Severity Framework
Snyk CCSS
Rule category
Network / Hardening
Frameworks
CIS-AWS
CIS-Controls
CSA-CCM
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID SNYK-CC-00152
- credit Snyk Research Team
Description
Public access to remote server administration ports, such as 22 (SSH) and 3389 (RDP), increases the resource's attack surface and unnecessarily raises the risk of resource compromise.
How to fix?
Remove any invalid ingress rule from the aws_network_acl.
An ingress rule is invalid if it contains all of the following:
- A 0.0.0.0/0 in the cidr_block key or ::/0 in the ipv6_cidr_block key
- A 3389 in the from_port or to_port key, or any port range that includes 3389
- An allow action in the action key
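The three conditions above, applied as a check over a set of NACL rules. This is an added example written for this page, not Snyk's rule engine; it assumes that rules are represented as dicts keyed by the HCL attribute names shown on the page, and that a protocol of "-1" (all protocols) covers every port, including 3389.

```python
# Added example, not Snyk's rule engine: checks aws_network_acl ingress rules
# against this page's three conditions (world-open CIDR, port range covering
# 3389, allow action). Keys follow the page's HCL: standalone aws_network_acl_rule
# uses rule_action, inline ingress blocks use action. SAMPLE_RULES is constructed.

RDP_PORT = 3389
WORLD_CIDRS = {"cidr_block": "0.0.0.0/0", "ipv6_cidr_block": "::/0"}

def is_world_open(rule):
    # Condition 1: 0.0.0.0/0 in cidr_block or ::/0 in ipv6_cidr_block.
    return any(rule.get(key) == world for key, world in WORLD_CIDRS.items())

def covers_rdp(rule):
    # Condition 2: 3389 is from_port, to_port, or inside the range.
    # Assumption for this example: protocol "-1" (all protocols) means every
    # port, so it counts as covering 3389 whatever the port keys say.
    if str(rule.get("protocol", "")) == "-1":
        return True
    return int(rule.get("from_port", 0)) <= RDP_PORT <= int(rule.get("to_port", 0))

def is_allow(rule):
    # Condition 3: an allow action, in rule_action (standalone) or action (inline).
    return (rule.get("rule_action") or rule.get("action")) == "allow"

def is_invalid_ingress(rule):
    # Only ingress is in scope; a standalone rule with egress = true is skipped.
    if rule.get("egress", False):
        return False
    return is_world_open(rule) and covers_rdp(rule) and is_allow(rule)

def find_invalid_rules(rules):
    # Names of the rules that must be removed or tightened to pass the check.
    return [r["name"] for r in rules if is_invalid_ingress(r)]

# Constructed rules; the first mirrors the page's compliant rule1.
SAMPLE_RULES = [
    {"name": "rule1", "protocol": "tcp", "rule_action": "allow",
     "cidr_block": "192.16.0.0/24", "from_port": 3389, "to_port": 3389},
    {"name": "open_rdp", "protocol": "tcp", "rule_action": "allow",
     "cidr_block": "0.0.0.0/0", "from_port": 3389, "to_port": 3389},
    {"name": "open_range", "protocol": "tcp", "action": "allow",
     "cidr_block": "0.0.0.0/0", "from_port": 3000, "to_port": 4000},
    {"name": "deny_rdp", "protocol": "tcp", "rule_action": "deny",
     "cidr_block": "0.0.0.0/0", "from_port": 3389, "to_port": 3389},
    {"name": "egress_rdp", "protocol": "tcp", "rule_action": "allow",
     "egress": True, "cidr_block": "0.0.0.0/0", "from_port": 3389, "to_port": 3389},
    {"name": "open_v6_all", "protocol": "-1", "action": "allow",
     "ipv6_cidr_block": "::/0"},
]
```

Calling find_invalid_rules(SAMPLE_RULES) flags open_rdp, open_range and open_v6_all; the deny rule, the egress rule and the page's own /24-scoped rule1 pass.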
Example Configuration
resource "aws_network_acl" "nacl1" {
  vpc_id     = "${aws_vpc.vpc1.id}"
  subnet_ids = ["${aws_subnet.subnet1.id}"]
}

# Standalone rule: RDP allowed only from a specific /24, not from 0.0.0.0/0
resource "aws_network_acl_rule" "rule1" {
  network_acl_id = "${aws_network_acl.nacl1.id}"
  rule_number    = 10
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "192.16.0.0/24"
  from_port      = 3389
  to_port        = 3389
}

# Inline rule: same restriction expressed as an ingress block
resource "aws_network_acl" "nacl2_inline" {
  vpc_id     = "${aws_vpc.vpc1.id}"
  subnet_ids = ["${aws_subnet.subnet2.id}"]

  ingress {
    protocol   = "tcp"
    rule_no    = 20
    action     = "allow"
    cidr_block = "192.16.0.0/24"
    from_port  = 3389
    to_port    = 3389
  }
}