steampipe plugin install aws

Table: aws_vpc_network_acl - Query AWS VPC Network ACL using SQL

The AWS VPC Network ACL is a security layer that controls traffic in and out of a Virtual Private Cloud (VPC). It operates at the subnet level and evaluates traffic against a numbered list of rules, processed in ascending rule-number order. This Network Access Control List (ACL) provides an additional line of defense for your VPC and can be customized to fit your security needs.

Table Usage Guide

The aws_vpc_network_acl table in Steampipe provides you with information about Network Access Control Lists (ACLs) within Amazon Virtual Private Cloud (VPC). This table allows you, as a DevOps engineer, security analyst, or system administrator, to query ACL-specific details, including rules, associations, and related metadata. You can utilize this table to gather insights on ACLs, such as rule configurations, associated subnets, and more. The schema outlines the various attributes of the Network ACL for you, including the ACL ID, VPC ID, default status, and associated tags.

Examples

List the attached VPC IDs for each network ACL

Explore which network access control lists (ACLs) are associated with each virtual private cloud (VPC) in your AWS environment. This can help you manage and monitor your network security by identifying the VPCs that are linked to each ACL.

Postgres and SQLite (the query is identical in both):

select
  network_acl_id,
  arn,
  vpc_id
from
  aws_vpc_network_acl;

List the default NACL associated with the VPCs

Identify the VPCs whose default Network Access Control List (NACL) is in use. This is useful for understanding the default security settings of your network resources in AWS.

Postgres:

select
  network_acl_id,
  vpc_id,
  is_default
from
  aws_vpc_network_acl
where
  is_default = true;

SQLite:

select
  network_acl_id,
  vpc_id,
  is_default
from
  aws_vpc_network_acl
where
  is_default = 1;

Subnet associated with each network ACL

Determine which subnets each network access control list (ACL) is associated with. This is useful for understanding your network's security configuration and identifying potential gaps or misconfigurations.

Postgres:

select
  network_acl_id,
  vpc_id,
  association ->> 'SubnetId' as subnet_id,
  association ->> 'NetworkAclAssociationId' as network_acl_association_id
from
  aws_vpc_network_acl
  cross join jsonb_array_elements(associations) as association;

SQLite:

select
  network_acl_id,
  vpc_id,
  json_extract(association.value, '$.SubnetId') as subnet_id,
  json_extract(association.value, '$.NetworkAclAssociationId') as network_acl_association_id
from
  aws_vpc_network_acl,
  json_each(associations) as association;
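The same unnesting pattern applies to the entries column, which holds the ACL's rules. The following Postgres query, added here as an example and not part of the original page, lists inbound "allow" rules that admit every protocol from any IPv4 source, which is the shape of the default NACL's rule 100 and a common finding in a network review. It assumes the entries elements carry the AWS NetworkAclEntry field names (RuleNumber, Protocol, RuleAction, Egress, CidrBlock), mirroring how the associations example above uses SubnetId.

```sql
-- Added example (not from the Steampipe docs): find inbound rules that allow
-- all protocols from 0.0.0.0/0 on each network ACL.
-- Assumption: entries elements use the AWS NetworkAclEntry field names.
select
  network_acl_id,
  vpc_id,
  is_default,
  (entry ->> 'RuleNumber')::int as rule_number,
  entry ->> 'Protocol'          as protocol,    -- '-1' means all protocols
  entry ->> 'CidrBlock'         as cidr_block
from
  aws_vpc_network_acl
  cross join jsonb_array_elements(entries) as entry
where
  (entry ->> 'Egress')::boolean = false         -- inbound rules only
  and entry ->> 'RuleAction' = 'allow'
  and entry ->> 'CidrBlock' = '0.0.0.0/0'
  and entry ->> 'Protocol' = '-1'
order by
  network_acl_id,
  rule_number;
```

Because NACL rules are evaluated in ascending rule-number order, a matching row is only effective if no lower-numbered deny rule covers the same traffic; drop the RuleAction and CidrBlock filters to see the full ordered rule set for an ACL.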

Schema for aws_vpc_network_acl

Name            | Type    | Operators | Description
_ctx            | jsonb   |           | Steampipe context in JSON form, e.g. connection_name.
account_id      | text    |           | The AWS Account ID in which the resource is located.
akas            | jsonb   |           | Array of globally unique identifier strings (also known as) for the resource.
arn             | text    |           | The Amazon Resource Name (ARN) specifying the network ACL.
associations    | jsonb   |           | Any associations between the network ACL and one or more subnets.
entries         | jsonb   |           | One or more entries (rules) in the network ACL.
is_default      | boolean | =, !=     | Indicates whether this is the default network ACL for the VPC.
network_acl_id  | text    | =         | The ID of the network ACL.
owner_id        | text    | =         | The ID of the AWS account that owns the network ACL.
partition       | text    |           | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region          | text    |           | The AWS Region in which the resource is located.
tags            | jsonb   |           | A map of tags for the resource.
tags_src        | jsonb   |           | A list of tags that are attached to the Network ACL.
title           | text    |           | Title of the resource.
vpc_id          | text    | =         | The ID of the VPC for the network ACL.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_vpc_network_acl