--- title: EC2 network ACL overlapping ports description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > EC2 network ACL overlapping ports --- # EC2 network ACL overlapping ports {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-ec2-network-acl-overlapping-ports` **Provider:** AWS **Platform:** CloudFormation **Severity:** Medium **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-networkaclentry-portrange.html) ### Description{% #description %} Network ACL entries with overlapping port ranges can make rules ineffective or cause unintended allow/deny behavior, increasing the risk of unauthorized access or service disruption. This check inspects `AWS::EC2::NetworkAclEntry` resources and their `Properties.PortRange.From` and `Properties.PortRange.To` values. Each entry must define a port range that does not intersect with any other `AWS::EC2::NetworkAclEntry` port range in the same template. Resources missing `PortRange`, with `From` greater than `To`, or with ranges that share any port will be flagged as a misconfiguration. Secure configuration example with distinct, non-overlapping port ranges: ```yaml AclEntry1: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: acl-01234567 Protocol: 6 RuleAction: allow Egress: false PortRange: From: 80 To: 80 AclEntry2: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: acl-01234567 Protocol: 6 RuleAction: allow Egress: false PortRange: From: 443 To: 443 ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Resources: MyNACL: Type: AWS::EC2::NetworkAcl Properties: VpcId: vpc-1122334455aabbccd Tags: - Key: Name Value: NACLforSSHTraffic InboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 PortRange: From: 13 To: 22 OutboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 173.20.0.0/24 PortRange: From: 24 To: 25 ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml Resources: MyNACL: Type: AWS::EC2::NetworkAcl Properties: VpcId: vpc-1122334455aabbccd Tags: - Key: Name Value: NACLforSSHTraffic InboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 PortRange: From: 13 To: 22 OutboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 173.20.0.0/24 PortRange: From: 12 To: 20 OutboundTests: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 175.20.0.0/24 PortRange: From: 20 To: 25 InboundTests: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 151.20.0.0/24 PortRange: From: 6 To: 13 Default: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 150.20.0.0/24 PortRange: From: 1 To: 2 Match: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 121.20.0.0/24 PortRange: From: 3 To: 5 EqualMatch: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 120.20.0.0/24 PortRange: From: 3 To: 5 ```