
Rule: VPC Route Table Should Restrict Public Access to IGW

This rule requires that VPC route tables be configured to restrict public access to the Internet Gateway (IGW).

Rule: VPC route table should restrict public access to IGW
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: High

Description of the Rule

The rule requires that the VPC route table configuration restricts public access to the Internet Gateway (IGW) exclusively for Federal Financial Institutions Examination Council (FFIEC) organizations. This ensures that only approved entities within the FFIEC can access resources outside the VPC, while maintaining a secure network environment.

Troubleshooting Steps

If there are any issues with the VPC route table restricting public access to the IGW for FFIEC, you can follow these troubleshooting steps:

  1. Verify VPC Configuration: Check that the VPC is set up correctly and that the desired route table is associated with the correct subnets.

  2. Confirm IGW Attachment: Ensure that the Internet Gateway is attached to the VPC and associated with the appropriate route table.

  3. Check Route Table Entries: Validate that the route table contains the necessary entry to route traffic to the IGW for the FFIEC IP ranges.

  4. Subnet Associations: Verify that the subnets associated with the route table are correct and aligned with the FFIEC requirements.

Necessary Codes

If necessary, you can utilize the following AWS CLI code snippets to configure the VPC route table to restrict public access to the IGW for FFIEC:

  1. Create a route table for the VPC:

     aws ec2 create-route-table --vpc-id <vpc-id>

  2. Associate the route table with the desired subnet:

     aws ec2 associate-route-table --subnet-id <subnet-id> --route-table-id <route-table-id>

  3. Add a route to the IGW for the FFIEC IP ranges only (rather than a default route):

     aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <ffiec-ip-range> --gateway-id <igw-id>
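The check in troubleshooting step 3 can be scripted against the output of `aws ec2 describe-route-tables --output json`. The following is an added example, not code from Cloud Defense or AWS; it assumes the rule's failing condition is an active default route (0.0.0.0/0 or ::/0) whose target is an Internet Gateway (igw-...), and that routes scoped to specific CIDR ranges, as the remediation above creates, are acceptable. The sample data and IDs are constructed placeholders.

```python
import json

PUBLIC_DESTINATIONS = {"0.0.0.0/0", "::/0"}


def public_igw_routes(route_table):
    """Return (destination, target) for every active route in one table that
    sends all IPv4 or IPv6 traffic to an Internet Gateway."""
    findings = []
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        target = route.get("GatewayId", "")
        # A 'blackhole' route (its target is gone) forwards nothing, so only 'active' counts.
        if dest in PUBLIC_DESTINATIONS and target.startswith("igw-") and route.get("State") == "active":
            findings.append((dest, target))
    return findings


def evaluate(describe_output):
    """Map each RouteTableId to 'alarm' (default route to an IGW) or 'ok', given
    the parsed JSON of `aws ec2 describe-route-tables --output json`."""
    return {rt["RouteTableId"]: ("alarm" if public_igw_routes(rt) else "ok")
            for rt in describe_output["RouteTables"]}


# Constructed sample in the shape of describe-route-tables output (placeholder IDs).
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ddd0000000000001", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0eee0000000000001", "State": "active"}]},
    {"RouteTableId": "rtb-scoped", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0ddd0000000000001", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0ddd0000000000001", "State": "blackhole"}]},
]}

if __name__ == "__main__":
    import sys
    # Usage: python3 check_igw.py route-tables.json   (saved CLI output); no argument uses SAMPLE
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for rtb_id, status in evaluate(data).items():
        print(f"{status:5} {rtb_id}")
```

Only `rtb-public` is reported as `alarm`: the NAT-backed default route and the IGW route limited to a specific prefix both pass.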

Step-by-Step Guide for Remediation

To ensure that the VPC route table restricts public access to the IGW for FFIEC, follow these step-by-step instructions:

  1. Identify the FFIEC IP ranges allowed to access the IGW.

  2. Create a new route table specifically for the FFIEC traffic, using the AWS Management Console or the AWS CLI command provided above.

  3. Associate the FFIEC route table with the relevant subnets, using the AWS Management Console or the AWS CLI command given above.

  4. Add a route entry to the FFIEC route table to restrict public access to the IGW: use the provided AWS CLI command, replacing <route-table-id> with the ID of the FFIEC route table, <ffiec-ip-range> with the FFIEC IP range allowed, and <igw-id> with the ID of the Internet Gateway.

  5. Repeat steps 2-4 for all the subnets that should have restricted access to the IGW.

  6. Verify the association and route entries in the VPC route table: use the AWS Management Console or the AWS CLI to confirm that the FFIEC route table is associated with the appropriate subnets and has the desired route entries.

  7. Perform exhaustive testing to ensure that only FFIEC entities can access the public resources via the IGW.

By following these remediation steps, you will successfully configure the VPC route table to restrict public access to the IGW exclusively for FFIEC organizations, providing a secure network environment in compliance with the rule.
