NIST-800-53PCI-DSSSOC-2
  • Snyk IDSNYK-CC-00152
  • creditSnyk Research Team
Report a new misconfiguration Found a mistake?

Description

Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

How to fix?

Remove any invalid ingress rule from the aws_network_acl.

An ingress rule is invalid if it contains all of the following:

Example configuration:

resource "aws_network_acl" "nacl1" {
  vpc_id = "${aws_vpc.vpc1.id}"

  subnet_ids = ["${aws_subnet.subnet1.id}"]
}

# Standalone rule
resource "aws_network_acl_rule" "rule1" {
  network_acl_id = "${aws_network_acl.nacl1.id}"
  rule_number = 10
  protocol = "tcp"
  rule_action = "allow"
  cidr_block = "192.16.0.0/24"
  from_port = 3389
  to_port = 3389
}

# Inline rule
resource "aws_network_acl" "nacl2_inline" {
  vpc_id = "${aws_vpc.vpc1.id}"

  subnet_ids = ["${aws_subnet.subnet2.id}"]

  ingress {
    protocol = "tcp"
    rule_no = 20
    action = "allow"
    cidr_block = "192.16.0.0/24"
    from_port = 3389
    to_port = 3389
  }
}