Skip to main content

Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

Severity: Medium

Resource Types: AWS::EC2::NetworkAcl

Description

This control checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. The rule fails if a NACL inbound entry allows a source CIDR block of '0.0.0.0/0' or '::/0' for ports 22 or 3389

Access to remote server administration ports, such as port 22 (SSH) and port 3389 (RDP), should not be publicly accessible, as this may allow unintended access to resources within your VPC.

Remediation

For more information about NACLs, see Network ACLs in the VPC User Guide.