
Rule: EC2 instances should be in a VPC

This rule ensures all EC2 instances are placed within a Virtual Private Cloud.

Rule: EC2 instances should be in a VPC
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description

This rule ensures that all EC2 instances are deployed within a Virtual Private Cloud (VPC) for compliance with FedRAMP Low Revision 4. The usage of a VPC provides network isolation, security groups, and other network-level controls, enhancing the security and compliance posture of the EC2 instances.

Troubleshooting Steps

  1. Verify whether the EC2 instance is currently deployed within a VPC:

    • Go to the AWS Management Console.
    • Navigate to the EC2 service.
    • Click on "Instances" in the left-hand menu.
    • Select the EC2 instance you want to investigate.
    • In the details pane at the bottom, check whether the VPC ID field shows an assigned VPC. If the field is blank or does not exist, the instance is not within a VPC.

  2. If the instance is not within a VPC, follow the remediation steps below to ensure compliance with the FedRAMP Low Revision 4 rule.
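The VPC ID check from step 1, as an added script that is not part of the Cloud Defense page: it walks the JSON returned by `aws ec2 describe-instances` (or boto3's `describe_instances`) and reports every instance that lacks a VpcId. The sample response embedded below is constructed for the example, not captured from a real account.

```python
"""Flag EC2 instances that are not attached to a VPC (added example).

Instances launched in a VPC carry a ``VpcId`` and ``SubnetId`` in the
DescribeInstances response; an instance without a ``VpcId`` violates the
rule "EC2 instances should be in a VPC".
"""
import json
import sys
from typing import Dict, List

# Constructed sample response: one VPC instance, one without a VpcId, and
# one terminated instance. The IDs are placeholders, not real resources.
SAMPLE_RESPONSE = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0aaa111example", "VpcId": "vpc-0123example",
       "SubnetId": "subnet-0456example", "State": {"Name": "running"}},
      {"InstanceId": "i-0bbb222example", "State": {"Name": "running"}}
    ]},
    {"Instances": [
      {"InstanceId": "i-0ccc333example", "State": {"Name": "terminated"}}
    ]}
  ]
}
""")


def find_instances_without_vpc(response: Dict, skip_terminated: bool = True) -> List[Dict]:
    """Return one finding per instance whose VpcId is missing or empty."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name", "unknown")
            if skip_terminated and state == "terminated":
                continue  # no longer deployed, so out of scope for the rule
            if not inst.get("VpcId"):
                findings.append({"InstanceId": inst.get("InstanceId"),
                                 "State": state, "Severity": "High",
                                 "Rule": "EC2 instances should be in a VPC"})
    return findings


def is_compliant(response: Dict, skip_terminated: bool = True) -> bool:
    """True when every in-scope instance in the response has a VpcId."""
    return not find_instances_without_vpc(response, skip_terminated)


if __name__ == "__main__":
    # Live use: `aws ec2 describe-instances --output json | python3 check_vpc.py`
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in find_instances_without_vpc(data):
        print(f"NON-COMPLIANT {finding['InstanceId']} state={finding['State']}")
```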

Remediation Steps

Prerequisites

Before proceeding with the remediation steps, ensure you have the necessary permissions to perform the following actions:

  • Access and manage Amazon EC2 instances
  • Configure VPC settings

Step 1: Create a VPC (if not already created)

If you don't have an existing VPC, follow these steps to create a new VPC:

  1. Go to the AWS Management Console.
  2. Navigate to the Amazon VPC service.
  3. Click on "Your VPCs" in the left-hand menu.
  4. Click on "Create VPC."
  5. Provide a name and CIDR block for the VPC. Ensure that the CIDR block adheres to your organization's network requirements.
  6. Click on "Create" to create the VPC.

Step 2: Assign the EC2 instance to the VPC

To assign an EC2 instance to the VPC you just created or ensure it is within an existing VPC, follow these steps:

  1. Go to the AWS Management Console.
  2. Navigate to the EC2 service.
  3. Click on "Instances" in the left-hand menu.
  4. Select the EC2 instance you want to modify.
  5. Click on the "Actions" button and choose "Networking" > "Change VPC."
  6. Select the desired VPC from the dropdown menu.
  7. Click on "Change VPC" to assign the EC2 instance to the selected VPC.

Step 3: Verify the VPC assignment

After assigning the EC2 instance to the VPC, ensure that the changes have taken effect:

  1. Go to the AWS Management Console.
  2. Navigate to the EC2 service.
  3. Click on "Instances" in the left-hand menu.
  4. Select the EC2 instance you modified.
  5. In the details pane at the bottom, verify that the VPC ID field now reflects the correct VPC assignment.

AWS CLI Commands

If you prefer using the AWS CLI to perform the remediation steps mentioned above, here are the equivalent CLI commands:

  1. Create a VPC, and a subnet inside it (an EC2 instance is launched into a subnet of a VPC):

     aws ec2 create-vpc --cidr-block <CIDR_BLOCK>
     aws ec2 create-subnet --vpc-id <VPC_ID> --cidr-block <SUBNET_CIDR_BLOCK>

  2. Assign the EC2 instance to the VPC. A running instance cannot be moved into a different VPC in place (modify-instance-attribute has no VPC option), so capture it as an AMI and launch it in the new subnet:

     aws ec2 create-image --instance-id <INSTANCE_ID> --name <IMAGE_NAME>
     aws ec2 run-instances --image-id <AMI_ID> --subnet-id <SUBNET_ID> --instance-type <INSTANCE_TYPE>

Make sure to replace <CIDR_BLOCK>, <VPC_ID>, <SUBNET_CIDR_BLOCK>, <INSTANCE_ID>, <IMAGE_NAME>, <AMI_ID>, <SUBNET_ID> and <INSTANCE_TYPE> with the appropriate values specific to your environment.

Conclusion

By following the remediation steps mentioned above, you can ensure that all EC2 instances are deployed within a VPC, meeting the requirements for FedRAMP Low Revision 4 compliance.
