🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 16 Unused network access control lists should be removed

Description

This control checks whether there are any unused network access control lists (ACLs).

The control checks the item configuration of the resource AWS::EC2::NetworkAcl and determines the relationships of the network ACL.

If the only relationship is the VPC of the network ACL, then the control fails.

Remediation

For instructions on how to delete an unused network ACL, see Delete a network ACL.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_16 --share

SQL

This control uses a named query:

select
  network_acl_id as resource,
  case
    when jsonb_array_length(associations) >= 1  then 'ok'
    else 'alarm'
  end status,
  case
    when jsonb_array_length(associations) >= 1 then title || ' associated with subnet.'
    else title || ' not associated with subnet.'
  end reason
  
  , region, account_id
from
  aws_vpc_network_acl;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = network_security
foundational_security_item_id = ec2_16
plugin = aws
service = AWS/EC2