The ACL will be processed from top to bottom, and each packet will be subject to the rules defined. Once a packet matches a rule in the ACL, it will not be processed further.
Creating your ACL
By default, ACLs will have an explicit allow. If you prefer to configure your lists with an explicit deny, you can do so by making the bottom rule a "Deny - any - any" rule. Do note that in order to prevent cloud connectivity problems, the cloud IPs, ports and protocols have been added to the ACL by default.
By default, switches will have an explicit allow rule. Some may be more familiar with building an ACL that has an explicit deny rule. This can be achieved by manually creating a Deny any/any rule.
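The first-match behaviour and the effect of a bottom deny rule, as an added example (a small Python model, not the vendor's code or configuration syntax). The rule fields, the sample subnets and the cloud range `203.0.113.0/24` on port 443 are constructed placeholders, and placing the cloud rules at the top of the list is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders, not the vendor's real cloud endpoints.
CLOUD_NET, CLOUD_PORT = "203.0.113.0/24", 443

def rule(action, proto="any", src="any", dst="any", dport="any"):
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _net(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern)

def _val(pattern, value):
    return pattern == "any" or pattern == value

def evaluate(acl, pkt):
    """Walk the list top to bottom; the first matching rule decides, the rest are skipped."""
    for index, r in enumerate(acl):
        if (_val(r["proto"], pkt["proto"]) and _net(r["src"], pkt["src"])
                and _net(r["dst"], pkt["dst"]) and _val(r["dport"], pkt["dport"])):
            return r["action"], index
    raise ValueError("ACL has no catch-all rule")

def unreachable(acl):
    """Indices of rules placed below the first any/any rule; they can never match."""
    for index, r in enumerate(acl):
        if all(r[k] == "any" for k in ("proto", "src", "dst", "dport")):
            return list(range(index + 1, len(acl)))
    return []

CLOUD = rule("allow", "tcp", "any", CLOUD_NET, CLOUD_PORT)  # assumed pre-populated cloud rule
SSH = rule("allow", "tcp", "10.0.10.0/24", "10.0.20.5/32", 22)
DENY_ALL = rule("deny")
DEFAULT_ALLOW = rule("allow")  # the default allow at the bottom of the list

default_acl = [CLOUD, SSH, DEFAULT_ALLOW]
locked_acl = [CLOUD, SSH, DENY_ALL, DEFAULT_ALLOW]      # Deny any/any as the last user rule
misordered_acl = [DENY_ALL, CLOUD, SSH, DEFAULT_ALLOW]  # Deny any/any placed too high

def pkt(src, dst, dport, proto="tcp"):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

if __name__ == "__main__":
    for name, acl in [("default", default_acl), ("locked", locked_acl),
                      ("misordered", misordered_acl)]:
        print(name, evaluate(acl, pkt("10.0.30.9", "10.0.20.5", 22)),
              evaluate(acl, pkt("10.0.30.9", "203.0.113.10", CLOUD_PORT)), unreachable(acl))
```

`unreachable()` lists every rule that sits below an any/any rule, which is the check to run before saving a list that contains a Deny any/any.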