How to Find Unused Network Access Control Lists (ACLs) in AWS

Network ACLs are useful at regulating inbound and outbound traffic at the subnet level, but if network ACLs aren’t associated with a subnet, they just sit idle.

Unused resources in AWS add clutter and unnecessary security risks. By cleaning up unused or redundant network ACLs, you can ensure that your AWS account is well-maintained.

In this guide, we’ll show you how to find and delete unused or redundant network ACLs using the AWS console and CLI.

Blink Automation: Find Unused ACLs in AWS

Blink + AWS

Try This Automation

Finding Unused Network Access Control Lists

Using the AWS Console:

Finding unused ACLs can be accomplished with more than one method. Below, you can find how to navigate AWS to seek out and delete unused entries.

1. Log in to the Amazon Virtual Private Cloud Console.
2. Open the navigation pane in AWS and select an option for Network ACLs. There are two options: the Network ACLs under the resources section. There is another option for Network ACLs under the VPC dashboard panel; it's on the left-hand side of the screen, towards the bottom, under the Security subheading. On the next screen, you’ll see a list of all network ACLs.
3. Select each network ACL to check to see if it is associated with a subnet. Click on the tab at the bottom of the screen that says Subnet Association. If there are no associated subnets, this indicates that the ACL is unused.
4. You can also check for redundant ACLs that share the same associated subnet. If the network ACL is redundant, you can dissociate one of the ACLs from its subnet by editing in the Subnet Associations tab, and then it can be deleted.

Using the AWS CLI:

1. To find out if a network ACL is unused, you can run the following command:

aws ec2 describe-network-acls

You’ll see an output that looks like this: 

{
    "NetworkAcls": [
        {
            "Associations": [
                {
                    "NetworkAclAssociationId": "aclassoc-0c1679dc41EXADEMO",
                    "NetworkAclId": "acl-0ea1f54ca7312DEMO",
                    "SubnetId": "subnet-0931fc2fa5EXAMPLE"
                }
            ],
            "Entries": [
                {
                    "CidrBlock": "0.0.0.0/0",
                    "Egress": true,
                    "Protocol": "-1",
                    "RuleAction": "allow",
                    "RuleNumber": 100
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "Egress": true,
                    "Protocol": "-1",
                    "RuleAction": "deny",
                    "RuleNumber": 32767
                },
            ],
            "IsDefault": true,
            "NetworkAclId": "acl-0ea1f54ca7312DEMO",
            "Tags": [],
            "VpcId": "vpc-06e4ab6c6cEXAMPLE",
            "OwnerId": "111122223333"
        },
        {
            "Associations": [],
            "Entries": [
                {
                    "CidrBlock": "0.0.0.0/0",
                    "Egress": true,
                    "Protocol": "-1",
                    "RuleAction": "allow",
                    "RuleNumber": 100
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "Egress": true,
                    "Protocol": "-1",
                    "RuleAction": "deny",
                    "RuleNumber": 32767
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "Egress": false,
                    "Protocol": "-1",
                    "RuleAction": "deny",
                    "RuleNumber": 32767
                },
            ],
            "IsDefault": true,
            "NetworkAclId": "acl-0e2a78e4e2EXAMPLE",
            "Tags": [],
            "VpcId": "vpc-03914afb3eEXAMPLE",
            "OwnerId": "111122223333"
        }
    ]
}

If you see any ACLs with no associations (shown by the line "Associations": [],”), then you can note the NetworkAclID as an ACL that is unused and can be deleted.

Deleting Unused Network ACLs

Using the Console:

1. In the Amazon VPC console, choose Network ACLs in the navigation pane.
2. Go through each network ACL by choosing the list of entries that are unused or redundant. For those not associated with a subnet, select it and press Delete.
3. A confirmation box will appear, asking if you want to delete the NACL. Select the confirmation that says Yes.
4. Return to the list of network ACLs. Repeat this process and delete each NACL not associated with a subnet.

Using the AWS CLI:

It is not possible to delete a network ACL if it is associated with a subnet; it’s also not possible to delete the default network ACL. However, if you find a network ACL that is not associated with a subnet, delete it by running the following command:

aws ec2 delete-network-acl --network-acl-id <unused-ACL-ID>

Repeat this process for all unused or redundant ACLs.

You won’t see any output from these commands. To confirm that you have successfully deleted them, you can run the describe-network-acls command again.

Automatically Removing Unused Network ACLs with Blink

Manually finding unused ACLs isn’t hard, but it requires you to context-switch and either click through the console or run CLI commands. There’s an easier way to manage your resources and ensure a clean AWS account.

With Blink, there’s an easier way to manage all of your resources and ensure a clean AWS account.

This automation in the Blink library scans your AWS account for unused ACLs and Security Groups.

When the automation runs, it does the following steps:

1. Queries AWS for all unused Security Groups.
2. Queries AWS for all unused ACLs.
3. If any are found, it sends a report to a Slack channel.

You can also customize this automation by dragging and dropping no-code actions into the canvas to add conditional logic, notifications, or approval steps.

Build your own automation from scratch or use one of our 5K pre-built automations like this one today.

Start a free trial of Blink today or schedule time with us to see more.