How to Interrupt a Breach on AWS Using NACLs

If an active Security Group rule allows an SSH connection to one of your instances and that connection is compromised, you can use a NACL (Network Access Control List) to interrupt it. Security groups are stateful and keep an established session alive even after the allowing rule is removed, whereas a NACL evaluates every packet, so a deny rule cuts the session off. In this blog I will explain what NACLs are and how to use them to stop a security breach.

What is a NACL?

Think of NACLs as gatekeepers that control the traffic flowing in and out of your AWS subnets. They are like a stateless firewall, providing an extra layer of security to prevent unauthorized access to your resources.

Key Features of NACLs

  • Stateless: NACLs do not track connections. Every packet, inbound and outbound, is evaluated against the rules, so return traffic is not allowed automatically and a new deny rule takes effect on connections that are already established.
  • Subnet Level: They apply to every resource in the subnets they are associated with, adding a security layer on top of security groups.
  • Rules Evaluation: Rules are checked in ascending order of rule number, and the first matching rule wins.
  • Allow and Deny: You can write rules that explicitly allow or deny traffic (security groups can only allow).

How to Use NACLs to Interrupt a Breach

When a breach happens, acting fast is key to minimizing the damage. Here’s how to use NACLs to stop a breach:

  1. Identify the Breach Source: Use AWS CloudTrail (API activity) and VPC Flow Logs (network traffic) to identify the IP addresses behind the breach.
  2. Modify NACL Rules:
    1. Go to the NACL linked to the affected subnet.
    2. Add deny rules for the suspicious IP addresses. Make sure the new rules are evaluated first by giving them lower numbers than any existing allow rules.
  3. Block Suspicious Traffic:
    1. If you’re unsure of the source of the breach, you may temporarily block broader IP ranges.
    2. Review and fine-tune existing rules to enhance security while ensuring legitimate traffic can still flow.
  4. Monitor and Adapt:
    1. Keep an eye on traffic using VPC Flow Logs to confirm the NACL rules are doing their job.
    2. Update the NACL rules as you gather more information about the breach.

Example Scenario

Let’s say you notice some unusual traffic patterns suggesting a potential breach. Here’s what you’d do step-by-step:

  1. Detection: CloudTrail logs show unauthorized access attempts from the IP ranges 192.0.2.0/24 and 198.51.100.0/24.
  2. Action:
    1. Head over to the NACL for the compromised subnet.
    2. Add deny rules for these IP ranges:
      1. Rule #100: Deny inbound traffic from 192.0.2.0/24
      2. Rule #101: Deny inbound traffic from 198.51.100.0/24
  3. Validation:
    1. Check VPC Flow Logs to confirm that traffic from these ranges is now being rejected.
    2. Keep monitoring for any further suspicious activity and update the NACL rules as needed.
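As an added example (not code from the original post), the script below walks the three steps of the scenario above in Python: it picks out sources with accepted SSH traffic from constructed VPC Flow Log records, builds the deny entries for boto3's create_network_acl_entry (rule numbers 100 and 101; the ACL id is a placeholder), and checks the logs again after the change. The boto3 client is only used inside apply_entries, which is not called here because it needs AWS credentials.

```python
import ipaddress
from collections import Counter

# Default VPC Flow Log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: two ranges reaching SSH (port 22) on 10.0.1.12.
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.12 51234 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 40211 22 6 15 3120 1418530011 1418530071 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.12 44321 443 6 3 480 1418530012 1418530072 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.99 10.0.1.12 51999 22 6 1 60 1418530020 1418530080 REJECT OK
"""

def parse_flow_logs(text):
    """Yield one dict per record, skipping malformed lines and NODATA/SKIPDATA records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec

def suspicious_sources(text, dst_port="22", action="ACCEPT"):
    """Step 1 (Identify): source addresses with accepted traffic to dst_port, with counts."""
    counts = Counter(r["srcaddr"] for r in parse_flow_logs(text)
                     if r["dstport"] == dst_port and r["action"] == action)
    return dict(counts)

def build_deny_entries(acl_id, cidrs, first_rule):
    """Step 2 (Modify NACL): kwargs for ec2.create_network_acl_entry, one per CIDR.
    Rule numbers must be unique and lower than the existing allow rule(s)."""
    return [dict(NetworkAclId=acl_id, RuleNumber=first_rule + i, Protocol="-1",
                 RuleAction="deny", Egress=False,
                 CidrBlock=str(ipaddress.ip_network(c, strict=False)))  # 192.0.2.44/24 -> 192.0.2.0/24
            for i, c in enumerate(cidrs)]

def blocked_after_change(text, cidrs):
    """Step 3 (Validate): True once no ACCEPT records remain from the denied ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return not any(r["action"] == "ACCEPT"
                   and any(ipaddress.ip_address(r["srcaddr"]) in n for n in nets)
                   for r in parse_flow_logs(text))

def apply_entries(ec2, entries):
    """Push the deny rules through a boto3 EC2 client (assumed; needs credentials)."""
    for e in entries:
        ec2.create_network_acl_entry(**e)
```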

Final Thoughts

NACLs are powerful tools for managing network security at the subnet level. Used effectively, they let you respond to and stop a breach quickly, protecting your AWS environment from potential threats. Monitoring and updating NACL rules is essential to maintaining a secure and resilient cloud infrastructure.

Let's stop breaches and have a happy clouding!