Skip to main content


Network Access Control Lists (ACL) do not allow unrestricted inbound traffic


This policy may trigger an alert if you have completed an Agentless Workload Scanning integration for AWS using CloudFormation. See Alerts Triggering for lacework-global-87 and lacework-global-145 after Deployment for details.


A Network ACL acts as a stateless, virtual firewall that controls traffic at the subnet level. The default Network ACL associated with a Virtual Private Cloud (VPC) allows all inbound and outbound traffic. For security purposes, best practices recommend restricting inbound Network ACLs.


  1. Log in to the AWS Management Console.
  2. Select Services.
  3. Select VPC.
  4. Select Network ACLs.
  5. Select the Network ACL to edit.
  6. Select Edit inbound rules.
  7. For each rule, restrict access to only the appropriate port or port range.
  8. Select Save changes.