
Unused Network Access Control Lists Should Be Removed

Overview

This check identifies non-default Network ACLs (NACLs) in your VPC that are not associated with any subnet. Removing unused NACLs helps keep your infrastructure clean and reduces confusion during security reviews.

Note: This check does not flag unused default Network ACLs, only custom ones you have created.

Risk

Unused Network ACLs pose a low but real security risk:

  • Accidental misassociation: Someone could mistakenly associate a permissive unused NACL with a production subnet, exposing workloads
  • Infrastructure drift: Stale resources make security audits harder and obscure the true state of your environment
  • Overly restrictive surprises: An unused NACL with strict rules could unexpectedly block traffic if associated later

Remediation Steps

Prerequisites

  • AWS Console access with permissions to view and delete Network ACLs
  • Alternatively, AWS CLI configured with appropriate credentials

AWS Console Method

  1. Open the VPC Console
  2. In the left navigation, click Network ACLs
  3. Look for Network ACLs where the Associated with column shows 0 subnets
  4. Select the unused Network ACL (make sure it is not the default NACL)
  5. Click Actions > Delete network ACL
  6. Confirm the deletion by clicking Delete

Alternative: Keep the NACL but associate it with a subnet

If you want to retain the NACL for future use:

  1. Select the unused Network ACL
  2. Click Actions > Edit subnet associations
  3. Check the box next to the subnet(s) you want to associate
  4. Click Save changes

AWS CLI Method

Find Unused Network ACLs

List all non-default Network ACLs that have no subnet associations:

aws ec2 describe-network-acls \
    --region us-east-1 \
    --query "NetworkAcls[?!IsDefault && length(Associations)==\`0\`].[NetworkAclId,VpcId,Tags[?Key=='Name'].Value|[0]]" \
    --output table

Delete an Unused Network ACL

Once you have identified the NACL ID to remove:

aws ec2 delete-network-acl \
    --region us-east-1 \
    --network-acl-id <nacl-id>

Replace <nacl-id> with the actual Network ACL ID (e.g., acl-0123456789abcdef0).

Note: You cannot delete a Network ACL that is currently associated with a subnet. You also cannot delete the default Network ACL.
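The same find-then-delete procedure as a small script, added here as an example rather than Prowler's or AWS's own code: it applies the filter from the JMESPath query above to the describe-network-acls response and only ever passes a non-default, unassociated NACL to the delete call. The sample response is constructed, and a live run assumes boto3 is installed with credentials in the environment.

```python
"""Find, and optionally remove, unused non-default Network ACLs in one region.

Added example, not Prowler's or AWS's own code. It filters the documented
describe-network-acls response the way the JMESPath query above does (IsDefault
false, Associations empty). SAMPLE_RESPONSE is constructed; live runs need boto3.
"""
import sys

SAMPLE_RESPONSE = {"NetworkAcls": [  # constructed sample, shaped like the API response
    {"NetworkAclId": "acl-0default01", "VpcId": "vpc-0a", "IsDefault": True, "Associations": []},
    {"NetworkAclId": "acl-0custom02", "VpcId": "vpc-0a", "IsDefault": False,
     "Associations": [{"NetworkAclAssociationId": "aclassoc-01", "SubnetId": "subnet-0a1"}]},
    {"NetworkAclId": "acl-0custom03", "VpcId": "vpc-0a", "IsDefault": False, "Associations": [],
     "Tags": [{"Key": "Name", "Value": "old-dmz"}]},
    {"NetworkAclId": "acl-0custom04", "VpcId": "vpc-0b", "IsDefault": False},  # key absent
]}

def name_tag(acl):
    """Value of the Name tag, or None when the NACL is untagged."""
    return next((t["Value"] for t in acl.get("Tags", []) if t.get("Key") == "Name"), None)

def is_unused_custom(acl):
    """Non-default and no subnet association (a missing Associations key counts as none)."""
    return not acl.get("IsDefault", False) and not acl.get("Associations")

def unused_custom_nacls(response):
    """[(NetworkAclId, VpcId, Name)] for every NACL this check would flag."""
    return [(a["NetworkAclId"], a["VpcId"], name_tag(a))
            for a in response.get("NetworkAcls", []) if is_unused_custom(a)]

def delete_unused(response, delete_fn):
    """Call delete_fn(nacl_id) only for flagged NACLs (never defaults or associated ones)."""
    deleted = []
    for acl in response.get("NetworkAcls", []):
        if is_unused_custom(acl):
            delete_fn(acl["NetworkAclId"])
            deleted.append(acl["NetworkAclId"])
    return deleted

if __name__ == "__main__":  # usage: python find_unused_nacls.py [region] [--delete]
    import boto3  # assumed installed; credentials come from the usual AWS env/profile
    args = [a for a in sys.argv[1:] if a != "--delete"]
    ec2 = boto3.client("ec2", region_name=args[0] if args else "us-east-1")
    pages = ec2.get_paginator("describe_network_acls").paginate()  # follows NextToken
    live = {"NetworkAcls": [a for page in pages for a in page["NetworkAcls"]]}
    for nacl_id, vpc_id, name in unused_custom_nacls(live):
        print(f"{nacl_id}\t{vpc_id}\t{name or '-'}")
    if "--delete" in sys.argv:
        delete_unused(live, lambda i: ec2.delete_network_acl(NetworkAclId=i))
```

Run it without `--delete` first and review the list (including the Name tag) before deleting anything.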

Terraform (Associate NACL Instead of Deleting)

If you manage your infrastructure with Terraform and want to associate an unused Network ACL with a subnet rather than delete it:

resource "aws_network_acl_association" "example" {
  subnet_id      = "subnet-12345678"
  network_acl_id = "acl-12345678"
}

Replace the placeholder IDs with your actual subnet and Network ACL IDs.

To remove a Network ACL entirely in Terraform, simply remove the aws_network_acl resource from your configuration and run terraform apply.

Verification

After remediation, verify the fix:

Console: Return to the Network ACLs page and confirm the unused NACL no longer appears, or that it now shows subnet associations.

CLI Verification

Run Prowler again to confirm the check passes:

prowler aws --checks ec2_networkacl_unused

Or verify directly with AWS CLI:

aws ec2 describe-network-acls \
    --region us-east-1 \
    --query "NetworkAcls[?!IsDefault && length(Associations)==\`0\`].NetworkAclId" \
    --output text

An empty result means no unused non-default Network ACLs remain.

Additional Resources

Notes

  • Default Network ACLs cannot be deleted. Every VPC has a default NACL that cannot be removed. This check only flags custom (non-default) NACLs.
  • Consider tagging before deleting. If you are unsure why a NACL exists, add a tag with owner and purpose information, or check with your team before deletion.
  • Low severity does not mean ignore. While this is a low-severity finding, cleaning up unused resources is a good hygiene practice that simplifies security reviews.