NACL Change
This alert occurs when Lacework detects an AWS network ACL change.
Why this Alert is Important
The AWS Network Access Control List (NACL) plays an important part in limiting the extent to which your AWS instances are exposed. NACLs, however, are stateless: return traffic is not tracked automatically, so if you change an inbound rule you must also change the corresponding outbound rule. Unauthorized modification of a NACL can give attackers access to your AWS instances' network interfaces.
Investigation
Ensure that all changes to NACLs are audited and made only by authorized personnel. Search for rules that allow access to or from unknown IP addresses. Check for anomalies in the changes made to your NACLs.
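As an added example (not Lacework's code and not part of this page), the following Python script triages CloudTrail records for NACL changes in the way the investigation steps above describe: it keeps only the API calls that mutate a NACL, flags changes made by principals outside an assumed set of authorized ARNs, and flags allow rules that open traffic to or from anywhere or to or from ranges outside an assumed allow-list of known CIDRs. The sample CloudTrail events, the known ranges and the authorized ARN are all constructed for illustration.

```python
"""Triage CloudTrail records for risky network ACL changes.

Added example, not Lacework's code. Assumes CloudTrail records in their
standard JSON shape; the sample events, the allow-list of known CIDR ranges
and the set of authorized principals below are constructed for illustration.
"""
import ipaddress
import json

# EC2 API calls that alter a NACL or its rules (CloudTrail eventName values).
NACL_MUTATIONS = {
    "CreateNetworkAcl", "DeleteNetworkAcl", "ReplaceNetworkAclAssociation",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}
# The subset that carries a rule body worth inspecting.
RULE_EVENTS = {"CreateNetworkAclEntry", "ReplaceNetworkAclEntry"}

# Assumed: address ranges your organisation recognises (constructed values).
KNOWN_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]
# Assumed: principals permitted to change NACLs (constructed ARN).
AUTHORIZED_PRINCIPALS = {"arn:aws:iam::123456789012:role/NetworkAdmin"}

# Constructed sample CloudTrail records (not real log data).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/NetworkAdmin"},
     "requestParameters": {"networkAclId": "acl-0abc", "ruleNumber": 100,
                           "protocol": "6", "ruleAction": "allow", "egress": False,
                           "cidrBlock": "203.0.113.0/24",
                           "portRange": {"from": 443, "to": 443}}},
    {"eventID": "evt-2", "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"networkAclId": "acl-0abc", "ruleNumber": 90,
                           "protocol": "-1", "ruleAction": "allow", "egress": False,
                           "cidrBlock": "0.0.0.0/0"}},
    {"eventID": "evt-3", "eventName": "ReplaceNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/NetworkAdmin"},
     "requestParameters": {"networkAclId": "acl-0abc", "ruleNumber": 110,
                           "protocol": "6", "ruleAction": "allow", "egress": True,
                           "cidrBlock": "198.51.100.0/24",
                           "portRange": {"from": 1024, "to": 65535}}},
    {"eventID": "evt-4", "eventName": "DescribeNetworkAcls",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {}},
]


def is_known(cidr, known_ranges):
    """True if cidr lies inside one of the recognised ranges (same IP version only)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == k.version and net.subnet_of(k) for k in known_ranges)


def triage_event(event, known_ranges=KNOWN_RANGES, authorized=AUTHORIZED_PRINCIPALS):
    """Return a list of findings for one CloudTrail record (empty list = nothing suspicious)."""
    findings = []
    actor = event.get("userIdentity", {}).get("arn", "<unknown>")
    if actor not in authorized:
        findings.append(f"change by unauthorized principal {actor}")
    params = event.get("requestParameters") or {}
    if event.get("eventName") in RULE_EVENTS and params.get("ruleAction") == "allow":
        # Report the direction so the analyst can check the matching rule on the other
        # side: NACLs are stateless, so an inbound allow needs a deliberate outbound rule.
        direction = "outbound" if params.get("egress") else "inbound"
        cidr = params.get("cidrBlock") or params.get("ipv6CidrBlock")
        if cidr:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{direction} allow from anywhere ({cidr})")
            elif not is_known(cidr, known_ranges):
                findings.append(f"{direction} allow for unrecognised range {cidr}")
        if params.get("protocol") == "-1":
            findings.append(f"{direction} allow for all protocols and ports")
    return findings


def triage(events, **kwargs):
    """Map eventID -> findings for every NACL-mutating record; read-only calls are skipped."""
    return {e["eventID"]: triage_event(e, **kwargs)
            for e in events if e.get("eventName") in NACL_MUTATIONS}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Every mutating event is kept in the output, including those with no findings, so the analyst sees the full set of changes rather than only the suspicious ones; the actor check and the CIDR allow-list are the two inputs that need to be populated from your own environment before the script is useful.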
Resolution
Revert all NACL changes that are not necessary. Use a common template to make changes. Follow the principle of least privilege.