Blog   |   Security   |   June 27, 2016

Making AWS Security Simple, Part 5: Network ACLs

Saving time and allowing security teams to both be more efficient and better educated is vital to success in the cloud. Network security is challenging in cloud environments because the architectures are dynamic, which makes fixed security measures cumbersome and expensive. At the same time, hackers are more sophisticated and increasingly engaged in persistent attacks to compromise the network and cloud that can extend over the course of many months. Despite these concerns, however, security and compliance can be strengthened in cloud deployments.
The purpose of this series is to show how to take simple steps toward saving your security team time and headaches. Check out Part 1, Part 2, Part 3 and Part 4 of the series to see more basic steps you can take covering gap assessment, best practice checks, and CloudTrail. This fifth and final post will dig deeper into Network ACLs.

Analyzing Network ACLs

Network ACLs are the subnet-level firewalls of a VPC. Every subnet is associated with exactly one NACL, and the NACL's numbered rules allow or deny traffic by protocol, port range and IP range. NACLs have some advantages over Security Groups. Rules in a NACL are guaranteed to apply to every resource in the subnet, whereas a Security Group protects only the instances (strictly, the network interfaces) it is explicitly attached to. Relying on Security Groups exclusively is problematic because someone could inadvertently launch an EC2 instance into the VPC with an improper Security Group attached and have it compromised. That gives an attacker a foothold inside your VPC from which to pivot to other instances in the VPC, even ones that have no public IP addresses.
The disadvantage of NACLs is that they are stateless. A Security Group tracks connections and automatically permits the return traffic of a flow it allowed; a NACL judges every packet on its own, so if you allow traffic into a subnet you must also write an outbound rule for the ephemeral ports that the return traffic is sent to. This is more to manage and usually means opening a large range of ports (AWS suggests 1024-65535 to cover the ephemeral port ranges of the various client operating systems).
CloudCheckr provides capabilities to search NACLs to find ones that are wide open or overly-permissive. An organization may have hundreds of AWS accounts with dozens of VPCs. The security team should be reviewing the NACLs of all VPCs to make sure they are appropriately configured.
The security department can start by reviewing best practice checks. Set up a Multi-Account View that includes all AWS accounts and allow time for the Multi-Account View to collect results across the accounts. We recommend looking across your entire organization for any issues flagged by the best practice checks below:

  • Network ACLs Allowing All Inbound Traffic
  • Ineffective Network ACL Deny rule

The first check finds NACLs that place no limitations on inbound access at all. This is rarely appropriate. It is highly recommended that you prohibit this as a corporate policy and then monitor for someone inadvertently configuring one. Because the default NACL that AWS creates with every VPC allows all inbound and outbound traffic, chances are that your AWS accounts already have many of these.
The results of this best practice check look like this:
Network ACL ID: acl-b6b390d3 | VPC: vpc-d5361ab0 | Region: US East (Northern Virginia) |
Rule #: 100 | Port Range: ALL | IP Range: | Type: ALLOW Inbound
The second best practice check finds NACL rules that are ineffective or misconfigured. NACL rules are evaluated in ascending rule-number order and the first matching rule wins, so a DENY rule numbered higher than an ALLOW rule that already matches the same traffic never takes effect. If this check fires, there is a strong likelihood that traffic you intended to block is being allowed.

Searching for Specific NACL Open Ports

You can also perform ad hoc searches of Network ACLs from CloudCheckr. For instance, you should audit your VPCs to verify that public access to the SSH port (TCP 22) is shut down. You can do this within the report Security/VPC/Common Searches. Option two is labeled “Find Network ACLs that allow SSH access from all IP Addresses”. Click “Search” and you will have a list of NACLs that match the search filter.
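To make the points in this post concrete, the following is an added Python example written for this page; it is not CloudCheckr's code and not an AWS API. It implements the first-match rule evaluation described under Analyzing Network ACLs, shows why a stateless NACL breaks a TCP session when the ephemeral-port egress rule is missing, and then runs the three lookups discussed above (the allow-all-inbound check, the ineffective-deny check, and the SSH-from-anywhere search). The two NACLs, their IDs and rule sets are constructed samples shaped like the entries that boto3's ec2.describe_network_acls() returns, so real output can be dropped in; the client address 198.51.100.7 is a documentation (TEST-NET-2) address.

```python
"""Added example (not CloudCheckr's code): evaluate and audit VPC Network ACLs.
The NACLs below are constructed samples shaped like the `NetworkAcls` entries
boto3's ec2.describe_network_acls() returns; pass real output in to audit a VPC.
AWS evaluates rules lowest-number first, first match wins; the implicit
catch-all deny appears in the API as rule 32767."""
import copy
import ipaddress

def _rule(num, egress, proto, action, cidr, lo=None, hi=None):
    entry = {"RuleNumber": num, "Egress": egress, "Protocol": proto,  # "-1" = all, "6" = TCP
             "RuleAction": action, "CidrBlock": cidr}
    if lo is not None:
        entry["PortRange"] = {"From": lo, "To": hi}
    return entry

# Every new VPC ships with a default NACL like this (IDs are hypothetical).
DEFAULT_NACL = {"NetworkAclId": "acl-0000000000000001", "Entries": [
    _rule(100, False, "-1", "allow", "0.0.0.0/0"), _rule(32767, False, "-1", "deny", "0.0.0.0/0"),
    _rule(100, True, "-1", "allow", "0.0.0.0/0"), _rule(32767, True, "-1", "deny", "0.0.0.0/0")]}

# A hand-written NACL with two mistakes: no egress rule for return traffic, and
# a deny (120) sitting behind an allow (100) that already matches its packets.
SAMPLE_NACL = {"NetworkAclId": "acl-0000000000000002", "Entries": [
    _rule(100, False, "6", "allow", "0.0.0.0/0", 22, 22),
    _rule(110, False, "6", "allow", "0.0.0.0/0", 443, 443),
    _rule(120, False, "6", "deny", "203.0.113.0/24", 22, 22),  # never reached
    _rule(32767, False, "-1", "deny", "0.0.0.0/0"),
    _rule(100, True, "6", "allow", "0.0.0.0/0", 443, 443),
    _rule(32767, True, "-1", "deny", "0.0.0.0/0")]}

def _net(entry):
    return ipaddress.ip_network(entry.get("CidrBlock") or entry["Ipv6CidrBlock"])

def _ordered(nacl, egress):
    """Rules for one direction in the order AWS evaluates them."""
    return sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                  key=lambda e: e["RuleNumber"])

def _matches(entry, proto, port, ip):
    if entry["Protocol"] not in ("-1", proto) or ip not in _net(entry):
        return False
    pr = entry.get("PortRange")
    return pr is None or pr["From"] <= port <= pr["To"]

def evaluate(nacl, egress, proto, port, ip):
    """First-match evaluation of one packet; returns (action, rule number)."""
    ip = ipaddress.ip_address(ip)
    for entry in _ordered(nacl, egress):
        if _matches(entry, proto, port, ip):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", 32767

def tcp_session_allowed(nacl, client_ip, dst_port, client_port=49152):
    """NACLs are stateless: the client's SYN into the subnet and the SYN-ACK
    back out to the client's ephemeral port are judged by separate rules."""
    inbound, _ = evaluate(nacl, False, "6", dst_port, client_ip)
    outbound, _ = evaluate(nacl, True, "6", client_port, client_ip)
    return inbound == "allow" and outbound == "allow"

def with_ephemeral_egress(nacl):
    """The usual fix: outbound TCP to the full ephemeral range (AWS suggests 1024-65535)."""
    fixed = copy.deepcopy(nacl)
    fixed["Entries"].append(_rule(110, True, "6", "allow", "0.0.0.0/0", 1024, 65535))
    return fixed

def _covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    o_net, i_net = _net(outer), _net(inner)
    if (outer["Protocol"] not in ("-1", inner["Protocol"])
            or o_net.version != i_net.version or not i_net.subnet_of(o_net)):
        return False
    o_pr, i_pr = outer.get("PortRange"), inner.get("PortRange")
    return o_pr is None or (i_pr is not None and
                            o_pr["From"] <= i_pr["From"] and i_pr["To"] <= o_pr["To"])

def allows_all_inbound(nacl):
    """Check 1: inbound ALLOW of every protocol and port from 0.0.0.0/0."""
    return [e["RuleNumber"] for e in _ordered(nacl, False)
            if e["RuleAction"] == "allow" and e["Protocol"] == "-1"
            and e.get("CidrBlock") == "0.0.0.0/0" and "PortRange" not in e]

def ineffective_denies(nacl):
    """Check 2: DENY rules shadowed by a lower-numbered ALLOW in the same
    direction; returns (deny rule, allow rule that wins) pairs."""
    found = []
    for egress in (False, True):
        rules = _ordered(nacl, egress)
        for i, deny in enumerate(rules):
            if deny["RuleAction"] == "deny" and deny["RuleNumber"] != 32767:
                shadow = next((a for a in rules[:i]
                               if a["RuleAction"] == "allow" and _covers(a, deny)), None)
                if shadow:
                    found.append((deny["RuleNumber"], shadow["RuleNumber"]))
    return found

def open_from_anywhere(nacl, port, proto="6"):
    """Common search: inbound ALLOW rules from 0.0.0.0/0 that reach `port`."""
    probe = _rule(0, False, proto, "allow", "0.0.0.0/0", port, port)
    return [e["RuleNumber"] for e in _ordered(nacl, False)
            if e["RuleAction"] == "allow" and _covers(e, probe)]
```

On the constructed SAMPLE_NACL, tcp_session_allowed reports an SSH session as blocked even though rule 100 admits it, because the SYN-ACK to the client's ephemeral port hits the egress catch-all deny; after with_ephemeral_egress it succeeds. ineffective_denies returns (120, 100) for the shadowed deny, and open_from_anywhere reports rule 100 for port 22 on both samples while allows_all_inbound fires only on the default NACL. To audit a real account, iterate over ec2.describe_network_acls()["NetworkAcls"] and pass each element in; note that the allow-all check looks only at the IPv4 catch-all, and that the evaluator, not the search, is what tells you whether a lower-numbered DENY happens to shadow a rule the search reports.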

As you can see, moving to the public cloud presents new challenges for a security department. A new set of tasks emerge, and along with those you need new tools to help you perform these tasks. CloudCheckr is purpose built for these use cases, making it simple to keep up with these changes. If you want to try this all out and experience it first-hand, get started now. See how much time and effort we can save you.