VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 3389
Description
Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.
Remediation Steps
AWS Console
Navigate to VPC.
In the left navigation, select Network ACLs.
For each Network ACL, perform the steps described below.
Select the Network ACL, click the Inbound Rules tab, and click Edit Inbound rules.
Remove any rule that permits unrestricted ingress from 0.0.0.0/0 to TCP/UDP port 3389.
Click Save.
AWS CLI
Remove the inbound rule(s) that permit unrestricted ingress from 0.0.0.0/0 to TCP/UDP port 3389 from the selected Network ACLs:
aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule_number>
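To find the rules this CLI call should remove, the check below applies the conditions spelled out in the CloudFormation section (CidrBlock 0.0.0.0/0, RuleAction allow, and either Protocol -1 or a TCP/UDP PortRange containing 3389) to data in the shape returned by aws ec2 describe-network-acls, then emits one delete-network-acl-entry command per hit. This is an added example, not part of the original page; the ACL id and entries are constructed sample data.

```python
"""Flag inbound NACL entries that allow 0.0.0.0/0 to TCP/UDP 3389 and emit the
delete-network-acl-entry call for each. Input shape follows
ec2.describe_network_acls()["NetworkAcls"]; the sample data below is constructed."""

PORT = 3389
OPEN_IPV4 = "0.0.0.0/0"
PORTED = {"6", "17"}   # Protocol is a string: "6" TCP, "17" UDP, "-1" all protocols


def entry_is_offending(entry: dict) -> bool:
    """All of the page's conditions: ingress, CidrBlock 0.0.0.0/0, RuleAction allow,
    and either Protocol -1 or a TCP/UDP PortRange that contains 3389."""
    if entry.get("Egress", False):                    # outbound rules: out of scope
        return False
    if entry.get("CidrBlock") != OPEN_IPV4 or entry.get("RuleAction") != "allow":
        return False
    proto = str(entry.get("Protocol"))
    if proto == "-1":                                 # all protocols, all ports
        return True
    if proto not in PORTED:                           # e.g. ICMP has no ports
        return False
    rng = entry.get("PortRange", {"From": 0, "To": 65535})   # missing range = all ports
    return rng["From"] <= PORT <= rng["To"]


def find_offending(nacls: list) -> list:
    """(NetworkAclId, RuleNumber) for every offending inbound entry, sorted."""
    return sorted((acl["NetworkAclId"], e["RuleNumber"])
                  for acl in nacls for e in acl.get("Entries", [])
                  if entry_is_offending(e))


def remediation_commands(nacls: list) -> list:
    """The AWS CLI call from the remediation section, one per offending rule."""
    return [f"aws ec2 delete-network-acl-entry --network-acl-id {acl} "
            f"--ingress --rule-number {num}" for acl, num in find_offending(nacls)]


# Constructed sample mimicking describe-network-acls output (placeholder ACL id).
SAMPLE_NACLS = [{"NetworkAclId": "acl-0example", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": OPEN_IPV4, "PortRange": {"From": 3389, "To": 3389}},    # exact port
    {"RuleNumber": 110, "Protocol": "17", "RuleAction": "allow", "Egress": False,
     "CidrBlock": OPEN_IPV4, "PortRange": {"From": 3000, "To": 4000}},    # 3389 inside range
    {"RuleNumber": 120, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": OPEN_IPV4, "PortRange": {"From": 3389, "To": 3389}},    # deny: compliant
    {"RuleNumber": 130, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": OPEN_IPV4},                                             # egress: ignored
    {"RuleNumber": 140, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": OPEN_IPV4},                                             # all traffic
]}]

if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_NACLS)))
```

Feeding it a live boto3 response instead of SAMPLE_NACLS gives the exact commands to run; rules with lower numbers that deny the same traffic are still reported, since the check is about the allow entry's presence, as on this page.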
CloudFormation
JSON
Ensure that an AWS::EC2::NetworkAcl resource is not associated with an AWS::EC2::NetworkAclEntry that contains all of the following:
- CidrBlock is 0.0.0.0/0
- 3389 is within the port range defined in PortRange, or Protocol is set to -1
- RuleAction is set to allow
JSON Example Configuration
The entry below denies TCP (Protocol 6) traffic from 0.0.0.0/0 to port 3389. RuleNumber and Protocol are required properties of AWS::EC2::NetworkAclEntry; a matching UDP entry uses Protocol 17.
{
  "ValidVpc02Nacl": {
    "Type": "AWS::EC2::NetworkAcl",
    "Properties": {
      "VpcId": { "Ref": "ValidVpc02" }
    }
  },
  "ValidVpc02NaclEntry01": {
    "Type": "AWS::EC2::NetworkAclEntry",
    "Properties": {
      "NetworkAclId": { "Ref": "ValidVpc02Nacl" },
      "RuleNumber": 100,
      "Protocol": 6,
      "RuleAction": "deny",
      "CidrBlock": "0.0.0.0/0",
      "PortRange": {
        "From": 3389,
        "To": 3389
      }
    }
  }
}
YAML
Ensure that an AWS::EC2::NetworkAcl resource is not associated with an AWS::EC2::NetworkAclEntry that contains all of the following:
- CidrBlock is 0.0.0.0/0
- 3389 is within the port range defined in PortRange, or Protocol is set to -1
- RuleAction is set to allow
YAML Example Configuration
ValidVpc02Nacl:
  Type: AWS::EC2::NetworkAcl
  Properties:
    VpcId: !Ref ValidVpc02
ValidVpc02NaclEntry01:
  Type: AWS::EC2::NetworkAclEntry
  Properties:
    NetworkAclId: !Ref ValidVpc02Nacl
    # RuleNumber and Protocol are required properties; 6 is TCP, 17 is UDP
    RuleNumber: 100
    Protocol: 6
    RuleAction: deny
    CidrBlock: "0.0.0.0/0"
    PortRange:
      From: 3389
      To: 3389