AWS NACL allows ingress from 0.0.0.0/0 to port 21

Description

A network access control list (NACL) is a stateless filter for ingress and egress traffic to AWS resources in a VPC subnet. We recommend that NACLs do not allow unrestricted ingress access to port 21. Removing unfettered connectivity to services such as FTP reduces a server's exposure to risk.

Code Example

```yaml
Resources:
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 200
       Protocol: 6
       RuleAction: allow
-      CidrBlock: 0.0.0.0/0
+      CidrBlock: 10.0.0.0/32
       PortRange:
         From: 21
         To: 21
```
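The following is an added example, not Checkov's own implementation of CKV_AWS_229: a minimal check over a loaded CloudFormation template that flags `AWS::EC2::NetworkAclEntry` resources allowing ingress from anywhere to port 21. The template dicts are constructed to mirror the "before" and "after" snippets above (the shape `yaml.safe_load` would return), plus an all-traffic rule with no `PortRange`, which also exposes port 21.

```python
# Added example; not Checkov's code. Assumes templates are already loaded
# into dicts (e.g. by yaml.safe_load). Sample templates are constructed.
FTP_PORT = 21
UNRESTRICTED = {"0.0.0.0/0", "::/0"}

def _port_range_covers(props, port):
    """True if PortRange includes `port`; a missing PortRange (as with
    Protocol -1, all traffic) is treated as covering every port."""
    rng = props.get("PortRange")
    if rng is None:
        return True
    return int(rng.get("From", 0)) <= port <= int(rng.get("To", 65535))

def entry_is_open_to_world(props, port=FTP_PORT):
    """True if a NetworkAclEntry allows ingress from any address to `port`."""
    if props.get("Egress") in (True, "true"):   # Egress defaults to false
        return False
    if str(props.get("RuleAction", "")).lower() != "allow":
        return False
    if str(props.get("Protocol", "")) not in ("6", "-1"):  # TCP or all
        return False
    cidr = props.get("CidrBlock") or props.get("Ipv6CidrBlock")
    if cidr not in UNRESTRICTED:
        return False
    return _port_range_covers(props, port)

def find_failing_resources(template, port=FTP_PORT):
    """Logical names of NetworkAclEntry resources that fail the check."""
    failing = []
    for name, res in template.get("Resources", {}).items():
        if (res.get("Type") == "AWS::EC2::NetworkAclEntry"
                and entry_is_open_to_world(res.get("Properties", {}), port)):
            failing.append(name)
    return failing

def _entry(cidr, protocol=6, port_range=None):
    """Build a constructed NetworkAclEntry resource (test fixture)."""
    props = {"NetworkAclId": {"Ref": "MyNACL"}, "RuleNumber": 200,
             "Protocol": protocol, "RuleAction": "allow", "CidrBlock": cidr}
    if port_range is not None:
        props["PortRange"] = {"From": port_range[0], "To": port_range[1]}
    return {"Type": "AWS::EC2::NetworkAclEntry", "Properties": props}

# Constructed templates: the page's "before" and "after", plus an
# all-traffic rule (Protocol -1, no PortRange) that also exposes port 21.
BEFORE = {"Resources": {"InboundRule": _entry("0.0.0.0/0", 6, (21, 21))}}
AFTER = {"Resources": {"InboundRule": _entry("10.0.0.0/32", 6, (21, 21))}}
ALL_TRAFFIC = {"Resources": {"InboundRule": _entry("0.0.0.0/0", -1)}}
```

Run `find_failing_resources(BEFORE)` to see the page's original rule flagged, and `find_failing_resources(AFTER)` to confirm the remediated rule passes.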

Remediation

CloudFormation

Rule Details

| Field | Value |
|---|---|
| ID | IAC-0277 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_229 |