
Network ACLs should enforce outbound traffic restrictions

Description

Review AWS network access control lists (NACLs) for outbound (egress) allow rules that open every port, and restrict each such rule to the specific port range the workload in the subnet needs.

Rationale

An egress rule that allows all ports lets any compromised instance in the subnet connect to arbitrary services outside it. Limiting outbound rules to a specified port range reduces the paths available for unauthorized access, command-and-control traffic, and data exfiltration, at the subnet level and independently of any security group.

Remediation

From the console

Follow the Adding and deleting rules docs to limit egress (outbound) traffic based on port range.

From the command line

  1. Run replace-network-acl-entry to replace the existing egress rule (identified by its rule number) with one that allows only the required port range. The rule number, NACL ID, and port range below are examples; substitute your own values, and note that one of --cidr-block or --ipv6-cidr-block must be given.

    replace-network-acl-entry.sh

        # Replace egress rule 100 of the NACL so that it allows TCP 443 only.
        aws ec2 replace-network-acl-entry \
            --network-acl-id acl-0123456789abcdef0 \
            --egress \
            --rule-number 100 \
            --protocol tcp \
            --cidr-block 0.0.0.0/0 \
            --port-range From=443,To=443 \
            --rule-action allow
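
The remediation above assumes you already know which egress rules are too broad. The following Python audit, added here as an example and not part of the Datadog rule or the AWS tooling, shows the check a practitioner would run first: it parses JSON in the shape returned by aws ec2 describe-network-acls (the describe call and its output format are the assumption; the sample below is constructed, not captured), flags outbound allow rules that leave the port range open, and builds the matching replace-network-acl-entry command for each finding. It goes beyond the single command on the page by handling the all-protocol (-1) case, ICMP rules that carry no ports, the default deny rule, and ingress rules that are out of scope.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-acls --output json`.
# Only the JSON field names are relied on; the values are invented for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NetworkAcls": [{
        "NetworkAclId": "acl-0123456789abcdef0",
        "VpcId": "vpc-0123456789abcdef0",
        "Entries": [
            # egress TCP to anywhere on all ports: finding
            {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},
            # egress all protocols: finding (no port range can apply)
            {"RuleNumber": 110, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
             "CidrBlock": "0.0.0.0/0"},
            # egress HTTPS only: compliant
            {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": True,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
            # egress ICMP: carries type/code, not ports, so not a port-range finding
            {"RuleNumber": 130, "Protocol": "1", "RuleAction": "allow", "Egress": True,
             "CidrBlock": "10.0.0.0/8", "IcmpTypeCode": {"Type": -1, "Code": -1}},
            # the default deny-all entry AWS adds: not a finding
            {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
             "CidrBlock": "0.0.0.0/0"},
            # ingress all ports: out of scope for an egress check
            {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},
        ],
    }]
})

PROTOCOL_NAMES = {"6": "tcp", "17": "udp"}  # describe output uses IANA numbers as strings


def is_unrestricted_egress(entry):
    """True for an outbound allow rule that does not limit the destination port range."""
    if not entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    proto = entry.get("Protocol")
    if proto == "-1":            # all protocols: every port on every protocol is open
        return True
    if proto in ("1", "58"):     # ICMP / ICMPv6 have no ports; handled by a different control
        return False
    pr = entry.get("PortRange")
    if pr is None:               # TCP/UDP rule without a range allows every port
        return True
    return pr["From"] == 0 and pr["To"] == 65535


def find_unrestricted_egress(describe_json):
    """Return (network_acl_id, rule_number) for every offending egress rule."""
    findings = []
    for acl in json.loads(describe_json)["NetworkAcls"]:
        for entry in acl["Entries"]:
            if is_unrestricted_egress(entry):
                findings.append((acl["NetworkAclId"], entry["RuleNumber"]))
    return findings


def remediation_command(acl_id, entry, port_from, port_to):
    """Build the replace-network-acl-entry argv that narrows one egress rule to a port range.

    The rule number and destination CIDR are kept so ordering and scope do not change.
    An all-protocol (-1) rule is narrowed to TCP; that choice is an assumption the
    operator must confirm against what the workload actually needs.
    """
    if "CidrBlock" in entry:
        cidr_args = ["--cidr-block", entry["CidrBlock"]]
    else:
        cidr_args = ["--ipv6-cidr-block", entry["Ipv6CidrBlock"]]
    protocol = PROTOCOL_NAMES.get(entry["Protocol"], "tcp")
    return ["aws", "ec2", "replace-network-acl-entry",
            "--network-acl-id", acl_id,
            "--egress",
            "--rule-number", str(entry["RuleNumber"]),
            "--protocol", protocol,
            *cidr_args,
            "--port-range", f"From={port_from},To={port_to}",
            "--rule-action", "allow"]


def remediation_commands(describe_json, port_from, port_to):
    """Pair every finding with the command that fixes it; commands are returned, not run."""
    cmds = []
    for acl in json.loads(describe_json)["NetworkAcls"]:
        for entry in acl["Entries"]:
            if is_unrestricted_egress(entry):
                cmds.append(remediation_command(acl["NetworkAclId"], entry, port_from, port_to))
    return cmds


if __name__ == "__main__":
    for acl_id, rule in find_unrestricted_egress(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{acl_id}: egress rule {rule} allows all ports")
    for cmd in remediation_commands(SAMPLE_DESCRIBE_OUTPUT, 443, 443):
        print(" ".join(cmd))
```

To use it against a real account, save the output of aws ec2 describe-network-acls --output json to a file and pass its contents to find_unrestricted_egress; review the printed commands before running them, since replacing a rule takes effect immediately for every instance in the associated subnets.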