
Ensure EC2 Instances are in a VPC rule

This rule requires every EC2 instance to run inside a Virtual Private Cloud (VPC), so that its network exposure is governed by subnets, route tables, security groups and network ACLs that you control.

Rule: EC2 instances should be in a VPC
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule: EC2 instances should be in a VPC for FedRAMP Moderate Revision 4

Description:

To meet the security requirements of FedRAMP Moderate Revision 4, all EC2 instances in your environment must be deployed within a Virtual Private Cloud (VPC). A VPC provides network isolation, subnet-level routing control, and security groups and network ACLs with which you define granular access policies for your instances. An instance that is not in a VPC is an EC2-Classic instance: its description carries no VpcId. EC2-Classic was retired in August 2022 and such an instance cannot be moved into a VPC in place, so remediation means re-creating it inside a VPC from an image of the original. The AWS Config managed rule ec2-instances-in-vpc performs this check automatically and is the usual way to surface non-compliant instances continuously.

Troubleshooting Steps:

If your EC2 instances are not currently deployed in a VPC, follow the steps below to troubleshoot and resolve the issue:

  1.

    Identify any EC2 instances that are not within a VPC:

    • Open the Amazon EC2 console.
    • Go to the "Instances" section.
    • Show the "VPC ID" column in the instance list; an instance with an empty VPC ID is not in a VPC.
  2.

    Determine whether the instances require any special network connectivity:

    • Review the purpose and network requirements of each instance to assess whether it requires direct internet access, integration with other AWS services, or connectivity to on-premises resources.
    • Based on the requirements, determine the appropriate placement (a public subnet with an internet gateway, a private subnet with a NAT gateway, or a subnet reached over VPN or Direct Connect).
  3.

    Create a new VPC if needed, then re-create the instances inside it:

    • If a suitable VPC does not exist, create a new one:
      • Navigate to the Amazon VPC console.
      • Click on "Create VPC" and define the desired configuration (IP range, DNS support, at least one subnet per required Availability Zone, route tables, and an internet or NAT gateway if the instance needs outbound access).
      • Once created, note the VPC ID and the subnet IDs for further configuration.
    • Re-create each non-VPC instance inside the VPC. There is no console action that moves an existing instance into a VPC, so the instance is imaged and launched again:
      • Select the instance in the EC2 console, then click "Actions" > "Image and templates" > "Create image". By default this reboots the instance so that the image is file-system consistent; plan a maintenance window.
      • Once the AMI is available, launch a new instance from it and, under "Network settings" in the launch wizard, choose a subnet of the target VPC and VPC security groups.
      • Re-associate any Elastic IP address or additional EBS volumes the application depends on, and terminate the original instance only after the replacement has been validated.
  4.

    Update security group rules:

    • Security groups from EC2-Classic cannot be attached to an instance in a VPC, so create VPC security groups that reproduce only the rules the instance actually needs.
    • Review the rules to ensure they align with your network requirements, following the principle of least privilege: restrict sources to known CIDR ranges or other security groups, and never leave administrative ports (such as 22 or 3389) or "all traffic" open to 0.0.0.0/0 or ::/0.
      • Open the Amazon EC2 console.
      • Go to the "Security Groups" section.
      • Select the security group attached to the new instance.
      • Click on "Inbound rules" or "Outbound rules", then "Edit inbound rules" or "Edit outbound rules".
      • Add or modify rules according to your requirements.
  5.

    Test the network connectivity:

    • After the changes have been made, confirm that the new instances report a VPC ID and subnet ID in the console.
    • Validate network connectivity, both within the VPC and to external resources, depending on the instance's application and connectivity requirements, before terminating the original instances.

Code:

No specific code is required for this rule/policy. However, the following AWS CLI commands may be helpful for troubleshooting or making changes:

  • List instances with their VPC (an empty VpcId column means the instance is not in a VPC):

    aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,State.Name,VpcId,SubnetId]' --output table

  • Describe VPCs:

    aws ec2 describe-vpcs

  • Create a VPC and a subnet in it:

    aws ec2 create-vpc --cidr-block <CIDR block>
    aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <subnet CIDR block>

  • Re-create an instance inside a VPC (modify-instance-attribute has no option that changes an instance's VPC; the instance is imaged and launched again in the target subnet, and the original is terminated once the replacement is validated):

    aws ec2 create-image --instance-id <instance-id> --name <ami-name>
    aws ec2 run-instances --image-id <ami-id> --instance-type <instance-type> --subnet-id <subnet-id> --security-group-ids <group-id>
    aws ec2 terminate-instances --instance-ids <instance-id>

  • Add an inbound security group rule (the source is given with --cidr, or with --source-group when the source is another security group):

    aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol <protocol> --port <port> --cidr <source CIDR>

Note: Replace <CIDR block>, <subnet CIDR block>, <instance-id>, <ami-name>, <ami-id>, <instance-type>, <subnet-id>, <vpc-id>, <group-id>, <protocol>, <port> and <source CIDR> with the appropriate values in the above commands.

Remediation Steps:

Follow the step-by-step guide below to remediate non-compliant EC2 instances and ensure they are within a VPC:

  1.

    Identify instances not in a VPC:

    • Use the Amazon EC2 console (the "VPC ID" column) or the CLI command
      aws ec2 describe-instances
      and look for instances whose description has no VpcId; these are the non-compliant instances.
  2.

    Determine network requirements:

    • Review the network connectivity requirements for each instance to determine the suitable placement (public subnet, private subnet, or a subnet connected to on-premises networks) and the other network components it needs, such as subnets, route tables, gateways and security groups.
  3.

    Create a new VPC if needed, then re-create the instances inside it:

    • Create a new VPC:
      • Access the Amazon VPC console.
      • Click on "Create VPC" and configure the desired VPC settings, including IP range, DNS support, subnets, route tables and gateways.
      • Make a note of the VPC ID and subnet IDs for further configuration steps.
    • Re-create the instances inside the VPC (an existing instance cannot be moved into a VPC in place):
      • From the EC2 console, select a non-compliant instance and click "Actions" > "Image and templates" > "Create image"; the instance reboots by default while the image is taken.
      • When the AMI is available, launch a new instance from it into a subnet of the intended VPC with VPC security groups.
      • Re-associate any Elastic IP address or additional volumes the application depends on.
      • Verify that the new instance reports the intended VPC ID, then terminate the original instance.
  4.

    Update security group rules:

    • EC2-Classic security groups do not apply to VPC instances; create VPC security groups and add only the rules each instance's network connectivity actually requires.
    • Open the Amazon EC2 console and navigate to the "Security Groups" section.
    • Identify the security group attached to each new instance.
    • Click on "Inbound rules" or "Outbound rules", then "Edit inbound rules" or "Edit outbound rules".
    • Add or modify rules considering the instance's application requirements, keeping sources restricted to known CIDR ranges or security groups rather than 0.0.0.0/0 or ::/0.
  5.

    Verify network connectivity:

    • Test the network connectivity of the instances within the VPC and ensure the desired connectivity to external resources or on-premises systems is established.
    • Validate the instances' functionality and connectivity based on their application requirements before decommissioning the originals.

Following these steps will ensure that your EC2 instances are deployed within a VPC, meeting the security requirements of FedRAMP Moderate Revision 4.
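The identification and re-launch procedure above, as an added example that is not part of this page or of any Cloud Defense tooling: a Python script that consumes the JSON emitted by `aws ec2 describe-instances` and `aws ec2 describe-security-groups` (replaced here by constructed samples so that it runs offline), lists the instances that carry no VpcId, produces the CLI sequence that re-creates each one in a target subnet, and, for step 4, flags inbound rules that are open to any address on an administrative port or on all traffic. Every instance, AMI, subnet and security group ID in it is made up, and `<ami-id>` stays a placeholder because it is only known once create-image returns.

```python
"""Find EC2 instances that are not in a VPC and build the re-launch plan.

Added example: parses the JSON structures that `aws ec2 describe-instances`
and `aws ec2 describe-security-groups` emit. The samples below are
constructed; all IDs are made up.
"""

# Constructed sample of `aws ec2 describe-instances --output json`, trimmed to
# the fields the check needs. i-0aaa... has no VpcId (an EC2-Classic style
# instance); i-0bbb... is in a VPC; i-0ccc... is terminated and ignored.
SAMPLE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa000000000001", "InstanceType": "t3.micro",
             "State": {"Name": "running"}, "ImageId": "ami-0example00000001",
             "SecurityGroups": [{"GroupId": "sg-0classic0000001",
                                 "GroupName": "classic-web"}]},
            {"InstanceId": "i-0bbb000000000002", "InstanceType": "t3.micro",
             "State": {"Name": "running"}, "VpcId": "vpc-0example0000001",
             "SubnetId": "subnet-0example00001"},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc000000000003", "InstanceType": "t3.micro",
             "State": {"Name": "terminated"}},
        ]},
    ]
}

# Constructed sample of `aws ec2 describe-security-groups --output json`.
# Rule order: HTTPS from anywhere (accepted), SSH from anywhere (flagged),
# all traffic from any IPv6 address (flagged), SSH from one office range (ok).
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0vpc000000000001", "GroupName": "web-vpc",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "-1", "IpRanges": [],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
         ]},
    ]
}


def instances_without_vpc(describe_output):
    """Return non-terminated instances whose description carries no VpcId."""
    flagged = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            if not inst.get("VpcId"):
                flagged.append(inst)
    return flagged


def relaunch_commands(inst, target_subnet_id, target_group_ids):
    """CLI sequence that recreates one non-VPC instance inside a VPC.

    An instance cannot be moved into a VPC in place, so the plan is: image
    it, launch the image into a subnet of the target VPC with VPC security
    groups, and terminate the original only after the replacement is tested.
    """
    iid = inst["InstanceId"]
    return [
        # create-image reboots the instance by default so the image is consistent
        f"aws ec2 create-image --instance-id {iid} --name {iid}-vpc-migration",
        # <ami-id> is the ImageId returned by create-image
        "aws ec2 wait image-available --image-ids <ami-id>",
        "aws ec2 run-instances --image-id <ami-id> "
        f"--instance-type {inst.get('InstanceType', '<instance-type>')} "
        f"--subnet-id {target_subnet_id} "
        f"--security-group-ids {' '.join(target_group_ids)}",
        # only after the replacement has been validated
        f"aws ec2 terminate-instances --instance-ids {iid}",
    ]


WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # never world-open, even when 443 from anywhere is intended


def world_open_rules(security_groups_output, admin_ports=ADMIN_PORTS):
    """Flag inbound rules open to any address on an admin port or all protocols."""
    findings = []
    for group in security_groups_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD:
                continue
            all_traffic = perm.get("IpProtocol") == "-1"   # "-1" means every protocol
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            exposes_admin = lo is not None and any(lo <= p <= hi for p in admin_ports)
            if all_traffic or exposes_admin:
                findings.append((group["GroupId"], perm.get("IpProtocol"), lo, hi))
    return findings


if __name__ == "__main__":
    for inst in instances_without_vpc(SAMPLE_INSTANCES):
        print(f"{inst['InstanceId']} has no VpcId; re-create it with:")
        for cmd in relaunch_commands(inst, "subnet-0target000001", ["sg-0vpc000000000001"]):
            print("  " + cmd)
    for finding in world_open_rules(SAMPLE_SECURITY_GROUPS):
        print("world-open inbound rule:", finding)
```

To run it against a real account, replace the two constructed dictionaries with `json.load` of the output of `aws ec2 describe-instances --output json` and `aws ec2 describe-security-groups --output json`; the functions need nothing else. Instances in a VPC always carry both VpcId and SubnetId, so the absence of VpcId alone is the compliance signal.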
