VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 22

Description

Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • In the left navigation, select Network ACLs.

  • For each Network ACL, perform the steps described below.

    • Select the Network ACL, click the Inbound Rules tab, and click Edit Inbound rules.

    • Remove any rule that permits unrestricted ingress from 0.0.0.0/0 to TCP/UDP port 22.

    • Click Save.

AWS CLI

  • Remove the inbound rule(s) that permit unrestricted ingress from 0.0.0.0/0 to TCP/UDP port 22 from the selected Network ACLs:

aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule_number>
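The delete command above needs the rule number of each offending entry. As an added example that is not part of this documentation, the following Python check takes one network ACL in the shape that `aws ec2 describe-network-acls` returns and reports which ingress entries expose TCP or UDP port 22 to 0.0.0.0/0, evaluating entries in rule-number order as the VPC does, so an allow entry shadowed by a lower-numbered deny is not reported. The ACL id and entries are a constructed sample.

```python
# Added example: locate NACL ingress entries that expose port 22 to 0.0.0.0/0.
PORT = 22
ANY_IPV4 = "0.0.0.0/0"
PROTOCOLS = {"6": "tcp", "17": "udp"}  # IANA numbers as strings, as the API returns them

def covers_port(entry, proto):
    """True if this entry matches `proto` ("tcp" or "udp") on PORT."""
    p = entry.get("Protocol")
    if p == "-1":                      # all protocols: any port range is ignored
        return True
    if PROTOCOLS.get(p) != proto:      # ICMP, GRE, ... cannot carry port 22
        return False
    rng = entry.get("PortRange")
    if rng is None:                    # TCP/UDP entry without a range: all ports
        return True
    return rng["From"] <= PORT <= rng["To"]

def exposed_protocols(acl):
    """{proto: rule_number} for each protocol whose lowest-numbered 0.0.0.0/0
    ingress entry covering port 22 is an allow (first matching rule wins)."""
    ingress = sorted(
        (e for e in acl["Entries"]
         if not e.get("Egress", False) and e.get("CidrBlock") == ANY_IPV4),
        key=lambda e: e["RuleNumber"])
    exposed = {}
    for proto in PROTOCOLS.values():
        for e in ingress:
            if covers_port(e, proto):
                if e["RuleAction"] == "allow":
                    exposed[proto] = e["RuleNumber"]
                break                  # first match decides for this protocol
    return exposed

def remediation_commands(acl):
    """The delete command from the remediation steps, one per offending rule."""
    return [f"aws ec2 delete-network-acl-entry --network-acl-id {acl['NetworkAclId']}"
            f" --ingress --rule-number {n}"
            for n in sorted(set(exposed_protocols(acl).values()))]

# Constructed sample ACL: rule 100 denies TCP 22, so the allow-all at rule 200
# still exposes UDP 22 only; rule 32767 is the default deny.
SAMPLE_ACL = {
    "NetworkAclId": "acl-0example",
    "Entries": [
        {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ],
}
```

Feed the function the `NetworkAcls[]` elements of the describe call; `remediation_commands(SAMPLE_ACL)` yields the delete command for rule 200.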

CloudFormation

JSON

JSON Example Configuration
{
  "ValidVpc02Nacl": {
    "Type": "AWS::EC2::NetworkAcl",
    "Properties": {
      "VpcId": { "Ref": "ValidVpc02" }
    }
  },
  "ValidVpc02NaclEntry01": {
    "Type": "AWS::EC2::NetworkAclEntry",
    "Properties": {
      "NetworkAclId": { "Ref": "ValidVpc02Nacl" },
      "RuleNumber": 100,
      "Protocol": 6,
      "RuleAction": "deny",
      "CidrBlock": "0.0.0.0/0",
      "PortRange": {
        "From": 22,
        "To": 22
      }
    }
  }
}

YAML

YAML Example Configuration
ValidVpc02Nacl:
  Type: AWS::EC2::NetworkAcl
  Properties:
    VpcId: !Ref ValidVpc02

ValidVpc02NaclEntry01:
  Type: AWS::EC2::NetworkAclEntry
  Properties:
    NetworkAclId: !Ref ValidVpc02Nacl
    RuleNumber: 100      # rules are evaluated in ascending order; keep this below any allow rule
    Protocol: 6          # 6 = TCP; a second entry with Protocol 17 covers UDP port 22
    RuleAction: deny
    CidrBlock: "0.0.0.0/0"
    PortRange:
      From: 22
      To: 22