Rule: VPC Route Table Should Restrict Public Access to IGW

VPC Route Table Restriction for Public Access to IGW for FedRAMP Moderate Revision 4

Description

Troubleshooting Steps

2. 1.

   Verify VPC Requirements: Ensure that the VPC is properly configured with the necessary subnets, security groups, and associated resources such as instances, load balancers, or NAT gateways.

4. 2.

   Check Route Table Configuration: Confirm that the correct route table is applied to the desired subnets within the VPC. Validate that the routing rules are appropriately set up, including any restrictions for public access to the IGW.

6. 3.

   Verify IGW Attachment: Ensure that the IGW is correctly attached to the VPC and associated with the relevant subnets requiring public access. Validate the VPC attachments to the IGW and their routing configurations.

8. 4.

   Adjust Route Rules: If required, modify the route table rules to restrict public access to the IGW. Review the rules and update them with proper restrictions, allowing only authorized traffic to utilize the IGW.

10. 5.

    Check Security Groups: Evaluate the security group configurations for instances that require public access. Ensure that proper inbound and outbound rules are implemented to control access to these resources.

12. 6.

    Test Connectivity: Once the route table changes and security group settings are adjusted, verify the connectivity by testing the access to the desired resources from within the VPC. Perform testing for both inbound and outbound traffic to ensure the desired access restrictions are in place.

Necessary Codes (if applicable)

2. 1.
   Create a new route table:

$ aws ec2 create-route-table --vpc-id <vpc-id>

2. 1.
   Associate a route table with a subnet:

$ aws ec2 associate-route-table --subnet-id <subnet-id> --route-table-id <route-table-id>

2. 1.
   Modify an existing route table:

$ aws ec2 replace-route --route-table-id <route-table-id> --destination-cidr-block <destination-cidr-block> --gateway-id <gateway-id> --dry-run

<vpc-id>

<subnet-id>

<route-table-id>

<destination-cidr-block>

<gateway-id>

Remediation Steps

2. 1.

   Identify the VPC: Determine the ID or name of the VPC within your AWS environment where the IGW and associated subnets exist.

4. 2.

   Access the AWS Management Console: Log in to the AWS Management Console using appropriate authentication credentials.

6. 3.

   Navigate to VPC Dashboard: Go to the VPC Dashboard by selecting the "Services" drop-down menu, searching for "VPC," and clicking on the appropriate result.

8. 4.

   Select Route Tables: In the VPC Dashboard, select "Route Tables" from the left-hand navigation pane.

10. 5.

    Identify the Correct Route Table: Identify the route table that needs to be modified based on its associated subnets and VPC configuration.

12. 6.

    Modify Route Table: Select the identified route table and click on the "Routes" tab in the lower pane.

14. 7.

    Add Route Rule: Click on the "Edit routes" or "Add route" button to modify the routing rules of the selected route table.

16. 8.

    Configure Access Restriction: Add a new route entry or update an existing one to restrict public access to the IGW. Specify the desired destination CIDR block (e.g., 0.0.0.0/0) and choose a non-IGW target or a "blackhole" route to block public access (e.g., Null or Interface endpoint).

18. 9.

    Save Changes: Save the modified route table configuration.

20. 10.

    Test Connectivity: Verify the changes made to the route table by testing the connectivity to the desired resources within the VPC, ensuring that public access to the IGW is now restricted as per the FedRAMP Moderate Revision 4 requirements.

Congratulations, you have implemented the necessary steps to restrict public access to the IGW in the VPC route table according to the FedRAMP Moderate Revision 4 requirements.