An ingress Network ACL rule allows ALL ports.
Default Severity: critical
Explanation
Ensure access to specific required ports is allowed, and nothing else.
Possible Impact
All ports exposed for egressing data
Suggested Resolution
Set specific allowed ports
Insecure Example
The following example will fail the aws-vpc-no-excessive-port-access check.
resource "aws_network_acl_rule" "bad_example" {
egress = false
protocol = "all"
rule_action = "allow"
cidr_block = "0.0.0.0/0"
}
Secure Example
The following example will pass the aws-vpc-no-excessive-port-access check.
resource "aws_network_acl_rule" "good_example" {
egress = false
protocol = "tcp"
from_port = 22
to_port = 22
rule_action = "allow"
cidr_block = "0.0.0.0/0"
}