Table: aws_vpc_network_acl - Query AWS VPC Network ACL using SQL
An AWS VPC Network ACL is a security layer that controls traffic entering and leaving the subnets of a Virtual Private Cloud (VPC). It operates at the subnet level and evaluates traffic against a numbered list of rules, in ascending rule-number order, with the first matching rule deciding the outcome. Unlike security groups, network ACLs are stateless: return traffic must be permitted explicitly by a rule in the opposite direction. This Network Access Control List (ACL) provides an additional line of defense for your VPC and can be customized to fit your security needs.
Table Usage Guide
The aws_vpc_network_acl table in Steampipe provides you with information about Network Access Control Lists (ACLs) within Amazon Virtual Private Cloud (VPC). This table allows you, as a DevOps engineer, security analyst, or system administrator, to query ACL-specific details, including rules, associations, and related metadata. You can use this table to gather insights on ACLs, such as rule configurations, associated subnets, and more. The schema outlines the attributes of the Network ACL for you, including the ACL ID, VPC ID, default status, and associated tags.
Examples
List the attached VPC IDs for each network ACL
Explore which network access control lists (ACLs) are associated with each virtual private cloud (VPC) in your AWS environment. This can help you manage and monitor your network security by identifying the VPCs that are linked to each ACL.

Postgres:

```sql
select
  network_acl_id,
  arn,
  vpc_id
from
  aws_vpc_network_acl;
```

SQLite:

```sql
select
  network_acl_id,
  arn,
  vpc_id
from
  aws_vpc_network_acl;
```
List the default NACL associated with the VPCs
Identify the default Network Access Control List (NACL) of each Virtual Private Cloud (VPC). This is useful for understanding the default security settings that apply to subnets with no explicitly associated NACL.

Postgres:

```sql
select
  network_acl_id,
  vpc_id,
  is_default
from
  aws_vpc_network_acl
where
  is_default = true;
```

SQLite:

```sql
select
  network_acl_id,
  vpc_id,
  is_default
from
  aws_vpc_network_acl
where
  is_default = 1;
```
Subnet associated with each network ACL
List the subnets associated with each network access control list (ACL). This is useful for understanding your network's security configuration and identifying which subnets are covered by which rule set, so that misconfigurations such as an overly permissive NACL on a sensitive subnet can be spotted.

Postgres:

```sql
select
  network_acl_id,
  vpc_id,
  association ->> 'SubnetId' as subnet_id,
  association ->> 'NetworkAclAssociationId' as network_acl_association_id
from
  aws_vpc_network_acl
  cross join jsonb_array_elements(associations) as association;
```

SQLite:

```sql
select
  network_acl_id,
  vpc_id,
  json_extract(association.value, '$.SubnetId') as subnet_id,
  json_extract(association.value, '$.NetworkAclAssociationId') as network_acl_association_id
from
  aws_vpc_network_acl,
  json_each(associations) as association;
```
Control examples
- AWS Foundational Security Best Practices > EC2 > 16 Unused network access control lists should be removed
- AWS Foundational Security Best Practices > EC2 > 21 Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- CIS v1.3.0 > 5 Networking > 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v1.4.0 > 5 Networking > 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v1.5.0 > 5 Networking > 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v2.0.0 > 5 Networking > 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v3.0.0 > 5 Networking > 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v4.0.0 > 5 Networking > 5.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- VPC network access control lists (network ACLs) should be associated with a subnet.
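Several of the controls above flag inbound allow rules open to the whole Internet on the remote administration ports. The Postgres query below is an added example, not code from the original page or from the Steampipe mods, that expands the `entries` column to find such rules; it assumes each entry carries the AWS NetworkAclEntry keys RuleNumber, RuleAction, Egress, Protocol, CidrBlock and PortRange (with From and To).

```sql
-- Added example (not from the original page): inbound allow entries from
-- 0.0.0.0/0 that cover SSH (22) or RDP (3389), the condition behind the
-- "should not allow ingress from 0.0.0.0/0 to port 22 or port 3389" control.
-- Assumed entry keys (AWS NetworkAclEntry): RuleNumber, RuleAction, Egress,
-- Protocol, CidrBlock, PortRange.From, PortRange.To.
select
  network_acl_id,
  vpc_id,
  (entry ->> 'RuleNumber')::int        as rule_number,
  entry ->> 'Protocol'                  as protocol,
  entry -> 'PortRange' ->> 'From'       as port_from,
  entry -> 'PortRange' ->> 'To'         as port_to
from
  aws_vpc_network_acl
  cross join jsonb_array_elements(entries) as entry
where
  entry ->> 'Egress' = 'false'            -- inbound rules only
  and entry ->> 'RuleAction' = 'allow'
  and entry ->> 'CidrBlock' = '0.0.0.0/0'
  and (
    -- protocol -1 means all protocols and all ports
    entry ->> 'Protocol' = '-1'
    or (
      entry ->> 'Protocol' = '6'          -- TCP
      and (
        ((entry -> 'PortRange' ->> 'From')::int <= 22
          and (entry -> 'PortRange' ->> 'To')::int >= 22)
        or
        ((entry -> 'PortRange' ->> 'From')::int <= 3389
          and (entry -> 'PortRange' ->> 'To')::int >= 3389)
      )
    )
  )
order by
  network_acl_id,
  rule_number;
```

Because rules are evaluated in ascending rule number and the first match wins, each hit is a candidate rather than a confirmed exposure: a lower-numbered deny covering the same source and port would take precedence, so review the ACL's full ordered rule set before remediating.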
Schema for aws_vpc_network_acl
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Amazon Resource Name (ARN) specifying the network ACL. |
associations | jsonb | | Any associations between the network ACL and one or more subnets. |
entries | jsonb | | One or more entries (rules) in the network ACL. |
is_default | boolean | =, != | Indicates whether this is the default network ACL for the VPC. |
network_acl_id | text | = | The ID of the network ACL. |
owner_id | text | = | The ID of the AWS account that owns the network ACL. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags that are attached to the network ACL. |
title | text | | Title of the resource. |
vpc_id | text | = | The ID of the VPC for the network ACL. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_vpc_network_acl
```