ec2_networkacl_allow_ingress_any_port

[NMuee]

Hi Prowler Team,

I have NACL with ALL port 0.0.0.0 ALLOW
However, I do have some rules that DENY certain port to 0.0.0.0 (Eg 22, 3389 and etc)

With the deny rules in placed, it is not true that ALL port to 0.0.0.0 are OPEN.

For such case, can I get your advise if this is still counted as a FAILED finding?

Thank you

[jfagoagas]

Hi @NMuee, a NACL with that configuration won't raise a FAIL finding if it's right configured.

You can execute Prowler and inspect the output for the following checks:

• ec2_networkacl_allow_ingress_any_port --> Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port
• ec2_networkacl_allow_ingress_tcp_port_22 --> Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22
• ec2_networkacl_allow_ingress_tcp_port_3389 --> Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389

[NMuee]

This is my Network ACL inbound rules configuration
However, the table is the output from prowler.
Just want to understand, with port 22 and 3389 block, the statement of "allow_ingress_any_port" won't be true right?

Thank you
`

CHECK_ID	CHECK_TITLE	CHECK_TYPE	STATUS
ec2_networkacl_allow_ingress_any_port	Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port.	Software and Configuration Checks,Industry and Regulatory Standards,CIS AWS Foundations Benchmark	FAIL
ec2_networkacl_allow_ingress_tcp_port_22	Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22	Infrastructure Security	PASS
ec2_networkacl_allow_ingress_tcp_port_3389	Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389	Infrastructure Security	PASS

`

[jfagoagas]

Hi @NMuee, you're right, that statement is not 100% true since this NACL is opened to the internet except for the ports 22 and 3389, but the status is correct since is opened to all the ports except this two which is in scope.

We have to improve that message, thanks for reporting it.

[NMuee]

If that the case, won't it be false positive for this particular finding "ec2_networkacl_allow_ingress_any_port"?

[jfagoagas]

I think not because all ports except 22 and 3389 are open to the internet.

[toniblyx]

I'm into the idea of (regardless to make these checks better or improve them if needed) we could add anything ACL related to the Allow list file by default. Also other checks that are not that important unless user worries about them. Thoughts?

I'll add this to our Slack too to get more feedback.

[NMuee]

Correct me if i am wrong, Allowlist will change the status to 'WARNING' right?

"Also other checks that are not that important unless user worries about them" - I personally think this idea is good, as checks that are not important that do not cause any security concern can be included. It can be treated as FYI instead of status FAIL, where some user might think that is mandatory to remediate them

" we could add anything ACL related to the Allow list file by default" - If adding ACL related to Allow list, won't it bypass quite a number of securitycheck? Especially, ACL should block port 22/3389 to all traffic? These rules are quite a major security concern tho.

Hope I understand your question correctly.

[pedrooot]

Allowlist (now called mutelist) will set the muted status of a finding to true. You’re right about “If adding ACL related to Allow list, won’t it bypass quite a number of security checks?” but this is highly dependent on the account and the specific context of the user’s account being audited.

If you take a look at this comment: #2910 (comment), you’ll find an explanation of why it depends on the security policies of the edited account, making it challenging to find a common solution for all users.

For this reason, using the mutelist is presented as a good solution, as it allows you to “mute” the findings associated with specific configurations that you want to maintain. I hope this explanation was helpful.