
The Forgotten NACL

Max room.

Security groups protect instances. NACLs protect subnets. This one was forgotten.

Difficulty: medium. Estimated time: 45 min.



The deployment goes smoothly. Security groups are set on every instance - ports scoped, source locked down. Everything looks right. What nobody checked were the network ACLs, and now the subnet boundary is wide open.

Network Access Control Lists (NACLs) operate at the subnet level - a layer above security groups. They are stateless, meaning both inbound and outbound traffic must be explicitly allowed, including return traffic on ephemeral ports. They evaluate rules in numbered order, and the first match wins. Unlike security groups, NACLs can explicitly deny traffic, making them a powerful coarse-grained perimeter around an entire subnet.

A default NACL that allows all traffic in all directions is created automatically, and most teams never replace it. The result is that the subnet boundary provides zero additional filtering - if a security group rule is misconfigured, the traffic passes straight through without a second checkpoint.

In this room, you will investigate an environment where both subnets use the default NACL, understand the associated risks, remediate them with custom NACLs, and build proper subnet-level network controls from scratch.

Learning Objectives

  • Understand how NACLs differ from security groups: stateless vs stateful, subnet-level vs instance-level, rule ordering, and explicit deny capability
  • Identify when a subnet is using the default "allow all" NACL instead of a custom, scoped one
  • Explain why the default NACL provides no meaningful defense-in-depth alongside security groups
  • Create custom NACLs with scoped inbound and outbound rules, including correct ephemeral port handling
  • Design a layered network security model that uses NACLs as the subnet perimeter and security groups as the instance perimeter
  • Verify configurations using the
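As an added illustration (not part of the room's own material), the following Python models how a NACL evaluates traffic: numbered rules checked in ascending order, first match wins, an implicit final deny, and stateless evaluation that needs a separate outbound allow on the client's ephemeral port before a reply can leave the subnet. The rule sets and IP addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending number order
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, port, remote_ip):
    """First matching rule wins; the implicit final '*' rule denies."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "-1" and r.protocol != protocol:
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"

def session_allowed(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request needs an inbound allow on the service port AND
    the reply needs an outbound allow on the client's ephemeral port."""
    request_ok = evaluate(inbound, "tcp", server_port, client_ip) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_port, client_ip) == "allow"
    return request_ok and reply_ok

def is_default_allow_all(inbound, outbound):
    """Flag the default NACL: an allow-everything rule in each direction."""
    def wide_open(rules):
        return any(r.action == "allow" and r.protocol == "-1" and r.cidr == "0.0.0.0/0"
                   for r in rules)
    return wide_open(inbound) and wide_open(outbound)

# Constructed rule sets (not taken from any real account).
DEFAULT_IN = [Rule(100, "-1", 0, 65535, "0.0.0.0/0", "allow")]
DEFAULT_OUT = [Rule(100, "-1", 0, 65535, "0.0.0.0/0", "allow")]

WEB_IN = [
    Rule(90, "-1", 0, 65535, "198.51.100.0/24", "deny"),  # explicit deny, evaluated before 100
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
WEB_OUT_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]  # no ephemeral return rule
WEB_OUT = WEB_OUT_BROKEN + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
```

With the default NACL every session passes regardless of port, while the custom set without the ephemeral outbound rule silently breaks the HTTPS reply even though the inbound request was allowed.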

Prerequisites


It's NACL Day. Again.