AWS VPC Best Practices

AWS Virtual Private Cloud (VPC) provides you with an isolated section within the AWS cloud to launch resources in a virtual network tailored to your organization. Implementing a VPC provides you with complete control of your virtual network, including configuration of network gateways and route tables, and the ability to select your IP range. Using a virtual private cloud adds another layer of security for your infrastructure, for example, by defining which resources within your AWS account have access to the internet.

Cloud Conformity checks the Amazon Virtual Private Cloud (VPC) service against the following rules:

Allocate Elastic IPs for NAT Gateways
Ensure Elastic IPs for NAT gateways are allocated.

Create App-Tier VPC Subnets
Ensure subnets for the app tier are created.

Create Data-Tier VPC Subnets
Ensure subnets for the data tier are created.

Default VPC In Use
Ensure AWS default Virtual Private Cloud (VPC) is not being used.

Unused VPC Internet Gateways
Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices.

Use Managed NAT Gateway for AWS VPC
Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA).

Create NAT Gateways in at Least Two Availability Zones
Ensure NAT gateways are created in at least two Availability Zones.

Ineffective Network ACL DENY Rules
Ensure that Amazon Network ACL DENY rules are effective within the VPC configuration.

Unrestricted Network ACL Inbound Traffic
Ensure no Amazon Network ACL allows inbound/ingress traffic from all ports.

Unrestricted Network ACL Outbound Traffic
Ensure no Amazon Network ACL allows outbound/egress traffic to all ports.

Create Route Table for Private Subnets
Ensure a route table for the private subnets is created.

Create Route Table for Public Subnets
Ensure a route table for the public subnets is created.

Enable Flow Logs for VPC Subnets
Ensure that the Flow Logs feature is enabled for your Amazon VPC subnets.

VPC Endpoint Unknown Cross Account Access
Ensure Amazon VPC endpoints do not allow unknown cross-account access.

AWS VPC Exposed Endpoints
Ensure Amazon VPC endpoints are not exposed to everyone.

VPC Endpoints In Use
Ensure VPC endpoints are being used to connect your VPC to another AWS service.

Enable AWS VPC Flow Logs
Ensure Virtual Private Cloud (VPC) Flow Logs feature is enabled in all applicable AWS regions.

Virtual Private Cloud Naming Conventions
Ensure AWS VPCs are using proper naming conventions to follow AWS tagging best practices.

AWS VPC Peering Connection Configuration
Ensure that the Amazon VPC peering connection configuration is compliant with the desired routing policy.

AWS VPN Tunnel Redundancy
Ensure AWS VPNs always have two tunnels active in order to provide redundancy.

AWS VPN Tunnel State
Ensure the state of your AWS Virtual Private Network (VPN) tunnels is UP.

Unused Virtual Private Gateways
Ensure unused Virtual Private Gateways (VGWs) are removed to follow best practices.

Create Web-Tier ELB Subnets
Ensure subnets for the web-tier ELBs are created.

Create Web-Tier VPC Subnets
Ensure subnets for the web tier are created.