
Unused Network Access Control Lists Should be Removed Rule

Guideline specifying removal of unused network access control lists to enhance security measures.

Rule: Unused network access control lists should be removed
Framework: AWS Foundational Security Best Practices
Severity: Low

Rule Description

This rule, part of the AWS Foundational Security Best Practices standard, checks for network access control lists (NACLs) that are not associated with any subnet and prompts their removal. A NACL acts as a stateless virtual firewall that controls inbound and outbound traffic at the subnet level. A NACL that is no longer associated with a subnet filters no traffic, but it lingers in the account, may contain outdated or overly permissive rules, and can be mistakenly re-associated with a subnet later.

Impact

Unused NACLs clutter the VPC, make reviews and audits harder, and create the risk that a stale, permissive NACL is attached to a subnet by mistake. Removing them keeps the set of NACLs in the account equal to the set that is actually enforcing policy, which is easier to review and maintain.

Troubleshooting Steps (if applicable)

The steps below apply when a finding for this rule is raised:

  1. Identify unused NACLs: List the NACLs in each VPC and note those with no subnet associations (in the output of aws ec2 describe-network-acls, an unused NACL has an empty Associations list). Confirm with the relevant teams or stakeholders that nobody intends to attach them again. NACLs are distinct from security groups, which operate at the network-interface level, so a security group review does not identify unused NACLs.

  2. Review existing rules: For each unused NACL, review its entries. If an entry is still required, it belongs on the active NACL that is associated with the subnet in question; check that the active NACL's rules match current security requirements and follow the principle of least privilege.

  3. Coordinate with stakeholders: Communicate with the network team or application owners to decide whether any rules should be consolidated into an active NACL before the unused one is removed.

  4. Backup and documentation: Before making changes, export the existing NACL configurations (for example the describe-network-acls output) and document why each NACL is being removed. This record supports later audits and troubleshooting.

  5. Implement the removal: Delete the unused NACLs. A NACL that is still associated with a subnet cannot be deleted; associate that subnet with the appropriate active NACL first, then delete. The default NACL of a VPC cannot be deleted at all and is out of scope. Update the network architecture diagrams and associated documentation afterwards.

Necessary codes (if applicable)

This section provides the command used to remove an unused NACL. Because AWS configurations vary between environments, consult the AWS documentation for your specific setup. Two constraints apply: a VPC's default NACL cannot be deleted, and a NACL that still has subnet associations cannot be deleted until those subnets are associated with another NACL (the call fails with a DependencyViolation error). Confirm beforehand that the NACL's Associations list, as returned by describe-network-acls, is empty.

Example:

aws ec2 delete-network-acl --network-acl-id <network-acl-id>

Step-by-Step Guide for Remediation

To remediate a finding for unused network access control lists (NACLs), follow the steps below:

  1. Identify unused NACLs:

    • List the NACLs in each VPC and locate those that are not associated with any subnet (an empty Associations list in the describe-network-acls output). Skip the VPC's default NACL, which cannot be deleted.
    • Consult the relevant teams or stakeholders to confirm that these NACLs are no longer needed.
  2. Review existing rules:

    • Evaluate the entries of each unused NACL and note any rule that a workload still requires.
    • Identify entries that are outdated, unnecessary, or overly permissive (for example allow rules open to 0.0.0.0/0 on all protocols), so they are not carried over to an active NACL.
  3. Coordinate with stakeholders:

    • Discuss the removal with the network team, application owners, or other stakeholders.
    • Decide whether any still-needed rules should be migrated to the active NACL of the relevant subnet.
  4. Backup and documentation:

    • Export the configuration of each NACL to be removed before making changes.
    • Document why each NACL is being removed for future reference.
  5. Implement the changes:

    • Using the AWS Management Console, CLI, or an SDK, delete the unused NACLs. If a NACL still has subnet associations, associate those subnets with the appropriate active NACL first; otherwise the delete call fails with a DependencyViolation error.
    • Confirm afterwards that every subnet is associated with the intended active NACL.
    • Update the network architecture diagrams and associated documentation to reflect the changes.
  6. Validate the changes:

    • Deleting a NACL that had no associations filters no traffic and cannot change connectivity. Where subnets were re-associated with a different NACL, test connectivity for the affected workloads to confirm that desired traffic still flows and that nothing unintended was opened.
    • Monitor VPC Flow Logs and application health for anomalies after the change.
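As an added, end-to-end example of steps 1, 2, 4 and 5 (this is not Cloud Defense's or AWS's code, and it uses Python with boto3 instead of the AWS CLI command shown above): the selection logic is exercised offline against a constructed DescribeNetworkAcls response embedded in the script, while the live path calls the real describe_network_acls and delete_network_acl EC2 APIs. The script name nacl_cleanup.py, the VPC, subnet and NACL IDs in the sample, and the backup directory name are assumptions.

```python
"""Find, back up and optionally delete unused NACLs (added example, not Cloud Defense or AWS code)."""
import json
import os
import sys

# Constructed sample in the shape of an EC2 DescribeNetworkAcls response (not real account data).
SAMPLE_RESPONSE = {
    "NetworkAcls": [
        # Default NACL: never deletable, so never selected even if it had no associations.
        {"NetworkAclId": "acl-0a1b2c3d4e5f60001", "VpcId": "vpc-0123456789abcdef0", "IsDefault": True,
         "Associations": [{"NetworkAclAssociationId": "aclassoc-0001",
                           "NetworkAclId": "acl-0a1b2c3d4e5f60001", "SubnetId": "subnet-0001"}],
         "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
                      "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
        # In use: associated with a subnet, so DeleteNetworkAcl would raise DependencyViolation.
        {"NetworkAclId": "acl-0a1b2c3d4e5f60002", "VpcId": "vpc-0123456789abcdef0", "IsDefault": False,
         "Associations": [{"NetworkAclAssociationId": "aclassoc-0002",
                           "NetworkAclId": "acl-0a1b2c3d4e5f60002", "SubnetId": "subnet-0002"}],
         "Entries": []},
        # Unused: no associations, and its only allow rule is a stale allow-all.
        {"NetworkAclId": "acl-0a1b2c3d4e5f60003", "VpcId": "vpc-0123456789abcdef0", "IsDefault": False,
         "Associations": [],
         "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
                      "Egress": False, "CidrBlock": "0.0.0.0/0"},
                     {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
                      "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
        # Unused: no associations, tightly scoped rule.
        {"NetworkAclId": "acl-0a1b2c3d4e5f60004", "VpcId": "vpc-0123456789abcdef0", "IsDefault": False,
         "Associations": [],
         "Entries": [{"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
                      "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 443, "To": 443}}]},
    ]
}


def find_unused_nacls(response):
    """Return non-default NACLs with no subnet associations from a DescribeNetworkAcls result.

    The default NACL is skipped because AWS does not allow deleting it; a NACL with any
    association is skipped because DeleteNetworkAcl fails with DependencyViolation until
    the subnet has been moved to another NACL.
    """
    return [nacl for nacl in response.get("NetworkAcls", [])
            if not nacl.get("IsDefault") and not nacl.get("Associations")]


def permissive_entries(nacl):
    """Return rule numbers of allow entries open to 0.0.0.0/0 or ::/0 on all protocols."""
    flagged = []
    for entry in nacl.get("Entries", []):
        wide_open = entry.get("CidrBlock") == "0.0.0.0/0" or entry.get("Ipv6CidrBlock") == "::/0"
        if entry.get("RuleAction") == "allow" and entry.get("Protocol") == "-1" and wide_open:
            flagged.append(entry["RuleNumber"])
    return flagged


def backup_nacl(nacl, backup_dir):
    """Write the full NACL description (entries, tags, VPC) to <backup_dir>/<acl-id>.json."""
    os.makedirs(backup_dir, exist_ok=True)
    path = os.path.join(backup_dir, f"{nacl['NetworkAclId']}.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(nacl, fh, indent=2, default=str)  # default=str guards against non-JSON types
    return path


def remediate(region, backup_dir="nacl-backups", delete=False):
    """Live run: back up every unused NACL in `region`; delete them only if `delete` is True."""
    import boto3  # imported here so the selection logic above runs without boto3 installed

    ec2 = boto3.client("ec2", region_name=region)
    unused = []
    for page in ec2.get_paginator("describe_network_acls").paginate():
        unused.extend(find_unused_nacls(page))
    for nacl in unused:
        path = backup_nacl(nacl, backup_dir)
        print(f"{nacl['NetworkAclId']} ({nacl['VpcId']}): backed up to {path}; "
              f"wide-open allow rules: {permissive_entries(nacl) or 'none'}")
        if delete:
            ec2.delete_network_acl(NetworkAclId=nacl["NetworkAclId"])
            print(f"  deleted {nacl['NetworkAclId']}")
    return [nacl["NetworkAclId"] for nacl in unused]


if __name__ == "__main__":
    # Usage: python nacl_cleanup.py <region> [--delete]   (dry run without --delete)
    if len(sys.argv) < 2:
        # No region given: show the selection logic on the constructed sample instead.
        for nacl in find_unused_nacls(SAMPLE_RESPONSE):
            print(nacl["NetworkAclId"], "wide-open allow rules:", permissive_entries(nacl))
    else:
        remediate(sys.argv[1], delete="--delete" in sys.argv[2:])
```

Run it with no arguments to see the selection logic on the embedded sample (it picks acl-0a1b2c3d4e5f60003 and acl-0a1b2c3d4e5f60004 and flags rule 100 of the former as an allow-all), with a region to back up and list the unused NACLs in a real account without deleting anything, and with --delete to perform the removal. The live path needs the ec2:DescribeNetworkAcls and ec2:DeleteNetworkAcl permissions; the backup files are the "before" record that step 4 asks for.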

By following this guide, you can successfully remediate the issue of unused network access control lists (NACLs) in line with AWS Foundational Security Best Practices.
