AWS-EC2-Unrestricted-Network-ACL-Outbound-Traffic

Severity : High

Description: This control ensures that Network ACLs do not allow unrestricted outbound traffic from the network. Every AWS VPC comes with a default Network ACL that contains IPv4 and IPv6 allow-all outbound rules, with a destination CIDR of 0.0.0.0/0 or ::/0 and a port value of ALL. A custom rule that allows unrestricted outbound traffic may also exist in the ACL. Allow-all outbound rules can permit unintended outbound connections from the subnet. It is recommended to configure rules for specific CIDR ranges and specific ports to add an additional layer of security.
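The condition this control describes, as an added example that is not part of the control page: a check over the entries returned by the EC2 DescribeNetworkAcls API that flags outbound allow rules for all protocols to 0.0.0.0/0 or ::/0. The sample ACL data below is constructed to mirror that response shape; the ACL IDs are placeholders.

```python
"""Flag Network ACL egress rules that allow all traffic to 0.0.0.0/0 or ::/0."""
from typing import List

ALL_TRAFFIC_CIDRS = {"0.0.0.0/0", "::/0"}


def is_unrestricted_egress(entry: dict) -> bool:
    """True for an outbound 'allow' entry covering all protocols/ports to any destination."""
    if not entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False  # inbound rules and deny rules (incl. the 32767 default deny) are not findings
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    # Protocol "-1" is the API encoding for "All traffic" (all protocols, all ports)
    return cidr in ALL_TRAFFIC_CIDRS and entry.get("Protocol") == "-1"


def find_unrestricted_egress(acls: List[dict]) -> List[dict]:
    """Return one finding per (ACL, rule) that allows unrestricted outbound traffic."""
    findings = []
    for acl in acls:
        for entry in acl.get("Entries", []):
            if is_unrestricted_egress(entry):
                findings.append({
                    "NetworkAclId": acl["NetworkAclId"],
                    "RuleNumber": entry["RuleNumber"],
                    "Cidr": entry.get("CidrBlock") or entry.get("Ipv6CidrBlock"),
                    "IsDefault": acl.get("IsDefault", False),
                })
    return findings


# Constructed sample in the shape of describe_network_acls()["NetworkAcls"] (placeholder IDs).
SAMPLE_ACLS = [
    {"NetworkAclId": "acl-0default", "IsDefault": True, "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 101, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "Ipv6CidrBlock": "::/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    ]},
    {"NetworkAclId": "acl-0custom", "IsDefault": False, "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    ]},
]

if __name__ == "__main__":
    # For live data replace SAMPLE_ACLS with boto3.client("ec2").describe_network_acls()["NetworkAcls"]
    for finding in find_unrestricted_egress(SAMPLE_ACLS):
        print(finding)
```

Only the two allow-all rules in the default ACL are reported; the custom ACL's single-port rule and the implicit deny rules are not.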

Remediation Steps:

Perform the following to update the Network ACL:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to VPC console.

  3. In the left pane, click Network ACLs.

  4. Select the Network ACL reported.

  5. Click the Outbound Rules tab.

  6. Click Edit outbound rules.

  7. Identify the rules that allow All traffic (all protocols and all ports); these are the rules to remove.

  8. Click Remove to delete each such rule.

  9. Update the Outbound Rules by adding new rules that allow only specific traffic. To add a new rule, click Add new rule and specify the protocol and port.

  10. Click Save rules.

Important:

Reference:

Blue Hexagon Proprietary