diff --git a/builtin/providers/aws/network_acl_entry.go b/builtin/providers/aws/network_acl_entry.go
index bf53e30b2..3d267dcc8 100644
--- a/builtin/providers/aws/network_acl_entry.go
+++ b/builtin/providers/aws/network_acl_entry.go
@@ -2,12 +2,18 @@ package aws
 import (
 "github.com/mitchellh/goamz/ec2"
+ "fmt"
 )
-func expandNetworkAclEntries(configured []interface{}, entryType string) []ec2.NetworkAclEntry {
+func expandNetworkAclEntries(configured []interface{}, entryType string) ([]ec2.NetworkAclEntry, error) {
 entries := make([]ec2.NetworkAclEntry, 0, len(configured))
 for _, eRaw := range configured {
 data := eRaw.(map[string]interface{})
+ protocol := data["protocol"].(string)
+ _, ok := protocolIntegers()[protocol]
+ if(!ok){
+ return nil, fmt.Errorf("Invalid Protocol %s for rule %#v", protocol, data)
+ }
 p := extractProtocolInteger(data["protocol"].(string))
 e := ec2.NetworkAclEntry{
 Protocol: p,
@@ -23,7 +29,7 @@ func expandNetworkAclEntries(configured []interface{}, entryType string) []ec2.N
 entries = append(entries, e)
 }
- return entries
+ return entries, nil
 }
@@ -63,6 +69,7 @@ func protocolIntegers() map[string]int {
 "udp": 17,
 "tcp": 6,
 "icmp": 1,
+ "all": -1,
 }
 return protocolIntegers
 }
diff --git a/builtin/providers/aws/network_acl_entry_test.go b/builtin/providers/aws/network_acl_entry_test.go
index 0cf412dfd..a2d60abb8 100644
--- a/builtin/providers/aws/network_acl_entry_test.go
+++ b/builtin/providers/aws/network_acl_entry_test.go
@@ -26,7 +26,7 @@ func Test_expandNetworkAclEntry(t *testing.T) {
 "rule_no": 2,
 },
 }
- expanded := expandNetworkAclEntries(input, "egress")
+ expanded, _ := expandNetworkAclEntries(input, "egress")
 expected := []ec2.NetworkAclEntry{
 ec2.NetworkAclEntry{
diff --git a/builtin/providers/aws/resource_aws_network_acl.go b/builtin/providers/aws/resource_aws_network_acl.go
index c26bf5f19..11c448da8 100644
--- a/builtin/providers/aws/resource_aws_network_acl.go
+++ b/builtin/providers/aws/resource_aws_network_acl.go
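Review bot: The new guard in expandNetworkAclEntries looks `protocol` up in `protocolIntegers()` only to discard the value with `_, ok :=`, and the next line then resolves the very same string again through `extractProtocolInteger` (presumably the same table); `p, ok := protocolIntegers()[protocol]` keeps a single lookup and a single source of truth, so the validated set and the resolved set cannot drift apart if either helper changes. The `data["protocol"].(string)` assertion is duplicated and, as before this change, unchecked, so a non-string value in the config still panics instead of returning the new error; `protocol, isStr := data["protocol"].(string)` folded into the same failure branch would fail closed. Minor style: `if(!ok){` is not gofmt output, and `"fmt"` belongs in a stdlib group ahead of the goamz import. The function body continues past the end of the hunk.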
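Review bot: `protocolIntegers()` constructs and returns a fresh map on every call (`return protocolIntegers` returns a local), and after this commit it is invoked once per configured rule from the validation loop in expandNetworkAclEntries; a package-level `var protocolIntegers = map[string]int{...}` would avoid the per-rule allocation and leave one table for both validation and resolution, at the cost of adapting the existing call sites. The lookup is also case-sensitive, so `"TCP"` or `"All"` will now be rejected where the intent is presumably the same; either normalise with `strings.ToLower` at the lookup site or document the accepted spellings on the function, e.g. `// protocolIntegers maps the lowercase protocol names accepted in a rule to the protocol number sent to EC2; "all" is -1, presumably the API's wildcard value.`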
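Review bot: The test now discards the error with `expanded, _ := expandNetworkAclEntries(input, "egress")`, so a regression that makes this valid fixture fail the new protocol validation would surface only as a confusing mismatch against `expected` (or not at all if `expanded` is nil and the comparison is lenient); use `expanded, err := expandNetworkAclEntries(input, "egress")` followed by `if err != nil { t.Fatal(err) }`. Nothing in this diff exercises the rejection path the commit introduces; a second case with an unknown protocol such as `"protocol": "bogus"` asserting a non-nil error would pin the fail-closed behaviour. The test function's body continues outside the hunk.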
@@ -211,8 +211,11 @@ func updateNetworkAclEntries(d *schema.ResourceData, entryType string, ec2conn *
 os := o.(*schema.Set)
 ns := n.(*schema.Set)
- toBeDeleted := expandNetworkAclEntries(os.Difference(ns).List(), entryType)
- toBeCreated := expandNetworkAclEntries(ns.Difference(os).List(), entryType)
+
+ toBeDeleted, err := expandNetworkAclEntries(os.Difference(ns).List(), entryType)
+ if(err != nil){
+ return err
+ }
 for _, remove := range toBeDeleted {
 // Delete old Acl
 _, err := ec2conn.DeleteNetworkAclEntry(d.Id(), remove.RuleNumber, remove.Egress)
@@ -221,6 +224,10 @@ func updateNetworkAclEntries(d *schema.ResourceData, entryType string, ec2conn *
 }
 }
+ toBeCreated, err := expandNetworkAclEntries(ns.Difference(os).List(), entryType)
+ if(err != nil){
+ return err
+ }
 for _, add := range toBeCreated {
 // Add new Acl entry
 _, err := ec2conn.CreateNetworkAclEntry(d.Id(), &add)
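Review bot: Validation of the entries to create now runs only after every DeleteNetworkAclEntry call has already been issued, because `toBeCreated, err := expandNetworkAclEntries(ns.Difference(os).List(), entryType)` was moved below the delete loop; a single rule with an unknown protocol therefore aborts the update with the old entries gone and none of the new ones added, leaving the ACL with only the rules common to both sets, and if one of the removed rules was an explicit deny that is a fail-open outcome. Both expansions only validate local config, so put the `toBeCreated` expansion and its `if err != nil { return err }` directly under the `toBeDeleted` check, before the first API call, so a config error fails closed without touching AWS; the original code already computed both sets up front. API failures inside the loops can still leave a partial state, but that is pre-existing and not introduced here. Minor: `if(err != nil){` should be gofmt'd to `if err != nil {`. updateNetworkAclEntries starts and ends outside the hunk.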