no-public-ingress
Explanation
Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible.
Possible Impact
The ports are exposed for ingressing data to the internet
Suggested Resolution
Set a more restrictive cidr range
Insecure Example
The following example will fail the aws-vpc-no-public-ingress check.
resource "aws_network_acl_rule" "bad_example" {
egress = false
protocol = "tcp"
from_port = 22
to_port = 22
rule_action = "allow"
cidr_block = "0.0.0.0/0"
}
Secure Example
The following example will pass the aws-vpc-no-public-ingress check.
resource "aws_network_acl_rule" "good_example" {
egress = false
protocol = "tcp"
from_port = 22
to_port = 22
rule_action = "allow"
cidr_block = "10.0.0.0/16"
}