Background
Network ACLs in AWS VPCs include allow and deny rules. These rules are evaluated in a well-defined precedence order, so it's feasible to model exceptions to a generalized policy. For example, it's possible to allowlist a specific IP range for access on port 22.
Changes
Evaluate the effect of deny rules on SSH access from arbitrary IPs in network ACLs
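Added example, not part of this change: a small Python model of the precedence order described under Background, applied to ingress entries in the shape that boto3's describe_network_acls returns. The sample rule set is constructed (allowlisted /24 at rule 80, blanket SSH deny at 90, allow-all at 100) and the function names are this example's own.

```python
import ipaddress

# Ingress entries in the shape boto3's describe_network_acls returns
# (constructed for this example; not from a real account). Rule 80 is the
# allowlisted exception, rule 90 the blanket SSH deny, rule 100 allows the rest.
SAMPLE_ENTRIES = [
    {"RuleNumber": 80, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]


def _covers(entry, network, port, protocol="6"):
    """True when an ingress entry applies to every address in network on port."""
    if entry.get("Egress") or entry["Protocol"] not in ("-1", protocol):
        return False
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if cidr is None:
        return False
    rule_net = ipaddress.ip_network(cidr)
    if rule_net.version != network.version or not network.subnet_of(rule_net):
        return False
    rng = entry.get("PortRange")
    if entry["Protocol"] == "-1" or rng is None:
        return True  # all traffic, hence all ports
    return rng["From"] <= port <= rng["To"]


def first_match(entries, source, port=22, protocol="6"):
    """NACL semantics: the lowest-numbered rule covering the packet decides;
    with no match the implicit catch-all is deny."""
    net = ipaddress.ip_network(source, strict=False)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if _covers(entry, net, port, protocol):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None


def ssh_open_to_world(entries):
    """True when 0.0.0.0/0 reaches an allow on port 22 before a blanket deny.
    Narrower denies are exceptions, not closures, so they do not flip this;
    allows split across CIDRs that only jointly span all space are not merged."""
    action, _ = first_match(entries, "0.0.0.0/0", 22)
    return action == "allow"
```

With the sample set, a source in 198.51.100.0/24 hits the allow at rule 80 while any other source hits the deny at rule 90, so SSH is not open to the world even though rule 100 allows all traffic.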
Testing