diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7cba568..559c653 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -400,3 +400,7 @@
- tag-shared-vpc-resources
- use awscc provider to get network acl vs null resource
+* 2.10.1 -- 2024-07-09
+ - tag-shared-vpc-resources
+ - fix to use aws_ resource to get network_acls (awscc_ does not have filter) to only include from network account
+
diff --git a/common/version.tf b/common/version.tf
index 9bfe1c9..7a37459 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
locals {
- _module_version = "2.10.0"
+ _module_version = "2.10.1"
_module_names = {
"_main_" = "aws-vpc-setup"
diff --git a/tag-shared-vpc-resources/README.md b/tag-shared-vpc-resources/README.md
index 89fedf7..eff3c76 100644
--- a/tag-shared-vpc-resources/README.md
+++ b/tag-shared-vpc-resources/README.md
@@ -380,7 +380,6 @@ COMMAND tf-directory-setup.py -l s3
|------|---------|
| [aws](#provider\_aws) | >= 5.0 |
| [aws.network\_account](#provider\_aws.network\_account) | >= 5.0 |
-| [awscc](#provider\_awscc) | >= 1.0 |
| [awscc.network\_account](#provider\_awscc.network\_account) | >= 1.0 |
## Modules
@@ -405,6 +404,7 @@ No modules.
| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_ec2_transit_gateway.transit_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_network_acls.network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_route_table.route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
| [aws_route_tables.route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
@@ -414,7 +414,6 @@ No modules.
| [aws_vpc_dhcp_options.dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_dhcp_options) | data source |
| [aws_vpcs.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |
| [awscc_ec2_network_acl.nacls](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/data-sources/ec2_network_acl) | data source |
-| [awscc_ec2_network_acls.nacls](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/data-sources/ec2_network_acls) | data source |
## Inputs
diff --git a/tag-shared-vpc-resources/tag-network-acls.tf b/tag-shared-vpc-resources/tag-network-acls.tf
index c2eb481..5f7ae75 100644
--- a/tag-shared-vpc-resources/tag-network-acls.tf
+++ b/tag-shared-vpc-resources/tag-network-acls.tf
@@ -1,26 +1,33 @@
-data "awscc_ec2_network_acls" "nacls" {
+# this only gets ids, no other details such as owner, which we need to avoid local nacls (default not being removed, for example)
+# data "awscc_ec2_network_acls" "nacls" {
+# count = local._nacl_enabled ? 1 : 0
+# }
+
+# data "awscc_ec2_network_acl" "local_nacls" {
+# for_each = local._nacl_enabled ? data.awscc_ec2_network_acls.nacls[0].ids : toset([])
+# id = each.key
+# }
+
+data "aws_network_acls" "network_acls" {
+ # for_each = local._nacl_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
count = local._nacl_enabled ? 1 : 0
+ filter {
+ name = "owner-id"
+ values = [data.aws_caller_identity.network_account.account_id]
+ }
+ # filter {
+ # name = "vpc-id"
+ # values = [each.key]
+ # }
}
data "awscc_ec2_network_acl" "nacls" {
provider = awscc.network_account
- for_each = local._nacl_enabled ? data.awscc_ec2_network_acls.nacls[0].ids : toset([])
+ # for_each = local._nacl_enabled ? { for k,v in data.awscc_ec2_network_acl.local_nacls : k=>v if v.owner_id==data.aws_caller_identity.network_account.account_id } : {}
+ for_each = local._nacl_enabled ? toset(data.aws_network_acls.network_acls[0].ids) : toset([])
id = each.key
}
-# data "aws_network_acls" "network_acls" {
-# for_each = local._nacl_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
-# filter {
-# name = "owner-id"
-# values = [data.aws_arn.network_account.account]
-# }
-# filter {
-# name = "vpc-id"
-# values = [each.key]
-# }
-# }
-
-
## output "network_acls" {
## value = data.aws_network_acls.network_acls
## }
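Review bot: The new `data "aws_network_acls" "network_acls"` block filters only on `owner-id`, so with no `vpc-id` constraint it collects every network-account-owned NACL visible to the caller in the region, and the downstream `awscc_ec2_network_acl.nacls` lookup then tags all of them rather than only those belonging to the shared VPCs this module handles. The `vpc-id` scoping the old for_each version attempted (now commented out at the `# filter {` lines) does not need for_each: a filter block accepts a list, so restoring it as `name = "vpc-id"` / `values = data.aws_vpcs.vpcs.ids` alongside the existing `owner-id` filter keeps `count` and narrows the result to the VPCs already enumerated by `data.aws_vpcs.vpcs` (whose own filtering is outside this diff, so whether it is already narrowed should be confirmed). The rationale comment at the top of the hunk is useful, but the commented-out `awscc_ec2_network_acls`/`local_nacls` blocks, the commented `for_each` lines and the commented `vpc-id` filter are dead alternatives that will confuse the next reader; keeping one sentence of rationale and deleting the rest would make the intended design unambiguous.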