Idle ACL Check
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | vpc-acl-unused-check |
| Identifier | Idle ACL Check |
| Description | If a network ACL is not associated with any subnet, this ACL is non-compliant. |
| Tag | vpc |
| Trigger Type | Configuration change |
| Filter Type | vpc.firewallGroups |
| Rule Parameters | None |
Application Scenarios
A network ACL is an optional layer of security for your subnets. After you add inbound and outbound rules to a network ACL and associate subnets with it, you can control traffic entering and leaving those subnets. For details, see Network ACL. Properly managing network ACLs helps you avoid the following problems:
- If an ACL is created but not associated with any subnet, its rules do not take effect, and traffic to and from the subnet is not controlled.
- An unassociated network ACL may contain loose rules (for example, allowing any IP address to access sensitive ports). If such a network ACL is maliciously associated with a subnet, the subnet is exposed to those rules.
- Although network ACLs are not billed, keeping redundant resources increases O&M costs (such as manual maintenance workload and monitoring tool costs).
Solution
Check your network ACLs. If a network ACL is no longer required, delete it. If it is still required, associate a subnet with it. For details, see Deleting a Network ACL and Associating Subnets with a Network ACL.
Rule Logic
- If a network ACL is not associated with any subnet, this network ACL is non-compliant.
- If a network ACL is associated with one or more subnets, this network ACL is compliant.
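The following Python script is an added example (not part of this page or of the Huawei Cloud Config service) that applies the rule logic above to a constructed ACL inventory and, for each non-compliant ACL, also flags the loose rules the Application Scenarios section warns about, so that cleanup can be prioritized. The data model (`subnets`, `rules`, `source_cidr`) and the set of sensitive ports are assumptions for illustration, not the vpc.firewallGroups API schema.

```python
# Added example: evaluate vpc-acl-unused-check over a constructed inventory.
# Field names and SENSITIVE_PORTS are assumptions, not the real API schema.
from dataclasses import dataclass, field

SENSITIVE_PORTS = {22, 3389, 3306, 1433}  # assumption: ports treated as sensitive


@dataclass
class AclRule:
    direction: str                            # "ingress" or "egress"
    action: str                               # "allow" or "deny"
    source_cidr: str                          # e.g. "0.0.0.0/0"
    ports: set = field(default_factory=set)   # empty set means all ports


@dataclass
class NetworkAcl:
    acl_id: str
    subnets: list   # IDs of subnets associated with this ACL
    rules: list     # list of AclRule


def evaluate_acl(acl: NetworkAcl) -> dict:
    """Rule logic: an ACL with no associated subnet is NonCompliant."""
    compliant = len(acl.subnets) > 0
    result = {"acl_id": acl.acl_id,
              "compliance": "Compliant" if compliant else "NonCompliant",
              "loose_rules": []}
    if not compliant:
        # Triage: an unused ACL allowing any source to a sensitive port would
        # expose a subnet if it were ever associated, so it should go first.
        for r in acl.rules:
            if (r.direction == "ingress" and r.action == "allow"
                    and r.source_cidr == "0.0.0.0/0"
                    and (not r.ports or r.ports & SENSITIVE_PORTS)):
                result["loose_rules"].append(r)
    return result


def evaluate_inventory(acls):
    return [evaluate_acl(a) for a in acls]


# Constructed sample inventory (not real resources).
SAMPLE_ACLS = [
    NetworkAcl("acl-in-use", ["subnet-a"], [AclRule("ingress", "allow", "0.0.0.0/0", {22})]),
    NetworkAcl("acl-unused-loose", [], [AclRule("ingress", "allow", "0.0.0.0/0", {22})]),
    NetworkAcl("acl-unused-tight", [], [AclRule("ingress", "allow", "10.0.0.0/8", {443})]),
]

if __name__ == "__main__":
    for r in evaluate_inventory(SAMPLE_ACLS):
        print(r["acl_id"], r["compliance"], len(r["loose_rules"]), "loose rule(s)")
```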