An ingress Network ACL rule allows ALL ports.

Explanation

Ensure access to specific required ports is allowed, and nothing else.

Possible Impact

All ports exposed for egressing data

Suggested Resolution

Set specific allowed ports

Insecure Example

The following example will fail the aws-vpc-no-excessive-port-access check.

resource "aws_network_acl_rule" "bad_example" {
  egress         = false
  protocol       = "all"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}

Secure Example

The following example will pass the aws-vpc-no-excessive-port-access check.

resource "aws_network_acl_rule" "good_example" {
  egress         = false
  protocol       = "tcp"
  from_port      = 22
  to_port        = 22
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}

Getting Started
Provider Checks
Config
GitHub Actions