
Check Web-Tier ELB Subnet Connectivity to Internet Gateway

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Amazon VPC route table associated with the web-tier load balancer subnets has the default route configured to allow access to an Internet Gateway (IGW) in order to provide internet connectivity for the web-tier load balancer. A VPC route table contains a set of rules (also known as routes) that are used to determine where the network traffic is directed. The route table associated with the load balancer subnets should contain a default route (i.e. 0.0.0.0/0) that points to an Internet Gateway. This conformity rule assumes that the VPC subnets associated with the web-tier load balancer are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> is tag name and <web_tier_tag_value> is the tag value. Before running this rule by the Trend Micro Cloud One™ – Conformity engine, the web-tier tags must be configured in the rule settings, on your Conformity account console.

Security

To provide Internet connectivity for your web-tier load balancer, the route table associated with its subnet(s) should be configured to point to the Internet Gateway (IGW) within the VPC network.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the web tier.


Audit

To determine if the route table linked to your web-tier load balancer subnets has the default route configured to allow connectivity to the Internet Gateway (IGW), perform the following actions:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Check Web-Tier ELB Subnet Connectivity to Internet Gateway conformity rule settings, and identify the tag set defined for the AWS cloud resources created for your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Load Balancing, choose Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>), then press Enter. This filtering technique will return only the load balancers tagged for the web tier. If no results are returned by the console, there are no load balancers tagged within your web tier and the Audit process ends here. If the Amazon EC2 console returns one or more load balancers, continue the Audit with the next step.

06 Select the web-tier load balancer that you want to examine.

07 Choose the Description tab from the console bottom panel to access the resource configuration details.

08 In the Basic Configuration section, identify the ID of the associated VPC subnet available as value for the Availability Zones configuration attribute (i.e. subnet ID - AZ name). Click on the ID (link) of the VPC subnet associated with the selected load balancer. The Amazon EC2 console will redirect you to the Subnets page on the VPC console.

09 Select the associated VPC subnet and choose the Route table tab from the console bottom panel to access the routes configured for the selected subnet. Check the existing routes to determine if the default route (i.e. the route with Destination set to 0.0.0.0/0) is pointing to an Internet Gateway (e.g. igw-12345678). If there is no such route available, the configuration of the selected Amazon VPC subnet is not compliant.

10 Repeat steps no. 8 and 9 to verify the rest of the associated VPC subnets for configured route tables. If none of the verified route tables have a route over the Internet Gateway (i.e. with the destination set to 0.0.0.0/0 and the target set to the VPC's Internet Gateway), there is no connectivity between the VPC subnets associated with the selected web-tier load balancer and the VPC's Internet Gateway (IGW).

11 Repeat steps no. 6 – 10 for each web-tier load balancer returned at step no. 5.

12 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Check Web-Tier ELB Subnet Connectivity to Internet Gateway conformity rule settings, and identify the tag set defined for the AWS cloud resources created for your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the names of all the load balancers provisioned in the selected AWS cloud region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --output table \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested resource names:

-------------------------
| DescribeLoadBalancers |
+-----------------------+
|  cc-project5-web-elb  |
|  cc-frontend-web-elb  |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the tags defined for the selected resource:

aws elb describe-tags \
  --region us-east-1 \
  --load-balancer-name cc-project5-web-elb \
  --query 'TagDescriptions[*].Tags[]'

05 The describe-tags command request should return one of the following outputs:

  1. If the command output returns an empty array (i.e. []), as shown in the example below, the verified load balancer is not tagged at all, therefore the Audit process for the selected resource ends here:
    []
    
  2. If the describe-tags command output returns one or more tags different than the one identified at step no. 1, as shown in the example below, the verified load balancer does not belong to your web tier, therefore the Audit process for the selected resource ends here:
    [
    	{
    		"Value": "Type",
    		"Key": "WebBased"
    	}
    ]
    
  3. If the command output returns a tag set that matches the one identified at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified load balancer is tagged as a web-tier resource, therefore the Audit process continues with the next step:
    [
    	{
    		"Value": "<web_tier_tag_value>",
    		"Key": "<web_tier_tag>"
    	}
    ]
    

06 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to describe the ID(s) of the VPC subnet(s) associated with the web-tier load balancer identified at the previous step:

aws elb describe-load-balancers \
  --region us-east-1 \
  --load-balancer-name cc-project5-web-elb \
  --query 'LoadBalancerDescriptions[*].Subnets[]'

07 The command output should return the ID(s) of the associated VPC subnet(s):

[
	"subnet-abcd1234",
	"subnet-1234abcd"
]

08 Run describe-route-tables command (OSX/Linux/UNIX) with custom query filters to describe the routes configured for the route table associated with the Amazon VPC subnets returned at the previous step:

aws ec2 describe-route-tables \
  --region us-east-1 \
  --filters Name=association.subnet-id,Values=subnet-abcd1234,subnet-1234abcd \
  --query "RouteTables[*].{RouteTableId:RouteTableId, Routes:Routes}"

09 The command output should return the routes configured for the associated route table:

[
	{
		"Routes": [
			{
				"GatewayId": "local",
				"DestinationCidrBlock": "172.16.0.0/16",
				"State": "active",
				"Origin": "CreateRouteTable"
			}
		],
		"RouteTableId": "rtb-abcdabcd"
	}
]

Check the routes returned by the describe-route-tables command output to determine if there is a route with the "DestinationCidrBlock" attribute set to "0.0.0.0/0" and the "GatewayId" attribute set to an Internet Gateway (e.g. "igw-12345678"). If the verified route table does not have a route over the Internet Gateway (i.e. a route with the destination set to 0.0.0.0/0 and the target set to the VPC's Internet Gateway), there is no connectivity between the VPC subnets associated with the selected web-tier load balancer and the VPC's Internet Gateway (IGW).

10 Repeat steps no. 6 – 9 for each web-tier load balancer returned at step no. 5.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
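The decision logic of the Audit section (both the console and the CLI walkthroughs) reduces to three checks: does the load balancer carry the configured web-tier tag, which route table governs each of its subnets, and does that table hold an active 0.0.0.0/0 route whose target is an Internet Gateway. The following script is an added example, not Conformity's own code, that runs those checks offline over the JSON shapes returned by describe-tags, describe-load-balancers and describe-route-tables (the full describe-route-tables output, including Associations, rather than the --query projection used above). It also covers a case the association.subnet-id filter alone would miss: a subnet with no explicit association is governed by the VPC's main route table. The tag pair Tier:web, the route table IDs and all sample data are constructed placeholders.

```python
"""Offline evaluation of the web-tier ELB / Internet Gateway connectivity rule.

Added example (not Conformity's own code). Input shapes follow the AWS CLI
output of describe-tags, describe-load-balancers and describe-route-tables.
All sample data below is constructed.
"""
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the <web_tier_tag>:<web_tier_tag_value> pair
# configured in the Conformity rule settings.
WEB_TIER_TAG = ("Tier", "web")


def is_web_tier(tags: Iterable[Dict[str, str]], web_tier_tag=WEB_TIER_TAG) -> bool:
    """Step 05 of the CLI audit: the load balancer belongs to the web tier
    only if one of its tags matches both the configured key and value."""
    key, value = web_tier_tag
    return any(t.get("Key") == key and t.get("Value") == value for t in tags)


def route_table_for_subnet(route_tables: List[dict], subnet_id: str) -> Optional[dict]:
    """Return the route table governing a subnet. An explicit association wins;
    a subnet without one uses the VPC main route table (Associations[].Main)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(route_table: dict) -> bool:
    """Step 09 of the CLI audit: an active route with DestinationCidrBlock
    0.0.0.0/0 whose GatewayId is an Internet Gateway (igw-...). A default
    route via a NAT gateway has no GatewayId and therefore does not count."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and str(route.get("GatewayId", "")).startswith("igw-")
                and route.get("State", "active") == "active"):
            return True
    return False


def audit_load_balancer(lb: dict, tags: List[dict], route_tables: List[dict]) -> Dict[str, str]:
    """Verdict per subnet: 'compliant', 'non-compliant' or 'no-route-table'.
    Returns {} when the load balancer is not a web-tier resource."""
    if not is_web_tier(tags):
        return {}
    verdicts: Dict[str, str] = {}
    for subnet_id in lb.get("Subnets", []):
        rt = route_table_for_subnet(route_tables, subnet_id)
        if rt is None:
            verdicts[subnet_id] = "no-route-table"
        elif has_igw_default_route(rt):
            verdicts[subnet_id] = "compliant"
        else:
            verdicts[subnet_id] = "non-compliant"
    return verdicts


# Constructed sample data mirroring the shapes shown in the Audit section.
SAMPLE_LB = {"LoadBalancerName": "cc-project5-web-elb",
             "Subnets": ["subnet-abcd1234", "subnet-1234abcd"]}
SAMPLE_TAGS = [{"Key": "Tier", "Value": "web"}]
SAMPLE_ROUTE_TABLES = [
    {   # VPC main route table: local route only, so subnets that fall back
        # to it have no path to the Internet Gateway
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "172.16.0.0/16",
                    "GatewayId": "local", "State": "active"}],
    },
    {   # explicitly associated with subnet-abcd1234: has the IGW default route
        "RouteTableId": "rtb-abcdabcd",
        "Associations": [{"SubnetId": "subnet-abcd1234"}],
        "Routes": [
            {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-12345678", "State": "active"},
        ],
    },
]

if __name__ == "__main__":
    for subnet, verdict in audit_load_balancer(SAMPLE_LB, SAMPLE_TAGS, SAMPLE_ROUTE_TABLES).items():
        print(f"{SAMPLE_LB['LoadBalancerName']} {subnet}: {verdict}")
```

With the sample data, subnet-abcd1234 is compliant and subnet-1234abcd, which only inherits the main route table, is non-compliant; feeding the script real output from the commands above (without the --query projections) gives the same per-subnet verdict the manual walkthrough produces.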

Remediation / Resolution

To create the required route (i.e. 0.0.0.0/0) with an IGW configured as gateway for the route table associated with the web-tier ELB subnets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 Click inside Select a VPC filter box and select the Virtual Private Cloud (VPC) where your web-tier load balancer is deployed.

04 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Route Tables.

05 Select the route table that you want to reconfigure (see Audit section part I to identify the right route table).

06 Select the Routes tab from the console bottom panel and choose Edit routes.

07 On the Edit routes configuration page, choose Add route to add a new route.

08 Type 0.0.0.0/0 in the Destination box, click inside the Target box, select Internet Gateway, and choose the ID of the Internet Gateway (IGW) configured for the current VPC network.

09 Choose Save routes to apply the changes. The new route matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes the traffic to the Internet Gateway available in the same VPC network as the selected web-tier load balancer.

10 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run create-route command (OSX/Linux/UNIX) using the ID of the route table that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right VPC resource), to create a new route that matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes this traffic to the Internet Gateway (IGW) available in the same Virtual Private Cloud (VPC) as the selected web-tier load balancer:

aws ec2 create-route \
  --region us-east-1 \
  --route-table-id rtb-abcdabcd \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-12345678

02 The command output should return true if the command request succeeds, otherwise it should return an error:

{
	"Return": true
}

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Publication date Jul 25, 2018
