Ensure VPC network access control lists are associated with a subnet for better security.
Rule | VPC network access control lists (network ACLs) should be associated with a subnet.
Framework | CISA-cyber-essentials
Severity | Low
VPC Network Access Control Lists (Network ACLs) for CISA Cyber Essentials
Rule Description
Network access control lists (network ACLs) in a Virtual Private Cloud (VPC) control which inbound and outbound traffic is allowed to and from a subnet. They are a critical security measure because they enforce network traffic rules at the subnet level. As per CISA Cyber Essentials, every subnet within a VPC should have an associated network ACL so that its traffic is tightly managed and controlled.
Troubleshooting Steps
If a subnet does not have an associated network ACL, it poses a security risk and may lead to unauthorized network access. To troubleshoot this issue, follow these steps:
Determine if the subnet has an associated network ACL: Log in to the AWS Management Console and navigate to the VPC service. Select the desired VPC and check whether each subnet has a network ACL associated with it.
Identify the missing network ACL: If a subnet does not have an associated network ACL, note down the subnet identifier for further troubleshooting.
Verify that the network ACL exists: Navigate to the Network ACLs section of the VPC service and check whether the intended network ACL is in the list. If it does not exist, it needs to be created.
Necessary Codes
If the subnet is missing an associated network ACL, use the following command to associate one:
aws ec2 replace-network-acl-association --association-id <existing_association_id> --network-acl-id <new_network_acl_id>
Replace <existing_association_id> with the ID of the existing association that needs to be replaced, and replace <new_network_acl_id> with the ID of the new network ACL.
Step-by-Step Guide for Remediation
To associate a Network ACL with a subnet, follow these steps:
Step 1: Log in to the AWS Management Console and navigate to the VPC service.
Step 2: Select the desired VPC where the subnet is located.
Step 3: Locate the subnet without an associated Network ACL.
Step 4: Write down the subnet identifier for reference.
Step 5: In the left sidebar, click on "Network ACLs" under the "Security" section.
Step 6: Check if the missing Network ACL already exists in the list. If it does not exist, proceed to Step 7.
Step 7: Click on "Create network ACL".
Step 8: Choose a VPC and provide a name for the Network ACL. Click on "Create".
Step 9: Once the Network ACL is created, click on its ID.
Step 10: In the "Inbound rules" and "Outbound rules" tabs, configure the desired traffic rules as per your security requirements. Click on "Save".
Step 11: Go back to the subnet without an associated Network ACL.
Step 12: In the subnet details, click on "Modify network ACL associations".
Step 13: Click on "Add association" and select the newly created Network ACL. Click on "Save".
Step 14: Verify that the subnet now has an associated Network ACL by checking the subnet details.
By following these steps, you can ensure that all subnets within your VPC have their respective associated Network ACLs as per the recommendations of CISA Cyber Essentials.
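The check from the Troubleshooting Steps and the remediation command from the Necessary Codes section, worked through as an added example (not code from the original page or from AWS): it reads the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-network-acls` produce, reports any subnet with no network ACL association, also flags subnets still on the VPC's default network ACL (which allows all traffic), and fills in the replace-network-acl-association command for a given association. The VPC, subnet, ACL and association IDs are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-network-acls` output;
# all IDs are placeholders, not real resources.
SAMPLE_NACLS = json.dumps({"NetworkAcls": [
    {"NetworkAclId": "acl-0default", "VpcId": "vpc-0example", "IsDefault": True,
     "Associations": [{"NetworkAclAssociationId": "aclassoc-01",
                       "NetworkAclId": "acl-0default", "SubnetId": "subnet-0a"}]},
    {"NetworkAclId": "acl-0custom", "VpcId": "vpc-0example", "IsDefault": False,
     "Associations": [{"NetworkAclAssociationId": "aclassoc-02",
                       "NetworkAclId": "acl-0custom", "SubnetId": "subnet-0b"}]},
]})

# Constructed sample shaped like `aws ec2 describe-subnets` output.
SAMPLE_SUBNETS = json.dumps({"Subnets": [
    {"SubnetId": "subnet-0a", "VpcId": "vpc-0example"},
    {"SubnetId": "subnet-0b", "VpcId": "vpc-0example"},
    {"SubnetId": "subnet-0c", "VpcId": "vpc-0example"},
]})


def audit_subnet_acls(subnets_json, nacls_json):
    """Map every subnet ID to its network ACL association, or None if it has none."""
    assoc_by_subnet = {}
    for acl in json.loads(nacls_json)["NetworkAcls"]:
        for assoc in acl.get("Associations", []):
            assoc_by_subnet[assoc["SubnetId"]] = {
                "association_id": assoc["NetworkAclAssociationId"],
                "network_acl_id": acl["NetworkAclId"],
                "is_default": acl["IsDefault"],
            }
    return {s["SubnetId"]: assoc_by_subnet.get(s["SubnetId"])
            for s in json.loads(subnets_json)["Subnets"]}


def unassociated_subnets(report):
    """Subnets the rule flags: no network ACL association at all."""
    return sorted(sid for sid, assoc in report.items() if assoc is None)


def subnets_on_default_acl(report):
    """Subnets still on the VPC default ACL, which allows all traffic; worth a review."""
    return sorted(sid for sid, assoc in report.items() if assoc and assoc["is_default"])


def remediation_command(association_id, new_acl_id):
    """Fill in the page's CLI command for one subnet's existing association."""
    return (f"aws ec2 replace-network-acl-association "
            f"--association-id {association_id} --network-acl-id {new_acl_id}")
```

To run it against a real account, pipe the output of the two describe commands into the functions above instead of the constructed samples.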