it's possible that an admin has created this acl with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.

Techniques

Sample rules

AWS Network Access Control List Created with All Open Ports

source: splunk
technicques:
- T1562.007
- T1562

Description

The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for CreateNetworkAclEntry or ReplaceNetworkAclEntry actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.

Detection logic

`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 
| append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 
| eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' 
| where port_range>1024] 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_network_access_control_list_created_with_all_open_ports_filter`