VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 3389

Description

Public access to remote server administration ports, such as 22 (SSH) and 3389 (RDP), increases the attack surface of the resources behind them and unnecessarily raises the risk of compromise. A network ACL applies to every resource in its associated subnets, so a single inbound rule allowing 0.0.0.0/0 to port 3389 exposes RDP on every instance in those subnets whose security group also permits it.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Network ACLs.

  • For each Network ACL, perform the steps described below.

    • Select the Network ACL, click the Inbound rules tab, and click Edit inbound rules.

    • Remove any Allow rule whose source is 0.0.0.0/0 and whose protocol and port range cover TCP/UDP port 3389. This includes rules for a single port (3389), rules for a range that contains 3389 (for example 3000-4000), and rules for All traffic or All TCP/UDP. If other traffic still needs to be permitted, replace the rule with one scoped to the required ports and source ranges rather than simply deleting it.

    • Click Save.

CLI Remediation Steps

  • Remove the inbound rule(s) that permit unrestricted ingress from 0.0.0.0/0 to TCP/UDP port 3389 from the selected Network ACLs. The rule number to pass can be read from the Entries list returned by aws ec2 describe-network-acls; the default catch-all rule (number 32767, shown as * in the console) cannot be deleted:

aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule_number>
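The delete command above needs the ACL id and rule number of each offending entry, which means first inspecting every Network ACL's entries. The following Python script is an added example, not part of the original page or of the AWS CLI: it reads the JSON produced by `aws ec2 describe-network-acls --output json`, flags every inbound Allow entry whose source is 0.0.0.0/0 and whose protocol and port range cover 3389 (single port, range containing 3389, or all protocols), and prints the matching `delete-network-acl-entry` commands. The ACL ids and entries in `SAMPLE` are constructed for the example and are not real resources.

```python
"""Find NACL ingress entries that allow 0.0.0.0/0 to reach TCP/UDP 3389.

Usage:
    aws ec2 describe-network-acls --output json | python3 find_rdp_nacl.py
With no piped input the script runs against the constructed SAMPLE below.
"""
import json
import sys

RDP_PORT = 3389
# Protocol numbers as they appear in NACL entries; "-1" means all protocols.
TCP, UDP, ALL = "6", "17", "-1"

# Constructed sample in the shape of `describe-network-acls` output (hypothetical ids).
SAMPLE = {
    "NetworkAcls": [
        {
            "NetworkAclId": "acl-0123456789abcdef0",
            "Entries": [
                # exact RDP port from anywhere -> violation
                {"RuleNumber": 100, "Protocol": TCP, "RuleAction": "allow", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
                # UDP range that contains 3389 -> violation
                {"RuleNumber": 110, "Protocol": UDP, "RuleAction": "allow", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3000, "To": 4000}},
                # "All traffic" from anywhere -> violation (no PortRange key for -1)
                {"RuleNumber": 120, "Protocol": ALL, "RuleAction": "allow", "Egress": False,
                 "CidrBlock": "0.0.0.0/0"},
                # RDP only from a private range -> fine
                {"RuleNumber": 130, "Protocol": TCP, "RuleAction": "allow", "Egress": False,
                 "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 3389, "To": 3389}},
                # HTTPS from anywhere -> not this check's concern
                {"RuleNumber": 140, "Protocol": TCP, "RuleAction": "allow", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
                # explicit deny -> fine
                {"RuleNumber": 150, "Protocol": TCP, "RuleAction": "deny", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
                # egress rule -> not inbound, ignored
                {"RuleNumber": 100, "Protocol": TCP, "RuleAction": "allow", "Egress": True,
                 "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
                # default catch-all deny (the "*" rule, not deletable)
                {"RuleNumber": 32767, "Protocol": ALL, "RuleAction": "deny", "Egress": False,
                 "CidrBlock": "0.0.0.0/0"},
            ],
        },
        {
            "NetworkAclId": "acl-0fedcba9876543210",
            "Entries": [
                {"RuleNumber": 100, "Protocol": TCP, "RuleAction": "allow", "Egress": False,
                 "CidrBlock": "192.168.0.0/16", "PortRange": {"From": 3389, "To": 3389}},
                {"RuleNumber": 32767, "Protocol": ALL, "RuleAction": "deny", "Egress": False,
                 "CidrBlock": "0.0.0.0/0"},
            ],
        },
    ]
}


def entry_allows_port(entry, port, cidrs=("0.0.0.0/0",)):
    """True if `entry` is an inbound ALLOW from one of `cidrs` whose protocol
    and port range cover TCP or UDP `port`."""
    if entry.get("Egress", False) or entry.get("RuleAction") != "allow":
        return False
    if entry.get("CidrBlock") not in cidrs:
        return False
    proto = entry.get("Protocol")
    if proto == ALL:
        return True  # all protocols, all ports
    if proto not in (TCP, UDP):
        return False  # e.g. ICMP cannot reach a TCP/UDP port
    port_range = entry.get("PortRange")
    if port_range is None:
        return True  # no range given: treat as all ports to be safe
    return port_range["From"] <= port <= port_range["To"]


def offending_entries(describe_output, port=RDP_PORT):
    """Return (acl_id, rule_number, protocol) for every violating inbound entry."""
    hits = []
    for acl in describe_output.get("NetworkAcls", []):
        for entry in acl.get("Entries", []):
            if entry_allows_port(entry, port):
                hits.append((acl["NetworkAclId"], entry["RuleNumber"], entry["Protocol"]))
    return hits


def delete_commands(describe_output, port=RDP_PORT):
    """Build the CLI commands from the remediation step for every hit."""
    return [
        f"aws ec2 delete-network-acl-entry --network-acl-id {acl_id} "
        f"--ingress --rule-number {rule_number}"
        for acl_id, rule_number, _ in offending_entries(describe_output, port)
    ]


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for cmd in delete_commands(data):
        print(cmd)
```

Review the output before running it: a hit on an "All traffic" entry (protocol -1, such as rule 120 in the sample) means deleting the rule also drops every other inbound flow the subnet relies on, so that rule should be replaced with scoped entries rather than removed outright. Because NACLs are evaluated in ascending rule-number order, an earlier Deny can shadow a later Allow; the script deliberately reports every matching Allow regardless, which is what the check itself looks for.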