aws-ec2-no-public-ingress-acl.md

File metadata and controls

44 lines (31 loc) · 1.26 KB

Pattern: Use of public AWS EC2 ingress network ACL

Issue: -

Description

Opening up ACLs to the public internet is potentially dangerous. Where possible, restrict ingress to the IP addresses or ranges that explicitly require it.

Resolution: Set a more restrictive CIDR range, limited to the addresses that explicitly require access.

Examples

The following example will fail the aws-ec2-no-public-ingress-acl check.

```hcl
resource "aws_network_acl_rule" "bad_example" {
  # network_acl_id and rule_number are required by the provider; the
  # aws_network_acl.main reference is an assumption for this example.
  network_acl_id = aws_network_acl.main.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  from_port      = 22
  to_port        = 22
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0" # inbound SSH allowed from any address
}
```

The following example will pass the aws-ec2-no-public-ingress-acl check.

```hcl
resource "aws_network_acl_rule" "good_example" {
  # network_acl_id and rule_number are required by the provider; the
  # aws_network_acl.main reference is an assumption for this example.
  network_acl_id = aws_network_acl.main.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  from_port      = 22
  to_port        = 22
  rule_action    = "allow"
  cidr_block     = "10.0.0.0/16" # inbound SSH limited to one private range
}
```
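The same check can be applied outside the scanner, for example as a gate on a Terraform plan in CI. The script below is an added example and is not tfsec or trivy code: it reads the JSON that `terraform show -json` produces (the `resource_changes[].change.after` structure), skips egress and deny rules, and reports every `aws_network_acl_rule` that allows inbound traffic from `0.0.0.0/0` or `::/0`. The embedded plan is constructed for this example and mirrors the bad and good examples above; the resource addresses in it are assumptions.

```python
"""Detect public ingress network ACL rules in a Terraform plan (JSON form).

Added example for the aws-ec2-no-public-ingress-acl check; not tfsec/trivy
code. Input is the structure emitted by `terraform show -json plan.out`.
The plan below is constructed for this example.
"""
import ipaddress
import json


def _rule(address, after):
    """Build one constructed resource_changes entry for the sample plan."""
    return {"address": address, "type": "aws_network_acl_rule",
            "change": {"actions": ["create"] if after else ["delete"],
                       "after": after}}


# Constructed sample plan (not real terraform output). Addresses are assumed.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        _rule("aws_network_acl_rule.bad_example",
              {"egress": False, "protocol": "tcp", "from_port": 22, "to_port": 22,
               "rule_action": "allow", "cidr_block": "0.0.0.0/0"}),
        _rule("aws_network_acl_rule.good_example",
              {"egress": False, "protocol": "tcp", "from_port": 22, "to_port": 22,
               "rule_action": "allow", "cidr_block": "10.0.0.0/16"}),
        _rule("aws_network_acl_rule.deny_all",          # deny rules are fine
              {"egress": False, "protocol": "-1", "from_port": 0, "to_port": 0,
               "rule_action": "deny", "cidr_block": "0.0.0.0/0"}),
        _rule("aws_network_acl_rule.egress_all",        # outbound, out of scope
              {"egress": True, "protocol": "-1", "from_port": 0, "to_port": 0,
               "rule_action": "allow", "cidr_block": "0.0.0.0/0"}),
        _rule("aws_network_acl_rule.ipv6_open",         # IPv6 equivalent of bad_example
              {"egress": False, "protocol": "tcp", "from_port": 22, "to_port": 22,
               "rule_action": "allow", "ipv6_cidr_block": "::/0"}),
        _rule("aws_network_acl_rule.removed", None),    # deletion: no planned state
    ],
})


def is_world_open(cidr):
    """True for a prefix that matches every address (0.0.0.0/0 or ::/0).

    strict=False tolerates host bits set in the prefix, which Terraform accepts.
    Raises ValueError for a string that is not a CIDR at all.
    """
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_public_ingress(plan_json):
    """Return one finding per allow-ingress ACL rule that is open to the world."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_network_acl_rule":
            continue
        after = (rc.get("change") or {}).get("after")
        if not after:
            continue  # deletions and unknown state have nothing to check
        if after.get("egress") is True or after.get("rule_action") != "allow":
            continue  # only allow rules for inbound traffic can expose a port
        for key in ("cidr_block", "ipv6_cidr_block"):
            cidr = after.get(key)
            if not cidr:
                continue
            try:
                world_open = is_world_open(cidr)
            except ValueError:
                findings.append({"address": rc["address"], "cidr": cidr,
                                 "reason": "unparseable CIDR"})
                continue
            if world_open:
                findings.append({"address": rc["address"], "cidr": cidr,
                                 "reason": "ingress allowed from any address"})
    return findings


if __name__ == "__main__":
    for f in find_public_ingress(SAMPLE_PLAN):
        print(f"{f['address']}: {f['cidr']} ({f['reason']})")
```

Run it against a real plan with `terraform plan -out plan.out && terraform show -json plan.out > plan.json` and feed the file contents to `find_public_ingress`; a non-empty result should fail the pipeline. The check deliberately looks at `after` only, so a rule that is being tightened from `0.0.0.0/0` to a private range does not trip it.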

Further reading