The Issue: Network ACLs Behave Differently Amongst Public Cloud Providers
Not all firewalls are created equal. Some are generous, some are not, and the native firewall controls of the public cloud providers do not all behave the same way.
Each of the major cloud service providers (AWS, Microsoft Azure, and Google Cloud Platform) offers a native network firewall: network ACLs and security groups in AWS, network security groups (NSGs) in Azure, and VPC firewall rules in GCP. The question that matters here is what happens to connections that are already established when an ACL rule is changed.
RedLock's CSI Team observed that rule updates made to AWS ACLs are applied dynamically to both new and existing connections. In Azure and GCP, however, rule updates are applied only to new connections: sessions that were established under the old rule keep flowing after the rule is changed. The security consequence is that if an ACL rule, whether by mistake or by malicious change, allows an unintended open connection, anyone who connected while the rule was open keeps that session after the rule is corrected. Fixing the rule closes the door to new connections; it does not evict the connections that are already inside.
The Mitigation: How to Enforce Updated ACLs in Azure and GCP
Because the corrected rule does not terminate established sessions, administrators must do that themselves. After correcting the ACL, terminate the existing connections that the bad rule allowed by restarting the affected service or application (or the instance) so that every client has to reconnect and be evaluated against the corrected rules. Then verify on the host that no connections from sources the corrected rule no longer permits are still established.
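The verification step in practice: list the established connections on the exposed VM and flag the ones that the corrected rule set would no longer admit, since those are exactly the sessions that survive an Azure NSG or GCP firewall change and need to be closed. The following is an added example, not RedLock's code. It assumes a Linux VM whose `ss -tn state established` output has been captured; the sample output, the IP addresses and the corrected rule set below are constructed for illustration.

```python
"""Find established connections that a corrected cloud firewall rule no longer allows.

Added example (not RedLock's code). Assumes the output of
`ss -tn state established` captured on a Linux VM; the sample data below is
constructed, not taken from a real system.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the VM was briefly exposed to 0.0.0.0/0 on tcp/22 and
# tcp/5432 by a bad rule, and two outside clients connected while it was open.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port   Peer Address:Port
0      0      10.0.1.5:22          10.0.2.17:51234
0      0      10.0.1.5:5432        203.0.113.45:40322
0      0      10.0.1.5:22          198.51.100.9:55010
0      0      10.0.1.5:443         192.0.2.88:60001
"""

# Constructed corrected rule set: local port -> source CIDRs allowed to reach it.
CORRECTED_RULES = {
    22: ["10.0.0.0/16"],    # SSH only from inside the VPC
    5432: ["10.0.0.0/16"],  # PostgreSQL only from inside the VPC
    443: ["0.0.0.0/0"],     # public HTTPS stays open
}


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int


def _split_addr(token):
    # Split "host:port" on the last colon so bracketed IPv6 ("[2001:db8::1]:443") works.
    host, port = token.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_ss(output):
    """Parse `ss -tn` style output; local and peer are always the last two columns."""
    conns = []
    for line in output.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 2:
            continue
        lip, lport = _split_addr(parts[-2])
        pip, pport = _split_addr(parts[-1])
        conns.append(Conn(lip, lport, pip, pport))
    return conns


def allowed_by_rules(conn, rules):
    """True if the corrected rules would admit a *new* connection like this one."""
    peer = ipaddress.ip_address(conn.peer_ip)
    # An IPv4 peer is never "in" an IPv6 network and vice versa, so mixed families are safe.
    return any(peer in ipaddress.ip_network(cidr) for cidr in rules.get(conn.local_port, []))


def orphaned_connections(output, rules):
    """Established connections that survived the rule change but are no longer permitted."""
    return [c for c in parse_ss(output) if not allowed_by_rules(c, rules)]


def kill_commands(conns):
    """Host-level stopgap: `ss -K` closes matching sockets (needs CONFIG_INET_DIAG_DESTROY).

    Restarting the service, as recommended above, achieves the same end more reliably.
    """
    return [
        f"ss -K dst {c.peer_ip} dport = :{c.peer_port} sport = :{c.local_port}"
        for c in conns
    ]


if __name__ == "__main__":
    orphans = orphaned_connections(SAMPLE_SS_OUTPUT, CORRECTED_RULES)
    for c in orphans:
        print(f"STILL CONNECTED despite corrected rule: {c.peer_ip}:{c.peer_port} -> :{c.local_port}")
    for cmd in kill_commands(orphans):
        print(cmd)
```

On the constructed sample the two VPC-internal and public-HTTPS sessions pass, while the PostgreSQL session from 203.0.113.45 and the SSH session from 198.51.100.9 are flagged: those are the sessions the corrected Azure or GCP rule leaves alive. Run the check again after the restart; an empty result is the evidence that the mitigation actually took effect.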