Best practice rules for Amazon Virtual Private Cloud (VPC)
AWS Virtual Private Cloud (VPC) provides you with an isolated section within the AWS cloud to launch resources in a virtual network tailored to your organization. Implementing a VPC provides you with complete control of your virtual network, including configuration of network gateways and route tables, and the ability to select your IP range. Using a virtual private cloud adds another layer of security for your infrastructure, for example, by defining which resources within your AWS account have access to the internet.
Trend Micro Cloud One™ – Conformity monitors Amazon Virtual Private Cloud (VPC) with the following rules:
- AWS VPC Peering Connections Route Tables Access
Ensure that the Amazon VPC peering connection configuration is compliant with the desired routing policy.
- AWS VPN Tunnel State
Ensure the state of your AWS Virtual Private Network (VPN) tunnels is UP
- Ineffective Network ACL DENY Rules
Ensure that Amazon Network ACL DENY rules are effective within the VPC configuration.
- Managed NAT Gateway in Use
Ensure that the Managed NAT Gateway service is enabled for high availability (HA).
- Specific Gateway Attached To Specific VPC
Ensure that a specific Internet/NAT gateway is attached to a specific VPC.
- Unrestricted Inbound Traffic on Remote Server Administration Ports
Ensure that no Network ACL (NACL) allows unrestricted inbound traffic on TCP ports 22 and 3389.
- Unrestricted Network ACL Inbound Traffic
Ensure that no Network ACL (NACL) allows inbound/ingress traffic from all ports.
- Unrestricted Network ACL Outbound Traffic
Ensure that no Network ACL (NACL) allows outbound/egress traffic to all ports.
- Unused VPC Internet Gateways
Ensure unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices.
- Unused Virtual Private Gateways
Ensure unused Virtual Private Gateways (VGWs) are removed to follow best practices.
- VPC Endpoint Cross Account Access
Ensure Amazon VPC endpoints don't allow unknown cross account access.
- VPC Endpoint Exposed
Ensure Amazon VPC endpoints aren't exposed to everyone.
- VPC Endpoints In Use
Ensure that VPC endpoints are being used to connect your VPC to another AWS cloud service.
- VPC Flow Logs Enabled
Ensure VPC flow logging is enabled in all VPCs.
- VPC Naming Conventions
Follow proper naming conventions for Virtual Private Clouds.
- VPC Peering Connections To Accounts Outside AWS Organization
Ensure VPC peering communication is only between AWS accounts, members of the same AWS Organization.
- VPN Tunnel Redundancy
Ensure AWS VPNs have always two tunnels active in order to enable redundancy.