MEDIUM VPC

Unrestricted NACL

Check ID: aws-vpc-004

AWS-VPC-004 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for non-default (custom) Network ACLs that have an inbound rule allowing all protocols and ports from 0.0.0.0/0 or ::/0.

Why it matters

Network ACLs provide stateless, subnet-level filtering that is evaluated independently of security groups: inbound traffic must pass the subnet's NACL before any instance's security group is consulted. A custom NACL whose ingress rules allow all protocols from 0.0.0.0/0 (or ::/0) adds nothing beyond the default NACL and provides no defense-in-depth value. In a defense-in-depth architecture, NACLs should block known malicious IP ranges and restrict traffic to the protocols and ports the subnet is expected to serve, so that a misconfigured security group is still caught at the subnet boundary. AWS security best practices recommend using NACLs for explicit denies of specific CIDR blocks and for limiting the allowed protocols at the subnet boundary. This matters most for public subnets, where a security group mistake would otherwise expose services directly to the internet with no network-level backstop.

Common causes

Unrestricted NACLs usually appear when teams create a custom NACL to replace the default but copy its allow-all rules as a starting point and never refine them. Engineers unfamiliar with stateless NACL behaviour add broad allow rules to avoid breaking return traffic (which needs an inbound rule for the ephemeral port range, not an allow-all), effectively turning the NACL into a pass-through. Some teams treat security groups as the only network filter and deliberately configure NACLs as pass-through, giving up the defense-in-depth layer.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
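If you want to reproduce the check's logic yourself, for example against saved `aws ec2 describe-network-acls` output in a pipeline, the following added example (not cloud-audit's own code) implements it over that JSON shape. It goes slightly beyond the one-line description by walking rules in evaluation order so that an allow-all shadowed by an earlier deny-all is not reported; the SAMPLE data is constructed.

```python
"""Reproduce the AWS-VPC-004 check over describe-network-acls output.

Added example, not cloud-audit's own code.  It consumes the JSON shape
returned by `aws ec2 describe-network-acls` (or boto3's describe_network_acls),
so it can run offline against saved output; SAMPLE below is constructed.
"""
import json
import sys

ALL_IPV4 = "0.0.0.0/0"
ALL_IPV6 = "::/0"
CATCH_ALL_RULE = 32767  # the immutable '*' deny entry AWS appends to every NACL


def _any_source(entry):
    """True if the entry matches every source address of its family."""
    return entry.get("CidrBlock") == ALL_IPV4 or entry.get("Ipv6CidrBlock") == ALL_IPV6


def _all_traffic(entry):
    """True for protocol -1 (every protocol, every port)."""
    return str(entry.get("Protocol")) == "-1"


def unrestricted_ingress_rules(nacl):
    """Ingress rule numbers on a non-default NACL that allow all traffic from anywhere.

    Rules are walked in evaluation order (lowest number first).  A deny-all for
    the same address family at a lower number shadows a later allow-all, so that
    allow is dead and is not reported.  TCP/UDP rules spanning 0-65535 are a
    judgment call and are deliberately not flagged, matching the check text.
    """
    if nacl.get("IsDefault"):
        return []
    ingress = sorted(
        (e for e in nacl.get("Entries", []) if not e.get("Egress")),
        key=lambda e: e["RuleNumber"],
    )
    shadowed = set()  # address families already denied in full
    flagged = []
    for entry in ingress:
        if entry["RuleNumber"] == CATCH_ALL_RULE:
            continue
        if not (_any_source(entry) and _all_traffic(entry)):
            continue
        family = "v6" if "Ipv6CidrBlock" in entry else "v4"
        if family in shadowed:
            continue
        if entry["RuleAction"] == "allow":
            flagged.append(entry["RuleNumber"])
        else:
            shadowed.add(family)
    return flagged


def scan(describe_output):
    """Map NetworkAclId -> offending ingress rule numbers, findings only."""
    findings = {}
    for nacl in describe_output.get("NetworkAcls", []):
        rules = unrestricted_ingress_rules(nacl)
        if rules:
            findings[nacl["NetworkAclId"]] = rules
    return findings


def _entry(number, action, cidr, protocol="-1", egress=False, ports=None):
    """Build one NACL entry in the describe-network-acls shape (test data only)."""
    e = {"RuleNumber": number, "RuleAction": action, "Protocol": protocol, "Egress": egress}
    e["Ipv6CidrBlock" if ":" in cidr else "CidrBlock"] = cidr
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


# Constructed sample: one NACL of each shape the check has to get right.
SAMPLE = {"NetworkAcls": [
    {"NetworkAclId": "acl-default", "IsDefault": True, "Entries": [   # default: skipped
        _entry(100, "allow", ALL_IPV4), _entry(CATCH_ALL_RULE, "deny", ALL_IPV4)]},
    {"NetworkAclId": "acl-copied", "IsDefault": False, "Entries": [   # finding (v4 and v6)
        _entry(100, "allow", ALL_IPV4), _entry(101, "allow", ALL_IPV6),
        _entry(100, "allow", ALL_IPV4, egress=True), _entry(CATCH_ALL_RULE, "deny", ALL_IPV4)]},
    {"NetworkAclId": "acl-scoped", "IsDefault": False, "Entries": [   # clean: 443 + ephemeral
        _entry(100, "allow", ALL_IPV4, "6", ports=(443, 443)),
        _entry(110, "allow", ALL_IPV4, "6", ports=(1024, 65535)),
        _entry(CATCH_ALL_RULE, "deny", ALL_IPV4)]},
    {"NetworkAclId": "acl-shadowed", "IsDefault": False, "Entries": [ # dead allow-all
        _entry(50, "deny", ALL_IPV4), _entry(200, "allow", ALL_IPV4),
        _entry(CATCH_ALL_RULE, "deny", ALL_IPV4)]},
]}

if __name__ == "__main__":
    # Pass a saved `aws ec2 describe-network-acls` JSON file, or run on SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    print(json.dumps(scan(data), indent=2))
```

Running it on SAMPLE reports only acl-copied (rules 100 and 101); the default NACL, the scoped NACL and the NACL whose allow-all is shadowed by rule 50 are not findings.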

Remediation: AWS CLI

aws ec2 replace-network-acl-entry --network-acl-id NACL_ID --rule-number 100 --protocol -1 --rule-action deny --ingress --cidr-block 0.0.0.0/0 --region REGION

This replaces rule 100 (typically the copied allow-all rule) with a deny for all traffic from 0.0.0.0/0. NACL rules are evaluated in ascending order and the first match wins, so a deny-all at 100 also shadows every higher-numbered rule: the subnet drops all inbound traffic until you add scoped allow rules with numbers below 100. Repeat the command with --ipv6-cidr-block ::/0 if the NACL also has an IPv6 allow-all. Because the NACL is stateless, responses to connections initiated from inside the subnet need an inbound allow for the ephemeral port range (1024-65535) as well, or those connections will hang.

Remediation: Terraform

resource "aws_network_acl_rule" "restrict_inbound" {
  network_acl_id = "acl-xxx"
  rule_number    = 100          # reuses the slot of the copied allow-all rule
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "10.0.0.0/8"  # narrow to the ranges that actually need access
  from_port      = 443
  to_port        = 443
}

This keeps rule 100 but narrows it to TCP 443 from 10.0.0.0/8. If the existing rule 100 was created outside Terraform, import it into this resource first so the apply replaces it instead of failing on a duplicate rule number. Pair it with a second aws_network_acl_rule allowing TCP 1024-65535 inbound from the ranges the subnet connects out to; without it the stateless NACL drops return traffic for outbound connections.
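The two remediations above each fix one rule and leave the ephemeral-port and ordering pitfalls to the operator. The following added example (not cloud-audit's or AWS's own code) turns the remediation into a plan of boto3 EC2 calls that creates the scoped rules first, adds an inbound ephemeral-port rule per address family, and deletes the allow-all rule last, so the subnet never drops legitimate traffic mid-change. The rule-numbering scheme, the allowed-service list, the constructed NACL and the recording FakeClient are this example's assumptions.

```python
"""Plan and apply the AWS-VPC-004 fix without breaking return traffic.

Added example, not cloud-audit's or AWS's own code.  It computes the EC2 API
calls that replace an allow-all ingress rule with scoped rules and then issues
them through a boto3 EC2 client.  The rule-numbering scheme, the allowed-service
list and the recording FakeClient are this example's assumptions.
"""

CATCH_ALL_RULE = 32767
EPHEMERAL = {"From": 1024, "To": 65535}  # replies to outbound TCP connections


def _cidr_kwargs(cidr):
    """boto3 names the IPv6 parameter differently from the IPv4 one."""
    return {"Ipv6CidrBlock": cidr} if ":" in cidr else {"CidrBlock": cidr}


def _free_rule_numbers(entries, after, count, step=10):
    """`count` unused ingress rule numbers above `after`, spaced by `step`."""
    used = {e["RuleNumber"] for e in entries if not e.get("Egress")}
    numbers, candidate = [], after - after % step
    while len(numbers) < count:
        candidate += step
        if candidate >= CATCH_ALL_RULE:
            raise ValueError("no free ingress rule numbers below the catch-all entry")
        if candidate not in used:
            numbers.append(candidate)
    return numbers


def plan_ingress_fix(nacl, offending_rules, allowed):
    """Ordered (boto3 method name, kwargs) pairs that fix one NACL.

    nacl:            one element of describe_network_acls()["NetworkAcls"]
    offending_rules: ingress rule numbers that allow all traffic from anywhere
    allowed:         (cidr, ip_protocol_number, from_port, to_port) tuples to keep

    Scoped rules are created first and the allow-all rules deleted last, so the
    subnet never drops legitimate traffic in between.  Deleting (rather than
    turning rule 100 into a deny) leaves the catch-all deny to do its job
    without shadowing higher-numbered rules.  The NACL is stateless, so an
    inbound ephemeral-port rule is added per address family the allow-all
    covered; add a protocol 17 twin if the subnet also makes UDP calls out.
    """
    if not offending_rules:
        return []
    nacl_id, entries = nacl["NetworkAclId"], nacl.get("Entries", [])
    families = sorted({"::/0" if "Ipv6CidrBlock" in e else "0.0.0.0/0"
                       for e in entries
                       if not e.get("Egress") and e["RuleNumber"] in offending_rules})
    new_rules = [(cidr, proto, {"From": lo, "To": hi}) for cidr, proto, lo, hi in allowed]
    new_rules += [(cidr, 6, EPHEMERAL) for cidr in families]
    numbers = _free_rule_numbers(entries, max(offending_rules), len(new_rules))

    plan = []
    for number, (cidr, proto, ports) in zip(numbers, new_rules):
        plan.append(("create_network_acl_entry", {
            "NetworkAclId": nacl_id, "RuleNumber": number, "Protocol": str(proto),
            "RuleAction": "allow", "Egress": False, "PortRange": ports,
            **_cidr_kwargs(cidr)}))
    for number in sorted(offending_rules):
        plan.append(("delete_network_acl_entry",
                     {"NetworkAclId": nacl_id, "RuleNumber": number, "Egress": False}))
    return plan


def apply_plan(client, plan):
    """Issue each call against a boto3 EC2 client; returns the number of calls made."""
    for method, kwargs in plan:
        getattr(client, method)(**kwargs)
    return len(plan)


class FakeClient:
    """Stand-in for boto3.client("ec2") that records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        return lambda **kwargs: self.calls.append((name, kwargs))


# Constructed NACL: copied allow-all at 100, an existing deny at 110 that the
# planner must not collide with, plus the catch-all entry.
NACL = {"NetworkAclId": "acl-copied", "IsDefault": False, "Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "192.0.2.0/24", "PortRange": {"From": 0, "To": 65535}},
    {"RuleNumber": CATCH_ALL_RULE, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]}
ALLOWED = [("0.0.0.0/0", 6, 443, 443), ("10.0.0.0/8", 6, 22, 22)]

if __name__ == "__main__":
    # For a real run: client = boto3.client("ec2", region_name="REGION")
    client = FakeClient()
    apply_plan(client, plan_ingress_fix(NACL, [100], ALLOWED))
    for method, kwargs in client.calls:
        print(method, kwargs)
```

For the constructed NACL the plan creates rules 120 (TCP 443 from anywhere), 130 (TCP 22 from 10.0.0.0/8) and 140 (ephemeral range from anywhere), skipping the occupied slot 110, and only then deletes rule 100. Review the placement of new allows relative to any existing deny rules before applying: a deny only takes effect if its number is lower than the allow that would otherwise match.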

This check is part of cloud-audit - install with pip install cloud-audit