CIS Benchmark Rule update for Network ACL ingress allowed from all hosts
An update has been released for Rule CIS 5.1 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports. This rule will now flag a Network ACL (NACL) as failing when any of the following conditions are met:
- There is a NACL rule allowing TCP traffic on SSH (port 22) to all hosts (0.0.0.0/0)
- There is a NACL rule allowing TCP traffic on RDP (port 3389) to all hosts (0.0.0.0/0)
- There is a NACL rule allowing all traffic on all ports to all hosts (Note: this will often be the case, as it is also the default setting.)
Before the update, this rule only flagged a NACL when a rule allowed TCP traffic on both the SSH and RDP ports to all hosts. This change will impact customers with the CIS Benchmark version 1.3.0 or 1.4.0 Rule Bundle enabled. Customers should expect a change in the compliance score for this rule.
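The following is an added example, not code from the benchmark or the rule bundle, showing how the three updated failing conditions can be evaluated against NACL entries. The entries are shaped like the `Entries` list returned by the EC2 `describe_network_acls` API (key names such as `RuleNumber`, `Protocol`, `RuleAction`, `Egress`, `CidrBlock` and `PortRange` follow that API; treating a missing `PortRange` as all ports is an assumption). The sample NACLs are constructed for illustration.

```python
"""Evaluate AWS Network ACL ingress entries against the updated CIS 5.1 conditions:
  1. TCP allowed on port 22 (SSH) from 0.0.0.0/0
  2. TCP allowed on port 3389 (RDP) from 0.0.0.0/0
  3. all traffic on all ports allowed from 0.0.0.0/0
Added example; entry dicts mimic the EC2 describe_network_acls API shape."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ALL_HOSTS = "0.0.0.0/0"
TCP = "6"            # IANA protocol number, returned as a string by the API
ALL_PROTOCOLS = "-1"  # "all" in the console


def _port_range(entry):
    # Assumption: an entry without PortRange covers every port.
    pr = entry.get("PortRange")
    if pr is None:
        return 0, 65535
    return pr["From"], pr["To"]


def failing_reasons(entries):
    """Return [(rule_number, reason), ...] for every entry that triggers a condition.
    Only ingress (Egress=False) allow rules from 0.0.0.0/0 are considered; rule
    ordering and lower-numbered deny rules are not evaluated, matching the check."""
    reasons = []
    for e in entries:
        if e.get("Egress") or e.get("RuleAction") != "allow":
            continue
        if e.get("CidrBlock") != ALL_HOSTS:
            continue
        proto = str(e.get("Protocol"))
        if proto == ALL_PROTOCOLS:
            reasons.append((e["RuleNumber"], "all traffic on all ports from 0.0.0.0/0"))
            continue
        if proto != TCP:
            continue
        low, high = _port_range(e)
        for port, name in ADMIN_PORTS.items():
            if low <= port <= high:  # a wide range (e.g. 1024-65535) still covers RDP
                reasons.append((e["RuleNumber"], f"TCP {name} (port {port}) from 0.0.0.0/0"))
    return reasons


def nacl_fails(entries):
    return bool(failing_reasons(entries))


# --- constructed sample NACLs -------------------------------------------------
# Default NACL: allow everything in, final catch-all deny (rule 32767).
DEFAULT_NACL = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]

# Hardened NACL: HTTPS from anywhere, SSH only from an internal range,
# SSH egress to anywhere (egress is out of scope for this rule).
HARDENED_NACL = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]

# Subtle case: an "ephemeral ports" ingress rule that also covers 3389.
EPHEMERAL_NACL = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, nacl in [("default", DEFAULT_NACL), ("hardened", HARDENED_NACL), ("ephemeral", EPHEMERAL_NACL)]:
        print(name, "FAIL" if nacl_fails(nacl) else "PASS", failing_reasons(nacl))
```

The third sample is the case worth watching for after this update: a broad inbound TCP range such as 1024-65535 from 0.0.0.0/0, commonly added for return traffic, now fails the rule because it includes port 3389 even though no rule names RDP explicitly. Because the check only looks at individual allow entries, a lower-numbered deny rule that would block the traffic in practice does not change the outcome.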