This rule ensures VPC route tables restrict public access to Internet Gateways.
| Rule | VPC route table should restrict public access to IGW |
| Framework | FedRAMP Low Revision 4 |
| Severity | High |
VPC Route Table Restriction for FedRAMP Low Revision 4 Compliance
The Federal Risk and Authorization Management Program, or FedRAMP, sets standards for the security of cloud services and infrastructure used by federal agencies. One requirement for achieving and maintaining compliance with FedRAMP Low Revision 4 is ensuring that Virtual Private Cloud (VPC) route tables are properly configured to restrict public access to the Internet Gateway (IGW). This is essential to control the traffic flow between the internet and your AWS VPC, preventing unauthorized access and potential vulnerabilities.
Understanding the Rule
A route table contains a set of rules, called routes, that determine where network traffic from your VPC is directed. To restrict public access to the IGW and maintain compliance with FedRAMP Low Revision 4, the route table associated with your VPC must be configured in such a way that only necessary and authorized IP addresses have access to the IGW.
Troubleshooting Steps
If you have an existing VPC and you need to verify compliance or modify the route table to restrict IGW access, follow these steps:
Step 1: Identify the VPC
Determine which VPC requires configuration or examination for FedRAMP compliance.
Step 2: Examine the Route Table
Inspect the current route table configuration for any routes that allow unrestricted access to the IGW.
Step 3: Analyze Traffic Requirements
Understand the traffic flow necessary for your application and which resources need internet access.
Step 4: Modify Route Table Rules
Remove or adjust any routes in the route table that allow wide-ranging access to the IGW.
Step 5: Test Configuration Changes
After making changes, test to ensure that proper communication occurs, without exposing your VPC to unrestricted internet access.
Necessary CLI Commands
To modify route tables using AWS CLI, the following commands are essential:
View Current Route Tables
```shell
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=your-vpc-id"
```
Replace `your-vpc-id` with the ID of your VPC.
Delete Unrestricted IGW Route
```shell
aws ec2 delete-route --route-table-id rtb-id --destination-cidr-block 0.0.0.0/0
```
Replace `rtb-id` with the ID of your route table.
Add a Restricted IGW Route
```shell
aws ec2 create-route --route-table-id rtb-id --destination-cidr-block cidr-block --gateway-id igw-id
```
Replace `rtb-id` with your route table ID, `cidr-block` with the IP range you wish to allow, and `igw-id` with your internet gateway ID.
Step by Step Guide for Remediation
Step 1: Review Current Routes
Use the `describe-route-tables` CLI command to list all routes.
Step 2: Remove Unwanted Routes
Use the `delete-route` command to remove any routes that provide unrestricted access to the IGW.
Step 3: Add Specific Routes
Create the necessary routes with restricted IP ranges using the `create-route` command.
Step 4: Confirm Changes
Verify the routes are properly set up using `describe-route-tables`.
Step 5: Continuous Monitoring
Finally, regularly monitor your route tables to ensure compliance is maintained.
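As an added example (not part of the original rule page), the following Python script applies the check from Steps 1 and 4 to the JSON that `aws ec2 describe-route-tables` prints: it flags every route whose destination is 0.0.0.0/0 or ::/0 and whose target is an Internet Gateway, and emits the matching `delete-route` command from Step 2 for each finding instead of deleting anything itself. The route-table output embedded in the script is constructed sample data, and the resource IDs in it (`rtb-0aaa111example`, `igw-0example`, and so on) are placeholders, not real identifiers.

```python
"""Flag VPC route tables whose default route (0.0.0.0/0 or ::/0) points at an Internet Gateway.

Reads the JSON produced by `aws ec2 describe-route-tables` from a file argument or stdin;
with neither, it runs against the constructed sample below.
"""
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-route-tables --output json`.
# All IDs are placeholders. Table 1 is a public subnet's table (IPv4 and IPv6 default
# routes via the IGW); table 2 is the VPC's main table, which reaches the internet via
# a NAT gateway and only sends one narrow destination range through the IGW.
SAMPLE_OUTPUT = json.dumps({
    "RouteTables": [
        {
            "RouteTableId": "rtb-0aaa111example",
            "VpcId": "vpc-0example",
            "Associations": [{"SubnetId": "subnet-0pubexample", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-0bbb222example",
            "VpcId": "vpc-0example",
            "Associations": [{"Main": True}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
                {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0example", "State": "active"},
            ],
        },
    ]
})

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def route_destination(route):
    """Return the destination of a route, whichever of the CIDR/prefix-list keys it uses."""
    return (route.get("DestinationCidrBlock")
            or route.get("DestinationIpv6CidrBlock")
            or route.get("DestinationPrefixListId", ""))


def is_unrestricted_igw_route(route):
    """True when the route sends all IPv4 or all IPv6 traffic to an Internet Gateway."""
    gateway = route.get("GatewayId", "")
    return gateway.startswith("igw-") and route_destination(route) in (ANY_IPV4, ANY_IPV6)


def find_unrestricted_igw_routes(describe_output):
    """Return one finding per offending route across all route tables in the output."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    findings = []
    for table in data.get("RouteTables", []):
        # A finding in the main route table affects every subnet with no explicit association.
        is_main = any(assoc.get("Main") for assoc in table.get("Associations", []))
        for route in table.get("Routes", []):
            if is_unrestricted_igw_route(route):
                findings.append({
                    "RouteTableId": table["RouteTableId"],
                    "VpcId": table.get("VpcId"),
                    "Destination": route_destination(route),
                    "GatewayId": route["GatewayId"],
                    "Main": is_main,
                })
    return findings


def remediation_commands(findings):
    """Build the `aws ec2 delete-route` command for each finding (IPv6 routes need a different flag)."""
    commands = []
    for finding in findings:
        flag = "--destination-ipv6-cidr-block" if ":" in finding["Destination"] else "--destination-cidr-block"
        commands.append(
            f"aws ec2 delete-route --route-table-id {finding['RouteTableId']} {flag} {finding['Destination']}"
        )
    return commands


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            raw = handle.read()
    elif not sys.stdin.isatty():
        raw = sys.stdin.read()
    else:
        raw = SAMPLE_OUTPUT  # no input given: demonstrate on the constructed sample
    findings = find_unrestricted_igw_routes(raw)
    if not findings:
        print("No route table sends 0.0.0.0/0 or ::/0 to an Internet Gateway.")
        return 0
    for finding, command in zip(findings, remediation_commands(findings)):
        scope = "main table, applies to unassociated subnets" if finding["Main"] else "subnet-associated table"
        print(f"{finding['RouteTableId']} ({finding['VpcId']}, {scope}): "
              f"{finding['Destination']} -> {finding['GatewayId']}")
        print(f"    {command}")
    return 1  # non-zero so a scheduled run can alert on drift (Step 5)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To check a real VPC, pipe the CLI output in: `aws ec2 describe-route-tables --filters "Name=vpc-id,Values=your-vpc-id" --output json | python3 check_igw_routes.py` (the script name is an assumption). The script only reports and prints the commands because deleting a default route removes outbound internet access for every instance in the associated subnets; subnets that still need outbound access but must not be reachable from the internet are normally routed through a NAT gateway, as the second sample table shows, so review the traffic requirements from Step 3 before running any of the printed commands.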
The overall security configuration, including VPC route tables that restrict public access, will be crucial for meeting the requirements of FedRAMP Low Revision 4. Continually adapt and review your configurations to maintain a secure cloud environment.