---
title: AWS Network Access Control List created or modified
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > AWS Network Access Control List created
  or modified
---

# AWS Network Access Control List created or modified
- Classification: compliance
- Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)
- Technique: [T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)
- Framework: cis-aws
- Control: 4.11

## Goal{% #goal %}

Detect when an AWS Network Access Control List (NACL) has been created, deleted or modified.

## Strategy{% #strategy %}

This rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:

- [CreateNetworkAcl](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html)
- [CreateNetworkAclEntry](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html)
- [DeleteNetworkAcl](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html)
- [DeleteNetworkAclEntry](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html)
- [ReplaceNetworkAclEntry](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html)
- [ReplaceNetworkAclAssociation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html)
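
As an added example (not part of the Datadog rule or its implementation), the Python below applies the same event-name filter to constructed CloudTrail records and renders the triage message from the fields the signal template references (`@userIdentity.arn`, `@evt.name`); the account ID, ARNs, NACL ID and IP address are placeholders.

```python
import json

# The six EC2 API calls listed in the Strategy section.
NACL_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry",
    "DeleteNetworkAcl", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}

# Constructed CloudTrail records; account ID, ARNs, NACL ID and IP are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2022-04-05T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeNetworkAcls",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2022-04-05T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleNumber": 50,
                           "egress": False, "ruleAction": "allow", "cidrBlock": "0.0.0.0/0"}},
    {"eventTime": "2022-04-05T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAclEntry", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/Deployer/ci"}},
]})

def nacl_change_signals(trail_json):
    """Return one signal per CloudTrail record whose eventName is in NACL_EVENTS."""
    signals = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in NACL_EVENTS:
            continue
        signals.append({
            "evt_name": rec["eventName"],
            "user_arn": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            # A denied call is kept and flagged: the attempt itself is worth triage.
            "error_code": rec.get("errorCode"),
            "params": rec.get("requestParameters", {}),
        })
    return signals

def triage_message(signal):
    """Render step 1 of the triage section with the signal's fields filled in."""
    return (f"Determine if the user with arn: {signal['user_arn']} should have "
            f"used the API call: {signal['evt_name']}.")

if __name__ == "__main__":
    for s in nacl_change_signals(SAMPLE_TRAIL):
        print(triage_message(s), s["error_code"], s["params"])
```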

## Triage and response{% #triage-and-response %}

1. Determine if the user with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.
1. Contact the user and confirm whether this API call was made by the user.
1. If the API call was not made by the user:
   - Rotate the user's credentials and investigate what other API calls were made with them.
   - Determine which other API calls made under this identity were not made by the user.

## Changelog{% #changelog %}

5 April 2022 - Updated Rule queries, cases and signal message.
