Network ACLs should enforce outbound traffic restrictions

Description

Investigate AWS Network Access Control Lists (NACLs) for outbound (egress) rules that allow multiple ports, and restrict outbound traffic to a specific port range.

Rationale

Limiting outbound traffic to a specified port range removes the opportunity for unauthorized access over every other port.

Remediation

From the console

Follow the Adding and deleting rules docs to limit egress (outbound) traffic access based on port range.

From the command line

  1. Run replace-network-acl-entry to replace the egress rule with one that allows only a specific port range. The NACL ID, rule number and port values below are placeholders to substitute with your own; the command also requires --cidr-block (or --ipv6-cidr-block) to identify the destination range the rule applies to.

    replace-network-acl-entry.sh

        # Placeholders: acl-01234567 (NACL ID), 2 (rule number), 443 (port range).
        aws ec2 replace-network-acl-entry \
            --network-acl-id acl-01234567 \
            --egress \
            --rule-number 2 \
            --protocol tcp \
            --port-range From=443,To=443 \
            --cidr-block 0.0.0.0/0 \
            --rule-action allow
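Before remediating, it helps to know which NACLs actually have unrestricted egress rules. The following script is an added example, not part of this page or Datadog's rule implementation: it parses output in the shape returned by `aws ec2 describe-network-acls` (NetworkAcls[].Entries[] with RuleNumber, Protocol, RuleAction, Egress, CidrBlock and an optional PortRange) and reports every egress allow rule that permits all ports, whether because the protocol is -1 (all), the rule has no port range, or the range spans 0-65535. The ACL IDs and rules in the embedded sample are constructed for the example; in practice you would feed it the real command output.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-acls` output.
# ACL IDs and rule entries are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NetworkAcls": [
        {
            "NetworkAclId": "acl-0example0000000001",
            "Entries": [
                # Egress allow for all protocols and ports: the finding this rule targets.
                {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
                 "Egress": True, "CidrBlock": "0.0.0.0/0"},
                # The default catch-all deny is not a finding.
                {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
                 "Egress": True, "CidrBlock": "0.0.0.0/0"},
                # Ingress rules are out of scope for an outbound check.
                {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
                 "Egress": False, "CidrBlock": "0.0.0.0/0"},
            ],
        },
        {
            "NetworkAclId": "acl-0example0000000002",
            "Entries": [
                # Egress limited to TCP 443: compliant.
                {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow",
                 "Egress": True, "CidrBlock": "0.0.0.0/0",
                 "PortRange": {"From": 443, "To": 443}},
                # TCP allow with the full 0-65535 range is equivalent to "all ports".
                {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow",
                 "Egress": True, "CidrBlock": "10.0.0.0/8",
                 "PortRange": {"From": 0, "To": 65535}},
            ],
        },
    ]
})


def is_unrestricted(entry):
    """True if an allow rule permits every port: all protocols, no port range, or a full range."""
    if entry.get("RuleAction") != "allow":
        return False
    if entry.get("Protocol") == "-1":
        return True
    port_range = entry.get("PortRange")
    if port_range is None:
        # A TCP/UDP rule without a PortRange applies to all ports.
        return True
    return port_range.get("From", 0) <= 0 and port_range.get("To", 65535) >= 65535


def find_unrestricted_egress(describe_json):
    """Return (acl_id, rule_number, protocol, cidr) for each egress allow rule with no port restriction."""
    findings = []
    for acl in json.loads(describe_json).get("NetworkAcls", []):
        for entry in acl.get("Entries", []):
            if entry.get("Egress") and is_unrestricted(entry):
                cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
                findings.append((acl["NetworkAclId"], entry["RuleNumber"],
                                 entry.get("Protocol"), cidr))
    return findings


if __name__ == "__main__":
    for acl_id, rule, proto, cidr in find_unrestricted_egress(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{acl_id}: egress rule {rule} (protocol {proto}, {cidr}) allows all ports")
```

Each finding maps directly onto the remediation above: the NACL ID and rule number are the values to pass to replace-network-acl-entry when narrowing that rule to the port range the workload actually needs.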