---
title: TCP UDP protocol network ACL entry allows all ports
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > TCP UDP protocol network ACL entry allows all
  ports
---

# TCP UDP protocol network ACL entry allows all ports

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-tcp-or-udp-protocol-network-acl-entry-allows-all-ports` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-portrange)

### Description{% #description %}

Network ACL entries that allow all TCP or UDP ports significantly broaden the attack surface and can expose many services to network-based attacks and lateral movement.

For `AWS::EC2::NetworkAclEntry` resources where `Protocol` indicates TCP (`6`) or UDP (`17`), the `PortRange` property must be present, include both `From` and `To`, and must not be set to the full range `From: 0` and `To: 65535`. Resources missing `PortRange`, missing the `From`/`To` attributes, or configured to allow `0`–`65535` will be flagged.

To remediate, restrict `PortRange` to specific ports or narrow ranges required by the application.

Secure example with a single allowed port (HTTPS):

```yaml
MyNetworkAclEntry:
  Type: AWS::EC2::NetworkAclEntry
  Properties:
    NetworkAclId: acl-0123456789abcdef0
    RuleNumber: 100
    Protocol: 6
    RuleAction: allow
    Egress: false
    PortRange:
      From: 443
      To: 443
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
Resources:
  MyNACL9:
    Type: AWS::EC2::NetworkAcl
    Properties:
       VpcId: vpc-1122334455aabbccd
       Tags:
       - Key: Name
         Value: NACLforSSHTraffic
  InboundRule9:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 100
       Protocol: 6
       RuleAction: allow
       CidrBlock: 172.16.0.0/24
       PortRange:
         From: 22
         To: 22
```

```json
{
  "Resources": {
    "MyNACL9": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "NACLforSSHTraffic"
          }
        ],
        "VpcId": "vpc-1122334455aabbccd"
      }
    },
    "InboundRule9": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": {
          "From": 22,
          "To": 22
        },
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100
      }
    }
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
Resources:
  MyNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
       VpcId: vpc-1122334455aabbccd
       Tags:
       - Key: Name
         Value: NACLforSSHTraffic
  InboundRule2:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 100
       Protocol: 6
       RuleAction: allow
       CidrBlock: 172.16.0.0/24
       PortRange:
         From: 22
  InboundRule3:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 100
       Protocol: 6
       RuleAction: allow
       CidrBlock: 172.16.0.0/24
       PortRange:
         To: 22
  InboundRule4:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 100
       Protocol: 6
       RuleAction: allow
       CidrBlock: 172.16.0.0/24
  InboundRule5:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
       NetworkAclId:
         Ref: MyNACL
       RuleNumber: 100
       Protocol: 6
       RuleAction: allow
       CidrBlock: 172.16.0.0/24
       PortRange:
         From: 0
         To: 65535
```

```json
{
  "Resources": {
    "MyNACL": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "VpcId": "vpc-1122334455aabbccd",
        "Tags": [
          {
            "Key": "Name",
            "Value": "NACLforSSHTraffic"
          }
        ]
      }
    },
    "InboundRule2": {
      "Properties": {
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": {
          "From": 22
        },
        "NetworkAclId": {
          "Ref": "MyNACL"
        }
      },
      "Type": "AWS::EC2::NetworkAclEntry"
    },
    "InboundRule3": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": {
          "To": 22
        }
      }
    },
    "InboundRule4": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "NetworkAclId": {
          "Ref": "MyNACL"
        }
      }
    },
    "InboundRule5": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "CidrBlock": "172.16.0.0/24",
        "PortRange": {
          "To": 65535,
          "From": 0
        },
        "NetworkAclId": {
          "Ref": "MyNACL"
        },
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow"
      }
    }
  }
}
```