AWS nacl analysis #732
AWS nacl analysis #732
Conversation
There was a problem hiding this comment.
@kyorav , can you please verify that this is indeed the intended connectivity?
There was a problem hiding this comment.
@zivnevo it is difficult to do without a mapping of the SubnetIds to the name. Can we perhaps prioritize fixing the anonymizer to leave the Name tags and then using the name here instead of the CRN?
For this instance I will re-deploy the example and run the analysis on the original collected object, then figure out the mapping myself.
There was a problem hiding this comment.
@olasaadi99 , please see if the anonymizer can be fixed as suggested above.
There was a problem hiding this comment.
@kyorav send me an example to test it please
There was a problem hiding this comment.
I reran on the original object and then manually translated subnetIDs to names. This is what I got:
Subnet connectivity for VPC vpc-054b122b2690e1c3b
workloads2 => workloads1 : protocol: ICMP,UDP
workloads2 => workloads1 : protocol: TCP *
edge1 => workloads1 : protocol: ICMP,UDP
edge1 => workloads1 : protocol: TCP *
edge2 => workloads1 : protocol: TCP dst-ports: 443 *
I think there should not be connectivity from edge1 to workloads1. They are both connected to ACL1 and the relevant rule opens up (ingress & egress) only to workloads1. This means that when ACL1 is applied to workloads1 it will block both ingress and egress to edge1.
Also, all of the rules in ACL1 have the protocol set to "All", so there should not be specific protocols on this line.
I suspect additional lines in the report have problems. Unfortunately, this is a rather bad example because of mistakes I made when creating it. I will modify the example to include a series of simple situations instead of this complicated scenario.
There was a problem hiding this comment.
can you check again please after the fixes @kyorav
|
Also, please run |
No description provided.