Rule: EC2 Instances Should Be in a VPC
Ensure all EC2 instances are configured within a Virtual Private Cloud (VPC) for improved security and network control.
| Rule | EC2 instances should be in a VPC |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description:
According to NIST 800-171 Revision 2, all EC2 instances should be deployed within a Virtual Private Cloud (VPC) for enhanced security and compliance. This rule ensures that proper isolation and control measures are in place to protect the confidentiality, integrity, and availability of sensitive information processed by EC2 instances.
Troubleshooting:
- 1.
Issue: EC2 instance is not deployed within a VPC. Solution: Create a VPC and migrate the EC2 instance to the VPC using the AWS Management Console or AWS CLI.
- 2.
Issue: Existing EC2 instances are not in a VPC, and migration is not possible. Solution: Terminate the EC2 instances and create new instances within a VPC, ensuring to follow AWS best practices for VPC design and security.
Remediation:
To comply with the NIST 800-171 Revision 2 requirement, follow the step-by-step guide below:
Step 1: Create a VPC
- 1.Log in to the AWS Management Console.
- 2.Navigate to the VPC service.
- 3.Click on "Create VPC."
- 4.Provide a name and CIDR block for the VPC.
- 5.Configure any additional settings as per your requirements.
- 6.Click on "Create."
Step 2: Create Subnets
- 1.Within the VPC console, navigate to "Subnets."
- 2.Click on "Create Subnet."
- 3.Select the appropriate VPC.
- 4.Specify a name for the subnet.
- 5.Choose an availability zone.
- 6.Define the CIDR block for the subnet.
- 7.Click on "Create."
Step 3: Create an Internet Gateway
- 1.Within the VPC console, navigate to "Internet Gateways."
- 2.Click on "Create Internet Gateway."
- 3.Provide a name for the gateway.
- 4.Click on "Create."
- 5.Select the newly created gateway.
- 6.Click on "Actions" and choose "Attach to VPC."
- 7.Select the VPC created in Step 1.
- 8.Click on "Attach."
Step 4: Create a Route Table
- 1.Within the VPC console, navigate to "Route Tables."
- 2.Click on "Create Route Table."
- 3.Provide a name for the route table.
- 4.Select the VPC created in Step 1.
- 5.Click on "Create."
- 6.Select the newly created route table.
- 7.Click on "Actions" and choose "Edit routes."
- 8.Click on "Add route."
- 9.Enter '0.0.0.0/0' as the Destination.
- 10.Choose the internet gateway created in Step 3 as the target.
- 11.Click on "Save routes."
Step 5: Modify Security Groups
- 1.Within the EC2 console, navigate to "Security Groups."
- 2.Select the security group associated with your EC2 instance.
- 3.Click on "Actions" and choose "Edit inbound rules."
- 4.Review and modify the inbound rules as per your requirements to allow necessary traffic.
- 5.Click on "Save rules."
Step 6: Migrate EC2 Instance to VPC (Only for existing instances)
- 1.Within the EC2 console, navigate to "Instances."
- 2.Select the EC2 instance you want to migrate.
- 3.Click on "Actions" and choose "Networking."
- 4.Click on "Change VPC."
- 5.Select the VPC created in Step 1.
- 6.Choose a subnet within the VPC.
- 7.Click on "Change VPC."
Conclusion:
Following the above steps will ensure that all EC2 instances are deployed within a VPC, meeting the NIST 800-171 Revision 2 requirement. Regularly review and update your VPC configurations to adhere to AWS best practices and security guidelines.