
Rule: EC2 Instances Should Be in a VPC

This rule ensures all EC2 instances are located within a Virtual Private Cloud (VPC) for enhanced security and network isolation.

Rule: EC2 instances should be in a VPC
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description:

All EC2 instances used within the AWS environment must be deployed within a Virtual Private Cloud (VPC) to comply with the FedRAMP Moderate Revision 4 security requirements. A VPC provides logical isolation for your cloud resources and enables you to define network settings, including IP address ranges, subnets, route tables, and network gateways.

Possible Issues:

  1. EC2 instances are not deployed within a VPC.
  2. EC2 instances are deployed in an incorrect or unsupported VPC configuration.
  3. Existing EC2 instances need to be migrated to a VPC.

Troubleshooting Steps:

  1. Confirm VPC Configuration:

    • Verify whether the EC2 instances are already deployed within a VPC.
    • Access the AWS Management Console and navigate to the EC2 service.
    • Check the "Instances" section and confirm that each instance is running within a VPC.

  2. Create a VPC:

    • If no VPC exists, create one by following these steps:
      • Access the AWS Management Console and navigate to the VPC service.
      • Click "Create VPC" and provide the necessary details, such as the name, IP address range, and subnets.
      • Configure additional settings, such as route tables and security groups, according to your requirements.

  3. Migrate Existing Instances to a VPC:

    • If EC2 instances running outside a VPC need to be migrated, follow these steps:
      • Launch a new EC2 instance within the desired VPC.
      • Set up appropriate security groups and network settings for the new instance.
      • Create an AMI (Amazon Machine Image) of the existing EC2 instance that needs to be migrated.
      • Use the AMI to launch a new EC2 instance within the VPC.
      • Verify the functionality of the new instance and ensure it meets all necessary requirements.
      • Terminate the old EC2 instance outside the VPC once the migration is successful.

Additional Configuration:

In some cases, specific network configurations may be required by the FedRAMP Moderate Revision 4 guidelines. Ensure the following requirements are met:

  1. Subnet Configuration:

    • Subnets should be configured with appropriate IP address ranges.
    • Public and private subnets should be used based on the requirements of the EC2 instances.

  2. Security Group Configuration:

    • Configure security groups to control inbound and outbound traffic to and from the EC2 instances.
    • Follow the principle of least privilege when defining security group rules.

Relevant CLI Commands:

AWS CLI commands can be used to create a VPC, migrate instances, and configure associated resources. Here are some examples:

  1. Create a VPC:

    aws ec2 create-vpc --cidr-block <VPC_CIDR_BLOCK>

  2. Migrate an EC2 instance to the VPC using an AMI:

    aws ec2 run-instances --image-id <AMI_ID> --instance-type <INSTANCE_TYPE> --subnet-id <SUBNET_ID> --security-group-ids <SECURITY_GROUP_ID>

  3. Configure a security group:

    aws ec2 create-security-group --group-name <SECURITY_GROUP_NAME> --description "<DESCRIPTION>" --vpc-id <VPC_ID>

Note: Replace the placeholders (in angle brackets) with actual values specific to your environment.
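The following is an added example, not part of the original rule page, that automates the first troubleshooting step: it parses the JSON that `aws ec2 describe-instances --output json` returns and reports every non-terminated instance whose description carries no VpcId (instances launched in a VPC always report one). The instance, VPC and subnet IDs in the embedded sample are constructed.

```python
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-instances --output json`. All IDs are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaa1111bbbb2222", "State": {"Name": "running"},
             "VpcId": "vpc-0123456789abcdef0", "SubnetId": "subnet-0123456789abcdef0"},
            {"InstanceId": "i-0cccc3333dddd4444", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0eeee5555ffff6666", "State": {"Name": "terminated"}},
        ]},
    ]
})


def instances_outside_vpc(describe_output, skip_terminated=True):
    """Return the IDs of instances whose description has no VpcId.

    Terminated instances are skipped by default: they cannot be migrated
    and would only add noise to the finding.
    """
    data = json.loads(describe_output)
    findings = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name")
            if skip_terminated and state == "terminated":
                continue
            if not inst.get("VpcId"):
                findings.append(inst["InstanceId"])
    return findings


def evaluate_rule(describe_output):
    """Map the finding list to the rule's PASS/FAIL verdict."""
    offenders = instances_outside_vpc(describe_output)
    return {"status": "FAIL" if offenders else "PASS", "instances": offenders}


if __name__ == "__main__":
    # In practice, feed the real output of `aws ec2 describe-instances`
    # (one region at a time) instead of the constructed sample.
    print(json.dumps(evaluate_rule(SAMPLE_DESCRIBE_INSTANCES), indent=2))
```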

Remediation Steps:

  1. Ensure all EC2 instances are within a VPC:

    • Identify instances running outside a VPC and create a plan for migration.
    • Follow the troubleshooting steps above if necessary.

  2. Create a VPC (if not already created):

    • Verify whether a suitable VPC already exists; if not, create a new VPC following the steps above.

  3. Migrate instances to the VPC:

    • For instances running outside a VPC, launch new instances within the VPC using AMIs and terminate the old instances.

  4. Configure additional VPC resources (if applicable):

    • Set up appropriate subnets, route tables, and security groups according to your specific requirements.

  5. Regularly review and update VPC configurations as needed to maintain compliance with FedRAMP guidelines.
