How to Find Unused AWS Network Access Control Lists (ACLs)
Reduce security risks by finding and deleting unused AWS Network ACLs. Learn how to locate them using AWS tools.
Patrick Londa
Author
Feb 26, 2023
Network ACLs are useful for regulating inbound and outbound traffic at the subnet level, but a network ACL that isn’t associated with any subnet just sits idle.
Unused resources in AWS add clutter and unnecessary security risks. By cleaning up unused or redundant network ACLs, you can ensure that your AWS account is well-maintained.
In this guide, we’ll show you how to find and delete unused or redundant network ACLs using the AWS console and CLI.
Using the AWS Console:
Open the VPC dashboard in the AWS console and select Network ACLs. It is listed in two places: under the Resources section, and in the navigation pane on the left-hand side of the screen, towards the bottom, under the Security subheading. The next screen lists all of your network ACLs.
Select each network ACL and open the Subnet Associations tab at the bottom of the screen to check whether it is associated with a subnet. If there are no associated subnets, the ACL is unused.
You can also check for redundant ACLs that share the same associated subnet. If a network ACL is redundant, you can dissociate it from its subnet by editing in the Subnet Associations tab, after which it can be deleted.
Go through the list and, for each network ACL that is not associated with a subnet, select it and press Delete.
A confirmation box will appear, asking if you want to delete the NACL. Select Yes.
Return to the list of network ACLs and repeat this process until every NACL not associated with a subnet has been deleted.
Using the AWS CLI:
Run the describe-network-acls command to list the network ACLs in your account. If you see any ACLs with no associations (shown by the line "Associations": [],), note the NetworkAclId as an ACL that is unused and can be deleted.
It is not possible to delete a network ACL while it is associated with a subnet, and it is not possible to delete the default network ACL. For a network ACL that is not associated with a subnet, delete it by running the delete-network-acl command with its NetworkAclId.
Repeat this process for all unused or redundant ACLs.
You won’t see any output from these commands. To confirm that you have successfully deleted them, run the describe-network-acls command again.
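The CLI procedure above can be scripted so that the review step is not done by eye. The following is an added example written for this guide, not code from the original post or from Blink. It reads the JSON that `aws ec2 describe-network-acls --output json` prints on stdin, skips the default ACL (which AWS will not let you delete) and any ACL that still has an entry in its `Associations` list, and prints one `aws ec2 delete-network-acl --network-acl-id` line per candidate for you to review before running. The embedded sample is constructed in the shape of the CLI output; the ACL, VPC and subnet IDs in it are made up.

```python
#!/usr/bin/env python3
"""List network ACLs that have no subnet association, from describe-network-acls output.

Usage (pipe the CLI's JSON in; with no stdin it runs against the built-in sample):
    aws ec2 describe-network-acls --output json | python3 find_unused_nacls.py
"""
import json
import sys


def find_unused_nacls(describe_output):
    """Return the IDs of deletable ACLs: no subnet associations and not the VPC default.

    `describe_output` is the parsed JSON from `aws ec2 describe-network-acls`.
    """
    unused = []
    for acl in describe_output.get("NetworkAcls", []):
        if acl.get("IsDefault"):
            # The default ACL cannot be deleted, even when nothing is associated with it.
            continue
        if not acl.get("Associations"):
            # "Associations": [] means no subnet uses this ACL.
            unused.append(acl["NetworkAclId"])
    return sorted(unused)


def delete_commands(acl_ids):
    """Render one delete command per ACL so an operator can review them before running."""
    return [f"aws ec2 delete-network-acl --network-acl-id {acl_id}" for acl_id in acl_ids]


# Constructed sample in the shape of the CLI output; all IDs are made up.
SAMPLE = {
    "NetworkAcls": [
        {"NetworkAclId": "acl-0aaa111", "VpcId": "vpc-0example", "IsDefault": True,
         "Associations": [], "Entries": []},
        {"NetworkAclId": "acl-0bbb222", "VpcId": "vpc-0example", "IsDefault": False,
         "Associations": [{"NetworkAclAssociationId": "aclassoc-0111",
                           "NetworkAclId": "acl-0bbb222",
                           "SubnetId": "subnet-0aaa"}],
         "Entries": []},
        {"NetworkAclId": "acl-0ccc333", "VpcId": "vpc-0example", "IsDefault": False,
         "Associations": [], "Entries": []},
    ]
}


def main():
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    ids = find_unused_nacls(data)
    if not ids:
        print("No unused, non-default network ACLs found.")
        return
    print("# Review, then run each line to delete the ACL:")
    for cmd in delete_commands(ids):
        print(cmd)


if __name__ == "__main__":
    main()
```

Against the sample, only `acl-0ccc333` is reported: `acl-0aaa111` is skipped because it is the VPC default, and `acl-0bbb222` because a subnet is still associated with it. Printing the commands rather than executing them keeps a human review between discovery and deletion.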
Automatically Removing Unused Network ACLs with Blink
Manually finding unused ACLs isn’t hard, but it requires you to context-switch and either click through the console or run CLI commands. With Blink, there’s an easier way to manage all of your resources and ensure a clean AWS account.
This automation in the Blink library scans your AWS account for unused ACLs and Security Groups.
When the automation runs, it does the following steps:
Queries AWS for all unused Security Groups.
Queries AWS for all unused ACLs.
If any are found, it sends a report to a Slack channel.
You can also customize this automation by dragging and dropping no-code actions into the canvas to add conditional logic, notifications, or approval steps.
Build your own automation from scratch or use one of our 5K pre-built automations like this one today.