Amazon EC2

Unrestricted Network ACL Outbound Traffic

This plugin ensures that Amazon Network ACLs do not allow outbound/egress traffic to all ports

Risk Level: Low

Description

This plugin ensures that Amazon Network ACLs do not allow outbound/egress traffic to all ports. Network ACLs should not allow outbound traffic to all ports to avoid unauthorized access. 

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the underlying hardware. Security Groups act as a firewall for an EC2 instance, controlling its incoming and outgoing traffic. You can read more about security groups here.

Impact

Because Network ACL rules control all inbound and outbound traffic to the AWS resource, they must be configured appropriately. Network ACLs should not allow outbound traffic to all ports, in order to avoid unauthorized access.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
  3. Move to the Network ACLs in the Security section from the left navigation pane.
  4. A list of ACLs in the region will appear. Select the ACL you wish to examine by clicking on its ID.
  5. Move to the Outbound Rules tab.
  6. Now check the outbound rules. If any rule combines the Allow action with a 0.0.0.0/0 destination, the vulnerability exists.
  7. Repeat steps for all the ACLs you want to investigate.
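The console walk-through above can be automated. The following is an added example, not the plugin's own code: it evaluates each ACL's egress entries in the same layout that boto3's `describe_network_acls` returns, and reports rules that allow every port to every destination (the "all ports" condition in this plugin's title). It also honours two properties the console steps do not spell out: rules are evaluated lowest number first, so an earlier deny-all for the same address family shadows a later allow-all, and the fixed rule 32767 is the implicit deny. The helper names and the `acl-…-placeholder` ids are hypothetical; `fetch_network_acls` needs boto3 and AWS credentials and is only called if you run it yourself.

```python
"""Audit VPC network ACL egress rules for 'allow all ports to anywhere' entries."""
from ipaddress import ip_network

DEFAULT_DENY_RULE = 32767                      # fixed '*' rule AWS appends to every ACL
ALL_PROTOCOLS = "-1"
PORTED_PROTOCOLS = {"6", "tcp", "17", "udp"}   # only these carry a PortRange


def is_any_destination(entry):
    """True when the rule's IPv4 or IPv6 destination is the whole address space."""
    for key in ("CidrBlock", "Ipv6CidrBlock"):
        cidr = entry.get(key)
        if cidr and ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False


def covers_all_ports(entry):
    """True for protocol -1, or TCP/UDP with no range or a range spanning 0/1-65535."""
    proto = str(entry.get("Protocol", ALL_PROTOCOLS))
    if proto == ALL_PROTOCOLS:
        return True
    if proto in PORTED_PROTOCOLS:
        port_range = entry.get("PortRange")
        if port_range is None:                 # no range recorded: treat as unrestricted
            return True
        return port_range.get("From", 0) <= 1 and port_range.get("To", 0) >= 65535
    return False                               # icmp, gre, ...: no port concept


def address_family(entry):
    return "ipv6" if entry.get("Ipv6CidrBlock") else "ipv4"


def unrestricted_egress_rules(acl):
    """Rule numbers of *effective* allow-all-ports-to-anywhere egress rules."""
    egress = sorted((e for e in acl.get("Entries", []) if e.get("Egress")),
                    key=lambda e: e["RuleNumber"])
    shadowed = set()                           # families fully denied by an earlier rule
    findings = []
    for entry in egress:
        if entry["RuleNumber"] == DEFAULT_DENY_RULE:
            break                              # implicit deny; nothing after it matters
        family = address_family(entry)
        if family in shadowed or not (is_any_destination(entry) and covers_all_ports(entry)):
            continue
        if entry["RuleAction"] == "deny":
            shadowed.add(family)               # later allows for this family never match
        else:
            findings.append(entry["RuleNumber"])
    return findings


def audit(acls):
    """Map each ACL id to its offending egress rule numbers (clean ACLs omitted)."""
    result = {}
    for acl in acls:
        hits = unrestricted_egress_rules(acl)
        if hits:
            result[acl["NetworkAclId"]] = hits
    return result


def fetch_network_acls(region_name):
    """Pull every ACL in a region with boto3 (lazy import; needs AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    acls = []
    for page in ec2.get_paginator("describe_network_acls").paginate():
        acls.extend(page["NetworkAcls"])
    return acls


# Constructed sample data (no real account); ACL ids are placeholders.
SAMPLE_ACLS = [
    {   # default-style ACL: rule 100 allows all protocols to anywhere -> finding
        "NetworkAclId": "acl-default-placeholder",
        "Entries": [
            {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
            {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
            {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        ],
    },
    {   # restricted ACL: only TCP 443 out plus ephemeral return ports -> clean
        "NetworkAclId": "acl-restricted-placeholder",
        "Entries": [
            {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
            {"RuleNumber": 110, "Egress": True, "Protocol": "6", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
            {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
        ],
    },
    {   # IPv4 allow-all shadowed by an earlier deny, but the IPv6 allow-all is live -> finding 120
        "NetworkAclId": "acl-mixed-placeholder",
        "Entries": [
            {"RuleNumber": 50, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
            {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
            {"RuleNumber": 120, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "Ipv6CidrBlock": "::/0"},
            {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
        ],
    },
]

if __name__ == "__main__":
    for acl_id, rules in audit(SAMPLE_ACLS).items():
        print(f"{acl_id}: unrestricted egress in rule(s) {rules}")
```

To run it against a region, replace `SAMPLE_ACLS` with `fetch_network_acls("us-east-1")`. Note that the console step's test (Allow plus 0.0.0.0/0) is broader than this code: a rule allowing only TCP 443 to 0.0.0.0/0 is flagged by the console step but not here, because it is not "all ports".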

Steps for Remediation

Update Network ACL to allow outbound/egress traffic to specific port ranges only:

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
  3. Move to the Network ACLs in the Security section from the left navigation pane.
  4. A list of ACLs in the region will appear. Select the vulnerable ACL.
  5. Move to the Outbound Rules tab.
  6. Click on Edit Outbound Rules.
  7. Perform one of the following actions:
    1. Remove the vulnerable rule by clicking on Remove next to it.
    2. Deny the traffic for that destination range.
    3. Change the destination range to trusted IPs only.
  8. Click on Save Changes after the modifications.
  9. Repeat steps for all the vulnerable ACLs.
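The same remediation can be scripted. This added example (not the plugin's or AWS's code) replaces the offending allow-all egress rule in place with a port-specific allow, then adds further narrow allows at free rule numbers below 32767. The boto3 calls `replace_network_acl_entry` and `create_network_acl_entry` and their parameters are real; `restrict_egress`, `EgressAllow`, `FakeEc2` and the `acl-placeholder` id are hypothetical, and the client is injected so the flow can be exercised offline with the recording double. One caveat the console steps leave out: Network ACLs are stateless, so an outbound rule set that only allows the ports you initiate to will also drop the replies to inbound connections, which leave on ephemeral ports; the sample plan therefore keeps an allow for 1024-65535.

```python
"""Replace an allow-all NACL egress rule with port-specific allows via boto3."""
from dataclasses import dataclass

DEFAULT_DENY_RULE = 32767
EPHEMERAL_PORTS = (1024, 65535)    # return traffic for inbound connections (NACLs are stateless)


@dataclass(frozen=True)
class EgressAllow:
    """One outbound allow: a TCP/UDP port range to a destination CIDR."""
    cidr: str
    from_port: int
    to_port: int
    protocol: str = "6"            # IANA number: "6" = TCP, "17" = UDP


def restrict_egress(ec2, acl_id, bad_rule_number, allows, used_rule_numbers=(), start_rule=100, step=10):
    """Overwrite the allow-all rule and add the remaining narrow allows after it.

    The first allow reuses bad_rule_number via replace_network_acl_entry, so the ACL
    never passes through a state with no outbound rule at all. Later allows get the
    first free numbers from start_rule upwards (skipping used_rule_numbers and the
    replaced number). Returns the (rule_number, allow) pairs that were written.
    """
    if not allows:
        raise ValueError("at least one narrow allow is required")
    used = set(used_rule_numbers) | {bad_rule_number}
    plan, candidate = [], start_rule
    for index, allow in enumerate(allows):
        if index == 0:
            number = bad_rule_number
        else:
            while candidate in used:
                candidate += step
            number = candidate
            used.add(number)
        if number >= DEFAULT_DENY_RULE:
            raise ValueError(f"rule number {number} collides with the default deny rule")
        plan.append((number, allow))

    for index, (number, allow) in enumerate(plan):
        kwargs = dict(NetworkAclId=acl_id, Egress=True, RuleNumber=number,
                      Protocol=allow.protocol, RuleAction="allow", CidrBlock=allow.cidr,
                      PortRange={"From": allow.from_port, "To": allow.to_port})
        if index == 0:
            ec2.replace_network_acl_entry(**kwargs)   # overwrite the vulnerable rule in place
        else:
            ec2.create_network_acl_entry(**kwargs)    # add a new narrow rule
    return plan


class FakeEc2:
    """Constructed test double: records the API calls instead of contacting AWS."""
    def __init__(self):
        self.calls = []

    def replace_network_acl_entry(self, **kwargs):
        self.calls.append(("replace", kwargs))
        return {}

    def create_network_acl_entry(self, **kwargs):
        self.calls.append(("create", kwargs))
        return {}


# Constructed sample plan: HTTPS anywhere, DNS to an internal resolver range, ephemeral returns.
SAMPLE_ALLOWS = [
    EgressAllow("0.0.0.0/0", 443, 443),
    EgressAllow("10.0.0.0/8", 53, 53, protocol="17"),
    EgressAllow("0.0.0.0/0", *EPHEMERAL_PORTS),
]


def demo():
    """Run the remediation against the recorder; rule 110 is pretended to be taken."""
    fake = FakeEc2()
    plan = restrict_egress(fake, "acl-placeholder", 100, SAMPLE_ALLOWS, used_rule_numbers={110})
    return fake, plan


if __name__ == "__main__":
    fake, plan = demo()
    for action, kwargs in fake.calls:
        print(action, kwargs["RuleNumber"], kwargs["Protocol"], kwargs["CidrBlock"], kwargs["PortRange"])
```

For a live account, pass `boto3.client("ec2", region_name=...)` instead of `FakeEc2()` and take `used_rule_numbers` from the ACL's existing egress entries, so the new rules neither overwrite nor shadow anything unexpectedly. Leave the fixed rule 32767 alone; it already denies whatever the narrow allows do not match.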