AWS-VPC-NACL-allow-ingress-from-all-source-to-port-3389

Severity: High

Description: This control ensures that no Network ACLs allow ingress from 0.0.0.0/0 to port 3389. It is recommended that no NACL allow unrestricted ingress access to port 3389. Public access to port 3389 increases the resource attack surface and unnecessarily raises the risk of resource compromise.

Remediation Steps:

Perform the following to modify the network ACL for the VPC:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the VPC console.

  3. In the left pane, click Network ACLs.

  4. Select the network ACL to be updated.

  5. Click the Inbound Rules tab.

  6. Click Edit inbound rules.

  7. For the rule that allows ingress from 0.0.0.0/0 to port 3389, either update the Source field to a range other than 0.0.0.0/0 or click Delete to remove the inbound rule.

  8. Click Save.
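The console steps above fix one NACL at a time; a practitioner usually wants to first enumerate which NACLs in the account actually violate the control, and to confirm the fix afterwards. The following script is an added example and is not part of the Blue Hexagon control or tooling. It evaluates entries in the shape returned by `aws ec2 describe-network-acls` (NetworkAcls[].Entries[] with RuleNumber, Protocol, RuleAction, Egress, CidrBlock / Ipv6CidrBlock, PortRange); the NACL data embedded below is constructed for illustration, not output from a real account. It goes slightly beyond the control text in two ways: a protocol "-1" ("All traffic") allow with no PortRange is treated as exposing 3389, and a second function applies the NACL engine's first-match-by-ascending-rule-number semantics so that an allow shadowed by an earlier explicit deny is reported separately.

```python
"""Flag VPC network ACL entries that allow ingress from any source to TCP/3389.

Input mirrors `aws ec2 describe-network-acls` output. SAMPLE_NACLS is
constructed sample data, not a real account export.
"""
import json

RDP_PORT = 3389
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
TCP = "6"            # IANA protocol number as a string, as the API returns it
ALL_PROTOCOLS = "-1"  # "All traffic" in the console


def _matches_rdp_traffic(entry):
    """True if the entry's protocol/port selector would match a TCP/3389 packet."""
    proto = str(entry.get("Protocol"))
    if proto == ALL_PROTOCOLS:
        return True                       # all-traffic rules carry no PortRange
    if proto != TCP:
        return False                      # RDP is TCP; UDP/ICMP rules do not expose it
    # Assumption (conservative): a TCP entry with no PortRange is treated as all ports.
    ports = entry.get("PortRange") or {"From": 0, "To": 65535}
    return ports["From"] <= RDP_PORT <= ports["To"]


def entry_covers_rdp(entry):
    """True if the entry is an inbound allow from any source that reaches TCP/3389."""
    if entry.get("Egress", False):
        return False                      # outbound rules are out of scope for this control
    if entry.get("RuleAction") != "allow":
        return False
    any_source = (entry.get("CidrBlock") == ANY_IPV4
                  or entry.get("Ipv6CidrBlock") == ANY_IPV6)
    return any_source and _matches_rdp_traffic(entry)


def scan_network_acls(nacls):
    """Map NetworkAclId -> sorted rule numbers that violate the control (flat scan).

    This is the literal control: any such entry should be narrowed or deleted.
    """
    findings = {}
    for nacl in nacls:
        hits = [e["RuleNumber"] for e in nacl.get("Entries", []) if entry_covers_rdp(e)]
        if hits:
            findings[nacl["NetworkAclId"]] = sorted(hits)
    return findings


def rdp_open_after_ordering(nacl):
    """Evaluate like the NACL engine: ascending RuleNumber, first match wins.

    Considers IPv4 inbound entries whose source is 0.0.0.0/0; returns True when the
    first such entry matching TCP/3389 is an allow. An explicit deny with a lower
    rule number shadows a later allow, so the flat scan can flag a rule that is
    not actually reachable; that rule is still worth deleting, but it is lower risk.
    """
    for e in sorted(nacl.get("Entries", []), key=lambda x: x["RuleNumber"]):
        if e.get("Egress", False) or e.get("CidrBlock") != ANY_IPV4:
            continue
        if not _matches_rdp_traffic(e):
            continue
        return e.get("RuleAction") == "allow"
    return False                          # no matching rule: implicit deny


# Constructed sample data (not from a real account). 203.0.113.0/24 is TEST-NET-3.
SAMPLE_NACLS = [
    {"NetworkAclId": "acl-open-example", "Entries": [        # RDP open to the world
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-alltraffic-example", "Entries": [  # "All traffic" allow
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-restricted-example", "Entries": [  # RDP limited to an admin range
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 3389, "To": 3389}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}}]},
    {"NetworkAclId": "acl-shadowed-example", "Entries": [    # deny at 50 shadows allow at 100
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3000, "To": 4000}},
        {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}}]},
]


if __name__ == "__main__":
    report = {
        acl_id: {"offending_rules": rules,
                 "reachable_after_ordering": rdp_open_after_ordering(
                     next(n for n in SAMPLE_NACLS if n["NetworkAclId"] == acl_id))}
        for acl_id, rules in scan_network_acls(SAMPLE_NACLS).items()
    }
    print(json.dumps(report, indent=2))
```

To run this against a real account, replace SAMPLE_NACLS with the `NetworkAcls` list from `aws ec2 describe-network-acls --output json`; the rule numbers reported are the ones to narrow or delete in step 7, and rerunning the scan after step 8 should return an empty result.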

Important:

Reference:


Blue Hexagon Proprietary