Terraform Broad Network Access
Description
Detects overly permissive AWS Default Network ACL configurations that could allow broad network access. Unrestricted network access in Network ACLs can expose AWS resources to unnecessary security risks by allowing traffic from any source.
Detection Strategy
• Identifies AWS Default Network ACL resource declarations in Terraform configurations
• Examines the Network ACL rules for overly permissive settings like '0.0.0.0/0' CIDR blocks
• Reports a vulnerability when default Network ACLs allow unrestricted inbound or outbound access
Vulnerable code example
resource "aws_default_network_acl" "default" {
default_network_acl_id = aws_vpc.main.default_network_acl_id
ingress {
protocol = -1
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0" # INSECURE: Allows unrestricted inbound access from any IP...✅ Secure code example
resource "aws_default_network_acl" "default" {
default_network_acl_id = aws_vpc.main.default_network_acl_id
ingress {
protocol = -1
rule_no = 100
action = "allow"
cidr_block = aws_vpc.main.cidr_block # Restrict access to VPC CIDR only...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.