# AWS VPC Network ACL is unused
- Contextual name: Network ACL is unused
- ID: /ce/ca/aws/vpc/network-acl-unused
- Located in: AWS VPC

## Flags
- Policy with categories
- Policy with type
- Production policy

## Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: RELIABILITY

## Similar Policies
- AWS Security Hub
  - [[EC2.16] Unused Network Access Control Lists should be removed](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-16)

## Logic
- prod.logic.yaml

## Description
Ensure that all non-default AWS VPC Network ACLs are actively associated with at least one subnet. Unused NACLs should be identified and removed to maintain a secure and well-managed network environment.
## Rationale
Network ACLs that are not associated with any subnets are considered unused. While unused NACLs do not incur direct costs, they present a potential security risk. If such a NACL contains overly permissive or misconfigured rules and is later associated with a subnet, it could unintentionally expose resources to unauthorized traffic. Regularly identifying and removing unused NACLs reduces the potential attack surface and streamlines network management.
## Impact
Removing unused NACLs has no operational impact on existing resources. However, it strengthens the overall security posture and simplifies audits by eliminating unnecessary configurations.
## Audit
This policy flags an AWS VPC Network ACL as INCOMPLIANT if it has no related AWS VPC Network ACL Associations.

## Remediation
### From Command Line
#### Delete Unused NACLs
```shell
aws ec2 delete-network-acl \
  --network-acl-id {{network-acl-id}}
```
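As an added illustration of the Audit and Remediation sections above (example code, not the policy's own `prod.logic.yaml` logic), the check below evaluates the response shape of `aws ec2 describe-network-acls` over a constructed sample: a non-default NACL with an empty `Associations` list is flagged, the VPC's default NACL (which cannot be deleted) is not, and the page's delete command is generated for each finding. The sample IDs are invented.

```python
"""Audit check for the 'Network ACL is unused' policy, run over the JSON
shape of `aws ec2 describe-network-acls` / boto3 describe_network_acls().
A non-default NACL whose Associations list is empty is attached to no
subnet and is flagged INCOMPLIANT; a VPC's default NACL cannot be deleted,
so it is never flagged."""
from typing import Dict, List

# Constructed sample response (not real AWS output): three NACLs in one VPC.
SAMPLE_RESPONSE = {
    "NetworkAcls": [
        {  # default NACL, no associations: not deletable, not flagged
            "NetworkAclId": "acl-0default0000000001",
            "VpcId": "vpc-0example000000001",
            "IsDefault": True,
            "Associations": [],
        },
        {  # custom NACL attached to a subnet: compliant
            "NetworkAclId": "acl-0inuse00000000002",
            "VpcId": "vpc-0example000000001",
            "IsDefault": False,
            "Associations": [{
                "NetworkAclAssociationId": "aclassoc-0example0001",
                "NetworkAclId": "acl-0inuse00000000002",
                "SubnetId": "subnet-0example00001",
            }],
        },
        {  # custom NACL with no associations: unused, INCOMPLIANT
            "NetworkAclId": "acl-0unused0000000003",
            "VpcId": "vpc-0example000000001",
            "IsDefault": False,
            "Associations": [],
        },
    ]
}


def unused_network_acls(response: Dict) -> List[str]:
    """Return IDs of non-default NACLs that have no subnet associations."""
    return [
        acl["NetworkAclId"]
        for acl in response.get("NetworkAcls", [])
        if not acl.get("IsDefault", False) and not acl.get("Associations")
    ]


def remediation_commands(acl_ids: List[str]) -> List[str]:
    """Build the page's delete command for each flagged NACL."""
    return [f"aws ec2 delete-network-acl --network-acl-id {i}" for i in acl_ids]
```

Against live data, pass the parsed output of `aws ec2 describe-network-acls` (all pages) to `unused_network_acls` and review each finding's rules before running the generated delete commands.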