
Default VPC In Use

Security

Risk level: Medium (should be achieved)

Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices. A default Virtual Private Cloud is a logically isolated virtual network created automatically for your AWS account the first time you provision Amazon EC2 resources. A default VPC is suitable for getting started quickly, however, when you deploy complex applications and use multi-tier architectures you may need to keep parts of your network private or customize the network model, therefore it is recommended to create a non-default VPC that suits your specific requirements.

A default Virtual Private Cloud is designed so that you can quickly deploy AWS resources without having to think about the underlying network. The default VPC comes with a default configuration that does not meet all security best practices, hence the default VPC should not be used for sophisticated AWS cloud applications.

Audit

To determine if the default Virtual Private Cloud (VPC) is being used within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, choose Your VPCs.

04 Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon in the top-right menu.

05 Inside the Show/Hide Columns dialog box, select the Default VPC checkbox then click Close to return to your VPC dashboard.

06 Select the default VPC within the current AWS region by choosing the resource with the Default VPC attribute value set to Yes.

07 Select the Summary tab from the dashboard bottom panel and copy the ID set as value for the VPC ID attribute.

08 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

09 In the navigation panel, under INSTANCES, click Instances.

10 Click inside the Filter by tags and attributes or search by keyword box and select the VPC ID attribute, then paste the VPC ID copied at step no. 7 and press Enter. The filtering process will return only the EC2 instances launched within the default VPC (if any). If the AWS console returns one or more EC2 instances, the default Virtual Private Cloud is currently being used within the selected AWS region.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) using custom query filters to return the ID of the default VPC created in the selected AWS region:

aws ec2 describe-vpcs \
	--region us-east-1 \
	--query 'Vpcs[?(IsDefault==`true`)].VpcId | []'

02 The command output should return the requested VPC identifier:

[
    "vpc-1234abcd"
]

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the default VPC returned at the previous step as filter parameter and custom query filters to return the IDs of the EC2 instances running within the selected (default) VPC:

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=vpc-id,Values=vpc-1234abcd" \
	--query 'Reservations[*].Instances[*].InstanceId[]'

04 The command output should return the identifiers of the EC2 instances launched within the default VPC, otherwise it should return an empty array:

[
    "i-012345678abcdabcd",
    "i-0abcdabcd12345678"
]

If the command output returns an array with one or more instance IDs, as shown in the example above, the default VPC is being used by EC2 resources within the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the audit process for other regions.
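Steps 1 to 5 above, automated across every region enabled for the account (an added example, not Cloud Conformity's own tooling). It assumes the AWS CLI is installed with credentials allowed to call ec2:DescribeRegions, ec2:DescribeVpcs and ec2:DescribeInstances; the instance-state-name filter is an addition to the page's describe-instances command.

```shell
#!/bin/sh
# Multi-region audit for EC2 instances inside the default VPC (added example,
# not Cloud Conformity's tooling). Assumes the AWS CLI is installed with
# credentials allowed to call ec2:DescribeRegions/DescribeVpcs/DescribeInstances.
# Print the region's default VPC ID (empty if none). Returns 2 on a CLI error.
default_vpc_id() {
    out=$(aws ec2 describe-vpcs --region "$1" \
        --query 'Vpcs[?(IsDefault==`true`)].VpcId | []' --output text) || return 2
    printf '%s\n' "$out" | tr '\t' '\n' | grep -v '^$' || true
}

# Print instance IDs in a VPC, one per line. The instance-state-name filter is an
# addition to the page's command; it ignores instances that are already terminated.
instances_in_vpc() {
    out=$(aws ec2 describe-instances --region "$1" \
        --filters "Name=vpc-id,Values=$2" \
            "Name=instance-state-name,Values=pending,running,shutting-down,stopping,stopped" \
        --query 'Reservations[*].Instances[*].InstanceId[]' --output text) || return 2
    printf '%s\n' "$out" | tr '\t' '\n' | grep -v '^$' || true
}

# Audit one region: returns 0 (finding) when the default VPC hosts instances,
# 1 when it is unused or absent, 2 when a CLI call failed.
default_vpc_in_use() {
    region=$1
    vpc=$(default_vpc_id "$region") || { echo "$region: describe-vpcs failed" >&2; return 2; }
    if [ -z "$vpc" ]; then
        echo "$region: no default VPC present"; return 1
    fi
    ids=$(instances_in_vpc "$region" "$vpc") || { echo "$region: describe-instances failed" >&2; return 2; }
    if [ -z "$ids" ]; then
        echo "$region: default VPC $vpc is not used by any EC2 instance"; return 1
    fi
    echo "$region: FINDING - default VPC $vpc is in use by:"
    printf '  %s\n' $ids    # unquoted on purpose: one line per instance ID
}
# Walk every enabled region; exit 0 only when no region has a finding.
audit_all_regions() {
    findings=0
    regions=$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text) || return 2
    for region in $regions; do
        rc=0; default_vpc_in_use "$region" || rc=$?
        if [ "$rc" -eq 0 ]; then findings=$((findings + 1)); fi
    done
    echo "regions with the default VPC in use: $findings"
    [ "$findings" -eq 0 ]
}
# Run the whole audit with: sh default-vpc-audit.sh run
if [ "${1:-}" = "run" ]; then audit_all_regions; fi
```

The non-zero exit status of audit_all_regions lets the script gate a compliance or CI job on the result.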

Remediation / Resolution

To create a non-default Virtual Private Cloud (VPC) and migrate your custom AWS applications to it, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, choose Your VPCs.

04 Click Create VPC button from the dashboard top menu to initiate the VPC setup process.

05 Inside the Create VPC dialog box, within IPv4 CIDR block box, specify an IPv4 address range for your new VPC as a Classless Inter-Domain Routing (CIDR) block (for example, 10.0.0.0/16). You cannot specify an IPv4 CIDR block larger than /16. You can also optionally associate an IPv6 CIDR block with your new VPC by selecting the Amazon provided IPv6 CIDR block option from IPv6 CIDR block. Select the type of the tenancy from the Tenancy dropdown list based on your AWS application requirements. Once configured, click Yes, Create to deploy your new, non-default Virtual Private Cloud. The VPC setup wizard will automatically create the required resources (i.e. route tables, subnets, etc.) and associate them with the new VPC.

06 Now you can configure your non-default VPC based on your application requirements and migrate the application from the default VPC (see Audit section part I to identify the default VPC in the selected region) to the non-default one.

07 If required, change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run create-vpc command (OSX/Linux/UNIX) to create a non-default Virtual Private Cloud (VPC) in the selected AWS region. The following command example creates a shared tenancy VPC with the CIDR block 10.0.0.0/16, within the US East (N. Virginia) region:

aws ec2 create-vpc \
	--region us-east-1 \
	--cidr-block 10.0.0.0/16

02 The command output should return the new VPC metadata:

{
    "Vpc": {
        "VpcId": "vpc-12345678",
        "InstanceTenancy": "default",
        "State": "pending",
        "DhcpOptionsId": "dopt-aaaabbbb",
        "CidrBlock": "10.0.0.0/16",
        "IsDefault": false
    } 
}

03 Run create-internet-gateway command (OSX/Linux/UNIX) to create an AWS Internet Gateway (IGW) for use with the newly created VPC (required):

aws ec2 create-internet-gateway \
	--region us-east-1

04 The command output should return the Internet Gateway metadata (including its ID):

{
    "InternetGateway": {
        "Tags": [],
        "InternetGatewayId": "igw-abcdabcd",
        "Attachments": []
    }
}  

05 Run attach-internet-gateway command (OSX/Linux/UNIX) to attach the new Internet Gateway (IGW) to your non-default VPC created at step no. 1 (the command does not produce an output):

aws ec2 attach-internet-gateway \
	--region us-east-1 \
	--internet-gateway-id igw-abcdabcd \
	--vpc-id vpc-12345678

06 Run create-subnet command (OSX/Linux/UNIX) to set up a custom subnet for the new VPC. The necessary AWS resources such as the EC2 instances will be launched within this subnet (required):

aws ec2 create-subnet \
	--region us-east-1 \
	--vpc-id vpc-12345678 \
	--cidr-block 10.0.1.0/24

07 The command output should return the subnet metadata (including the subnet ID):

{
    "Subnet": {
        "VpcId": "vpc-12345678",
        "CidrBlock": "10.0.1.0/24",
        "State": "pending",
        "AvailabilityZone": "us-east-1b",
        "SubnetId": "subnet-abcd1234",
        "AvailableIpAddressCount": 251
    }
}

08 Run create-route-table command (OSX/Linux/UNIX) to create a route table for your non-default VPC (required):

aws ec2 create-route-table \
	--region us-east-1 \
	--vpc-id vpc-12345678

09 The command output should return the VPC route table metadata (including its ID):

{
    "RouteTable": {
        "Associations": [],
        "RouteTableId": "rtb-aabbccdd",
        "VpcId": "vpc-12345678",
        "PropagatingVgws": [],
        "Tags": [],
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "10.0.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            }
        ]
    }
}  

10 Run associate-route-table command (OSX/Linux/UNIX) to associate the VPC subnet created at step no. 6 with the new route table (required):

aws ec2 associate-route-table \
	--region us-east-1 \
	--route-table-id rtb-aabbccdd \
	--subnet-id subnet-abcd1234

11 The command output should return the non-default VPC route table association ID:

{
    "AssociationId": "rtbassoc-a1b2c3d4"
}   

12 Run create-route command (OSX/Linux/UNIX) to add a new route within the VPC route table installed earlier (required):

aws ec2 create-route \
	--region us-east-1 \
	--route-table-id rtb-aabbccdd \
	--destination-cidr-block 0.0.0.0/0 \
	--gateway-id igw-abcdabcd

13 The command output should return the status of the request (true for success, an error message if the request fails):

{
    "Return": true
}

14 Now you can configure your non-default VPC based on your application requirements (create custom security groups, private subnets, etc.) and migrate the application from the default VPC (see Audit section part II to identify the default VPC in the selected region) to the non-default VPC.

15 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 14 to perform the entire process for other regions.
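Steps 1 to 13 above as one script (an added example, not Cloud Conformity's own tooling) that chains the create-* commands by reading each resource ID with --query instead of copying it by hand. It goes one step beyond the page: alongside the public subnet it creates a private subnet whose route table never receives the 0.0.0.0/0 route to the Internet Gateway, which is the "private subnets" piece of step 14. The REGION and NAME variables and the ec2 wrapper are this example's own; the AWS CLI with permissions for the ec2 actions used is assumed.

```shell
#!/bin/sh
# Build a non-default VPC with a public and a private subnet (added example, not
# Cloud Conformity's tooling). It chains the page's create-* commands by reading
# each ID with --query, and goes one step beyond them: only the public subnet's
# route table gets the 0.0.0.0/0 route to the Internet Gateway, so instances in
# the private subnet are not directly reachable from the internet.
# Assumes the AWS CLI with permissions for the ec2 actions used below.
set -e

REGION=${REGION:-us-east-1}
NAME=${NAME:-app-vpc}     # Name tag applied to every created resource (assumed value)

# Wrapper so every call targets $REGION and returns plain text for --query.
ec2() { aws ec2 "$@" --region "$REGION" --output text; }

build_vpc() {
    vpc=$(ec2 create-vpc --cidr-block 10.0.0.0/16 --query 'Vpc.VpcId')
    ec2 wait vpc-available --vpc-ids "$vpc"
    igw=$(ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId')
    ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"

    # Public subnet: its own route table with a default route through the IGW.
    pub=$(ec2 create-subnet --vpc-id "$vpc" --cidr-block 10.0.1.0/24 --query 'Subnet.SubnetId')
    pub_rt=$(ec2 create-route-table --vpc-id "$vpc" --query 'RouteTable.RouteTableId')
    ec2 associate-route-table --route-table-id "$pub_rt" --subnet-id "$pub"
    ec2 create-route --route-table-id "$pub_rt" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"

    # Private subnet: its own route table that keeps only the implicit local
    # route, so nothing placed in it is exposed through the IGW.
    priv=$(ec2 create-subnet --vpc-id "$vpc" --cidr-block 10.0.2.0/24 --query 'Subnet.SubnetId')
    priv_rt=$(ec2 create-route-table --vpc-id "$vpc" --query 'RouteTable.RouteTableId')
    ec2 associate-route-table --route-table-id "$priv_rt" --subnet-id "$priv"

    ec2 create-tags --resources "$vpc" "$igw" "$pub" "$priv" "$pub_rt" "$priv_rt" \
        --tags "Key=Name,Value=$NAME"
    echo "vpc=$vpc igw=$igw public_subnet=$pub private_subnet=$priv"
}

# Run with: REGION=us-east-1 sh build-vpc.sh run
if [ "${1:-}" = "run" ]; then build_vpc; fi
```

Instances in the private subnet have no path to the internet at all; add a NAT gateway route to priv_rt only if they need outbound access.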


Publication date Sep 10, 2018