Profile Applicability:

Level 2

Description

Network Access Control Lists (NACLs) are used to control inbound and outbound traffic at the subnet level in Amazon Virtual Private Cloud (VPC). Retaining unused NACLs creates unnecessary clutter and increases administrative overhead. Removing unused NACLs simplifies the network architecture and minimizes misconfiguration risks.

Rationale

  • Enhanced Manageability: Reduces complexity in managing NACLs by removing unused resources.

  • Improved Security: Minimizes the risk of inadvertently applying unused or misconfigured NACLs to subnets.

  • Cost Optimization: Prevents mismanagement of resources in large environments.

Impact

Pros:

  • Simplifies network management by keeping only actively used NACLs.

  • Reduces the risk of misconfiguration or accidental assignment of unused NACLs.

  • Improves security posture by eliminating redundant resources.

Cons:

  • Requires careful evaluation to ensure no unintended deletions.

  • May disrupt workflows if a NACL assumed to be unused is later needed.

Default Value

By default, all created NACLs remain in the VPC until explicitly deleted.

Prerequisites

  • IAM permissions: ec2:DescribeNetworkAcls and ec2:DeleteNetworkAcl

  • AWS CLI installed and configured.


Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard.

  3. Select Network ACLs from the left-hand menu.

  4. Identify unused NACLs that are not associated with any subnets.

Using AWS CLI:

Identify Unused NACLs (a NACL with no subnet associations returns an empty Associations list; the VPC default NACL is excluded because it cannot be deleted):

aws ec2 describe-network-acls --query 'NetworkAcls[?length(Associations)==`0` && IsDefault==`false`].{NetworkAclId:NetworkAclId}'

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard.

  3. Select Network ACLs from the left-hand menu.

  4. Identify and verify unused NACLs (NACLs without any subnet associations).

  5. Select each unused NACL and delete it after confirming that it is not needed.

  6. Save the changes.

Using AWS CLI:

Delete Unused NACLs:

aws ec2 delete-network-acl --network-acl-id <network-acl-id>


Backout Plan

Using AWS Management Console:

  • Sign in to the AWS Management Console.

  • Navigate to VPC > Network ACLs.

  • Identify the NACLs flagged as unused by verifying their association with subnets.

  • If a NACL was mistakenly removed, recreate it:

      • Click Create Network ACL and specify the required settings.

      • Reassociate the recreated NACL with the appropriate subnets.

      • Confirm the configurations and verify traffic flow.


Using AWS CLI:

List all NACLs and their associations to subnets:

aws ec2 describe-network-acls

If an unused NACL was mistakenly deleted, recreate it using this command:

aws ec2 create-network-acl \
--vpc-id <vpc-id>

Reassociate the NACL with the appropriate subnet:

aws ec2 associate-network-acl \
--network-acl-id <network-acl-id> \
--subnet-id <subnet-id>

Verify the associations and configurations:

aws ec2 describe-network-acls
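The identification, deletion and backout steps above as one added script (example code, not part of the original document): it reads the JSON that describe-network-acls returns, selects NACLs that have no subnet association and are not the VPC default (which cannot be deleted), and records each candidate's custom rules so the backout plan can replay them, because create-network-acl alone yields a NACL that denies all traffic. The NACL IDs, VPC ID, tags and rules are constructed sample data.

```python
import json

# Constructed sample shaped like the output of `aws ec2 describe-network-acls`;
# the IDs, VPC and rules are made up for this example.
SAMPLE = json.dumps({"NetworkAcls": [
    {"NetworkAclId": "acl-0default", "VpcId": "vpc-0example", "IsDefault": True,
     "Associations": [], "Entries": []},
    {"NetworkAclId": "acl-0inuse", "VpcId": "vpc-0example", "IsDefault": False,
     "Associations": [{"NetworkAclAssociationId": "aclassoc-0a", "SubnetId": "subnet-0a"}],
     "Entries": []},
    {"NetworkAclId": "acl-0orphan", "VpcId": "vpc-0example", "IsDefault": False,
     "Associations": [], "Tags": [{"Key": "Name", "Value": "legacy-web"}],
     "Entries": [
         {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
          "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 443, "To": 443}},
         {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
          "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
          "CidrBlock": "0.0.0.0/0"}]}]})

def unused_nacls(describe_output: str) -> list:
    """NACLs with no subnet association that are not the VPC default (undeletable)."""
    acls = json.loads(describe_output)["NetworkAcls"]
    return [a for a in acls if not a.get("Associations") and not a.get("IsDefault")]

def backup_rules(acl: dict) -> dict:
    """Backout data; rule 32767 is the implicit deny every NACL has and cannot be recreated."""
    return {"NetworkAclId": acl["NetworkAclId"], "VpcId": acl["VpcId"],
            "Tags": acl.get("Tags", []),
            "Entries": [e for e in acl["Entries"] if e["RuleNumber"] != 32767]}

def restore_commands(backup: dict) -> list:
    """Backout commands: a freshly created NACL denies all traffic until entries are replayed."""
    cmds = [f"aws ec2 create-network-acl --vpc-id {backup['VpcId']}"]
    for e in backup["Entries"]:
        cmd = (f"aws ec2 create-network-acl-entry --network-acl-id <new-acl-id>"
               f" --rule-number {e['RuleNumber']} --protocol {e['Protocol']}"
               f" --rule-action {e['RuleAction']}"
               + (" --egress" if e.get("Egress") else " --ingress"))
        cidr = e.get("CidrBlock")
        cmd += f" --cidr-block {cidr}" if cidr else f" --ipv6-cidr-block {e['Ipv6CidrBlock']}"
        if "PortRange" in e:
            cmd += f" --port-range From={e['PortRange']['From']},To={e['PortRange']['To']}"
        cmds.append(cmd)
    return cmds

if __name__ == "__main__":  # print the backup and the backout commands per candidate
    for acl in unused_nacls(SAMPLE):
        print(json.dumps(backup_rules(acl)), *restore_commands(backup_rules(acl)), sep="\n")
```

Run it against real output by piping `aws ec2 describe-network-acls` into SAMPLE's place, and keep the printed backup before issuing delete-network-acl.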

References

CIS Controls

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | |
v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | |
v7 | 9.1 | Limit Exposure to External Networks – Use techniques like removing unused NACLs to reduce risks. | | |