[Bug]: Review ec2_networkacl_allow_ingress_any_port #2910

Open
jfagoagas opened this issue Oct 5, 2023 Discussed in #2716 · 1 comment
Labels
provider/aws Issues/PRs related with the AWS provider

Comments

@jfagoagas
Member

Discussed in #2716

Originally posted by NMuee August 11, 2023
Hi Prowler Team,

I have a NACL with an ALL ports 0.0.0.0 ALLOW rule.
However, I do have some rules that DENY certain ports to 0.0.0.0 (e.g. 22, 3389, etc.)

With the deny rules in place, it is not true that ALL ports to 0.0.0.0 are OPEN.

For such a case, can I get your advice on whether this is still counted as a FAILED finding?

Thank you

@jfagoagas jfagoagas added the provider/aws Issues/PRs related with the AWS provider label Oct 5, 2023
@SimardeepSingh-zsh

Hi @jfagoagas,

Thank you for reaching out with your query about NACL configurations and Prowler findings.

In your described scenario, you have a Network ACL (NACL) with a rule that initially allows all ports (ALL) to 0.0.0.0 (any IP address), but you've also implemented specific rules to deny certain ports (e.g., 22 and 3389) to 0.0.0.0.

Your question pertains to whether this configuration, with deny rules in place, should be considered a "FAILED finding" in Prowler or from a security perspective.

The answer to this question largely depends on your organization's security policies and best practices. Here are a few considerations:

Security Principle: Implementing deny rules to restrict access to specific ports (e.g., SSH and RDP) to 0.0.0.0 is a sound security practice. It follows the principle of least privilege by limiting the exposure of critical services to the public internet.

Context Matters: Prowler scans your AWS infrastructure for security best practices, but the interpretation of findings may vary based on your specific use case and security requirements.

Customization: You can customize Prowler's policies to match your organization's specific security needs. This allows you to align the tool with your security objectives.

Documentation: To make an informed decision, it's advisable to review Prowler's documentation and your organization's security guidelines. Prowler often provides explanations and recommendations for its findings, which can help you understand the context better.

In conclusion, whether your NACL configuration is considered a "FAILED finding" depends on your organization's security policies. Implementing deny rules for specific ports is generally a recommended security practice. However, the specific interpretation and scoring within Prowler can be adjusted to match your organization's security standards.

It's a positive step to restrict access to critical ports, but for the definitive answer, I recommend discussing this with your organization's security team or reviewing your internal security policies.

I hope this information helps, and please feel free to reach out if you have any more questions or need further assistance.

Best regards
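As an added illustration of the question in this thread (example code written for this page, not Prowler's check or any AWS code): AWS evaluates NACL rules in ascending rule-number order and applies the first match, so a DENY for 22/3389 only takes effect when it is numbered below the ALLOW-all rule. The `NaclRule` shape and the two constructed NACLs are assumptions for this example; `has_allow_all_rule` approximates a check that only looks for an allow-all rule, while `open_ports` shows the effective exposure.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NaclRule:                     # assumed shape for this example, not the AWS API
    rule_number: int
    action: str                     # "allow" or "deny"
    cidr: str                       # source CIDR, e.g. "0.0.0.0/0"
    protocol: str                   # "-1" = all protocols, "6" = TCP, "17" = UDP
    from_port: Optional[int] = None # None = every port (used with protocol "-1")
    to_port: Optional[int] = None

def rule_matches(rule, src_ip, protocol, port):
    """Does this rule cover the packet? CIDR, protocol and port must all match."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.from_port is None:      # "all traffic" rule: any port
        return True
    return rule.from_port <= port <= rule.to_port

def effective_action(rules, src_ip, protocol, port):
    """Lowest rule number first, first match wins; the implicit '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.rule_number):
        if rule_matches(rule, src_ip, protocol, port):
            return rule.action
    return "deny"

def has_allow_all_rule(rules):
    """The coarse test: is there any ALLOW rule for all protocols and ports from 0.0.0.0/0?"""
    return any(r.action == "allow" and r.cidr == "0.0.0.0/0"
               and r.protocol == "-1" and r.from_port is None for r in rules)

def open_ports(rules, protocol, ports, src_ip="203.0.113.5"):
    """Ports a representative public source (a TEST-NET-3 address) can actually reach."""
    return [p for p in ports if effective_action(rules, src_ip, protocol, p) == "allow"]

# Constructed NACLs (not from a real account). DENY_FIRST is the scenario in the issue:
# explicit denies for 22/3389 numbered below the allow-all rule.
DENY_FIRST = [
    NaclRule(90, "deny", "0.0.0.0/0", "6", 22, 22),
    NaclRule(91, "deny", "0.0.0.0/0", "6", 3389, 3389),
    NaclRule(100, "allow", "0.0.0.0/0", "-1"),
]
# Same rules, but the allow-all is numbered first: the denies are never reached.
DENY_LATER = [NaclRule(50, "allow", "0.0.0.0/0", "-1")] + DENY_FIRST[:2]
```

Both NACLs look identical to the coarse allow-all test, yet only DENY_FIRST actually blocks TCP 22 and 3389; note that the denies are TCP-only, so UDP on those ports is still allowed by rule 100.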
