CRITICAL
Source
Trivy
ID
AVD-AWS-0105

An ingress Network ACL rule allows specific ports from /0.

Opening NACL ingress to the whole internet (0.0.0.0/0 or ::/0) is potentially dangerous. Restrict access to the IP addresses or ranges that explicitly require it wherever possible.

Impact

The allowed ports are reachable by inbound traffic from any address on the internet.

Follow the appropriate remediation steps below to resolve the issue.

Set a more restrictive CIDR range

AWSTemplateFormatVersion: 2010-09-09
Description: Good example of an ingress NACL rule restricted to a private range
Resources:
  NetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: "something"   # placeholder; reference a real VPC ID or a VPC resource
  Rule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: NetworkACL
      RuleNumber: 100      # required; rules are evaluated lowest number first
      Egress: false        # ingress rule
      Protocol: 6          # TCP
      PortRange:           # required for TCP/UDP; SSH only here
        From: 22
        To: 22
      CidrBlock: 10.0.0.0/8   # private range instead of 0.0.0.0/0
      RuleAction: allow

Set a more restrictive CIDR range

 resource "aws_network_acl_rule" "good_example" {
   network_acl_id = aws_network_acl.example.id   # assumes an aws_network_acl.example resource
   rule_number    = 100                          # required; lowest number is evaluated first
   egress         = false                        # ingress rule
   protocol       = "tcp"
   from_port      = 22                           # SSH only
   to_port        = 22
   rule_action    = "allow"
   cidr_block     = "10.0.0.0/16"                # private range instead of 0.0.0.0/0
 }
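Trivy evaluates this check against templates before deployment. As an added example that is not part of this page or of Trivy's own code, the Python below applies the same test to an already-deployed network ACL in the shape returned by the EC2 DescribeNetworkAcls API (NetworkAclId, Entries with RuleNumber, Protocol, RuleAction, Egress, CidrBlock or Ipv6CidrBlock, PortRange). The sample ACL is constructed for the example. It also adds one caveat the static check does not make: NACL rules are evaluated in ascending rule-number order and the first match wins, so an unrestricted deny with a lower number can make a flagged allow unreachable; such findings are marked shadowed rather than dropped, because the allow still needs fixing.

```python
"""Added example, not part of the AVD page or of Trivy: flag ingress NACL
entries that allow traffic from /0, over DescribeNetworkAcls-shaped data."""
import ipaddress

# Protocol numbers as they appear in NACL entries ("-1" means all protocols).
PROTO_NAMES = {"-1": "all", "6": "tcp", "17": "udp", "1": "icmp"}


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any block with prefix length 0."""
    if not cidr:
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(entry):
    """Port range covered by an entry; protocol -1 (or no PortRange) is all ports."""
    pr = entry.get("PortRange")
    if entry.get("Protocol") == "-1" or not pr:
        return (0, 65535)
    return (pr["From"], pr["To"])


def entry_cidr(entry):
    return entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")


def is_shadowed(allow, entries):
    """An unrestricted deny with a lower rule number, same address family and
    protocol, whose port range covers the allow's, is matched first."""
    lo, hi = port_range(allow)
    allow_v6 = "Ipv6CidrBlock" in allow
    for e in entries:
        if e.get("Egress") or e["RuleAction"] != "deny":
            continue
        if e["RuleNumber"] >= allow["RuleNumber"]:
            continue
        if ("Ipv6CidrBlock" in e) != allow_v6 or not is_unrestricted(entry_cidr(e)):
            continue
        if e["Protocol"] not in ("-1", allow["Protocol"]):
            continue
        dlo, dhi = port_range(e)
        if dlo <= lo and hi <= dhi:
            return True
    return False


def find_public_ingress(acl):
    """One finding per ingress allow rule whose source is 0.0.0.0/0 or ::/0."""
    entries = acl["Entries"]
    findings = []
    for e in sorted(entries, key=lambda x: x["RuleNumber"]):
        if e.get("Egress") or e["RuleAction"] != "allow":
            continue
        cidr = entry_cidr(e)
        if not is_unrestricted(cidr):
            continue
        lo, hi = port_range(e)
        findings.append({
            "acl": acl["NetworkAclId"],
            "rule": e["RuleNumber"],
            "protocol": PROTO_NAMES.get(e["Protocol"], e["Protocol"]),
            "ports": str(lo) if lo == hi else f"{lo}-{hi}",
            "cidr": cidr,
            "shadowed": is_shadowed(e, entries),
        })
    return findings


# Constructed sample ACL (IDs are placeholders, not real resources).
SAMPLE_ACL = {
    "NetworkAclId": "acl-0example",
    "VpcId": "vpc-0example",
    "Entries": [
        {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 23, "To": 23}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},   # finding
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 23, "To": 23}},   # shadowed by 50
        {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 22, "To": 22}}, # compliant
        {"RuleNumber": 130, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "Ipv6CidrBlock": "::/0", "PortRange": {"From": 443, "To": 443}},  # finding (v6)
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},                                         # egress, out of scope
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},                                         # default deny
    ],
}

if __name__ == "__main__":
    for f in find_public_ingress(SAMPLE_ACL):
        print(f)
```

Running it against the sample reports rules 100 and 130 as open to the internet and rule 110 as open but shadowed; rule 120 passes because its source is a private range, which is exactly the remediation shown above.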