NACL Change

This alert occurs when Lacework detects an AWS network ACL change.

Why this Alert is Important

The AWS Network Access Control List (NACL) plays an important part in limiting the extent to which your AWS instances are exposed. NACLs, however, are stateless: return traffic is not permitted automatically, so if you change an inbound rule you must also make the corresponding change to the outbound rule. Unauthorized modification of a NACL can give attackers access to your AWS instances' network interfaces.

Investigation

Ensure that all changes to NACLs are audited and made only by authorized personnel. Search for rules that allow traffic to or from unknown IP addresses. Check for anomalies in the changes made to the NACL.
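The checks above, as an added example that is not part of the Lacework documentation: a Python triage of CloudTrail records for NACL-modifying EC2 API calls that flags allow rules whose CIDR falls outside an approved list and changes made by principals outside an authorized set. The sample records, the CIDR allowlist and the authorized ARNs are constructed; the event names and `requestParameters` keys follow the EC2 API as CloudTrail logs it.

```python
import ipaddress

# EC2 API calls that modify NACL rules or associations (as they appear in CloudTrail eventName)
NACL_CHANGE_EVENTS = {
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclAssociation", "DeleteNetworkAcl",
}

def triage_nacl_events(records, known_cidrs, authorized_arns):
    """Return (eventID, reason) findings for NACL changes worth a closer look."""
    known = [ipaddress.ip_network(c) for c in known_cidrs]
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") not in NACL_CHANGE_EVENTS:
            continue  # not a NACL change; ignore
        event_id = rec["eventID"]
        actor = rec.get("userIdentity", {}).get("arn", "")
        if actor not in authorized_arns:
            findings.append((event_id, f"NACL change by unauthorized principal {actor}"))
        params = rec.get("requestParameters", {})
        # Only new/replaced allow rules can widen exposure; check their CIDR against the allowlist
        if rec["eventName"] in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry") and params.get("ruleAction") == "allow":
            cidr = params.get("cidrBlock") or params.get("ipv6CidrBlock")
            if cidr:
                net = ipaddress.ip_network(cidr, strict=False)
                if not any(net.version == k.version and net.subnet_of(k) for k in known):
                    direction = "outbound" if params.get("egress") else "inbound"
                    findings.append((event_id, f"{direction} allow rule for unknown CIDR {cidr} on {params.get('networkAclId')}"))
    return findings

# Constructed sample data (not real accounts, ACLs or principals)
KNOWN_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]
AUTHORIZED_ARNS = {"arn:aws:iam::123456789012:role/NetworkAdmin"}
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/NetworkAdmin"},
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 100, "protocol": "6", "ruleAction": "allow",
                           "egress": False, "cidrBlock": "0.0.0.0/0", "portRange": {"from": 22, "to": 22}}},
    {"eventID": "e2", "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/NetworkAdmin"},
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 110, "protocol": "-1", "ruleAction": "allow",
                           "egress": True, "cidrBlock": "10.20.0.0/16"}},
    {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 100, "egress": False}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "requestParameters": {}},
]

if __name__ == "__main__":
    for event_id, reason in triage_nacl_events(SAMPLE_RECORDS, KNOWN_CIDRS, AUTHORIZED_ARNS):
        print(event_id, reason)
```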

Resolution

Revert all NACL changes that are not necessary. Use a common template to make changes. Follow the principle of least privilege.

https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html