prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

Review ec2_networkacl_allow_ingress_any_port #2910

Open jfagoagas opened 1 year ago

jfagoagas commented 1 year ago

Discussed in https://github.com/prowler-cloud/prowler/discussions/2716

Originally posted by **NMuee** August 11, 2023

Hi Prowler Team,

I have a NACL with an ALL ports 0.0.0.0 ALLOW rule. However, I do have some rules that DENY certain ports to 0.0.0.0 (e.g. 22, 3389, etc.). With the deny rules in place, it is not true that ALL ports to 0.0.0.0 are OPEN. For such a case, can I get your advice on whether this is still counted as a FAILED finding? Thank you

SimardeepSingh-zsh commented 1 year ago

Hi @jfagoagas,

Thank you for reaching out with your query about NACL configurations and Prowler findings.

In your described scenario, you have a Network ACL (NACL) with a rule that initially allows all ports (ALL) to 0.0.0.0 (any IP address), but you've also implemented specific rules to deny certain ports (e.g., 22 and 3389) to 0.0.0.0.

Your question pertains to whether this configuration, with deny rules in place, should be considered a "FAILED finding" in Prowler or from a security perspective.

The answer to this question largely depends on your organization's security policies and best practices. Here are a few considerations:

Security Principle: Implementing deny rules to restrict access to specific ports (e.g., SSH and RDP) to 0.0.0.0 is a sound security practice. It follows the principle of least privilege by limiting the exposure of critical services to the public internet.

Context Matters: Prowler scans your AWS infrastructure for security best practices, but the interpretation of findings may vary based on your specific use case and security requirements.

Customization: You can customize Prowler's policies to match your organization's specific security needs. This allows you to align the tool with your security objectives.

Documentation: To make an informed decision, it's advisable to review Prowler's documentation and your organization's security guidelines. Prowler often provides explanations and recommendations for its findings, which can help you understand the context better.

In conclusion, whether your NACL configuration is considered a "FAILED finding" depends on your organization's security policies. Implementing deny rules for specific ports is generally a recommended security practice. However, the specific interpretation and scoring within Prowler can be adjusted to match your organization's security standards.

It's a positive step to restrict access to critical ports, but for the definitive answer, I recommend discussing this with your organization's security team or reviewing your internal security policies.

I hope this information helps, and please feel free to reach out if you have any more questions or need further assistance.

Best regards
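As an added illustration of the situation NMuee described (example code written for this thread, not Prowler's own check logic): a small model of how a NACL evaluates ingress rules, lowest rule number first, so you can see which ports the allow-all rule still leaves reachable once the deny rules are applied. It assumes IPv4 ingress entries only, and the rule numbers, port ranges and source address are constructed samples.

```python
import functools
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclEntry:
    """One ingress entry, shaped like the fields the AWS API exposes."""
    rule_number: int
    action: str            # "allow" or "deny"
    cidr: str
    protocol: str = "-1"   # "-1" = all protocols, "6" = TCP, "17" = UDP
    from_port: int = 0
    to_port: int = 65535

_network = functools.lru_cache(maxsize=None)(ipaddress.ip_network)  # parse each CIDR once

def ingress_verdict(entries, src_ip, protocol, port):
    """First-match evaluation: rules are checked from the lowest number upward,
    the first one whose CIDR, protocol and port range all match decides, and the
    implicit "*" rule denies anything that matched nothing."""
    src = ipaddress.ip_address(src_ip)
    for e in sorted(entries, key=lambda e: e.rule_number):
        if src not in _network(e.cidr):
            continue
        if e.protocol != "-1" and e.protocol != protocol:
            continue
        if e.protocol != "-1" and not (e.from_port <= port <= e.to_port):
            continue
        return e.action
    return "deny"

def tcp_ports_open_to(entries, src_ip):
    """All TCP ports the given source can reach once every rule is applied."""
    return {p for p in range(65536) if ingress_verdict(entries, src_ip, "6", p) == "allow"}

# Constructed sample: the configuration from the discussion above. The deny
# rules carry lower numbers than the allow-all rule, so they are hit first;
# numbered above 100 they would sit behind the allow and never be evaluated.
NACL_FROM_DISCUSSION = [
    NaclEntry(10, "deny", "0.0.0.0/0", "6", 22, 22),      # SSH
    NaclEntry(20, "deny", "0.0.0.0/0", "6", 3389, 3389),  # RDP
    NaclEntry(100, "allow", "0.0.0.0/0"),                 # ALL ports from anywhere
]

if __name__ == "__main__":
    open_ports = tcp_ports_open_to(NACL_FROM_DISCUSSION, "198.51.100.7")  # any internet address
    print(f"{len(open_ports)} of 65536 TCP ports stay reachable from the internet; "
          f"22 open: {22 in open_ports}, 3389 open: {3389 in open_ports}")
```

Note that a TCP-only deny does not touch UDP on the same port number, and that the rule numbers, not the order entries are written, decide which rule wins.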