If you have been working with VPCs for any length of time then you would have come across AWS Network Access Control Lists, also known as NACLs, and these can be considered a way of authorizing network packets to enter and leave different parts of your VPC.  Operating the Network layer,  NACLs provide a rule-based security feature for permitting ingress and egress network traffic at the protocol and subnet level. In other words, ACLs monitor and filter traffic moving in and out of your subnet, either allowing or denying access dependent on rule permissions. 

NACLs can be attached to one or more subnets within your virtual private cloud. If you haven't created a custom NACL, then your subnets will automatically be associated with your VPC's default NACL, and in this instance, the default allows all traffic to flow in and out of the network, as opposed to denying it.

The rule set itself is very simple, and has both an inbound and outbound list of rules, and these rules are comprised of just six different fields; these being 

1. Rule Number: ACL rules are read in ascending order, and as soon as a network packet is received, it reads each rule in ascending order until a match is found. For this reason, you'll want to carefully sequence your rules with an organized numbering system. I would suggest that you leave a gap of at least 50 between each of your rules to allow you to easily add new rules in sequence later if it becomes necessary. 
2. Type: this dropdown list allows you to select from a list of common protocol types, including SSH, RDP, HTTP, and POP3. You can alternatively specify custom protocols, such as varieties of ICMP. 
3. Protocol: based on your choice of ‘Type’, the protocol option might be grayed out. For custom rules like TCP and UDP, however, you should provide a value. 
4. Port Range: If you create a custom rule, you'll need to specify the port range for the protocol to use. 
5. Source: this can be a net or a subnet range, a specific IP address, or even left open to traffic from anywhere. 
6. Allow/Deny: Each rule must include an action specifying whether to Allow or Deny the traffic that meets the parameters of the rule.

So NACLs are not used to authorize an identity as such, instead, they are used to effectively authorize the network packet itself to enter or leave a specific subnet. It's important to note that NACLs are stateless. Therefore, when creating your rules, you'll need to apply an outbound reply rule to permit responses to inbound requests.