
Rule: VPC Route Table Should Restrict Public Access to IGW

This rule ensures that VPC route tables are configured to restrict public access to Internet Gateway.

Rule: VPC route table should restrict public access to IGW
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

The rule requires that VPC route tables do not expose subnets to the Internet through an Internet Gateway (IGW), in line with NIST 800-171 Revision 2. A route for 0.0.0.0/0 (or ::/0 for IPv6) whose target is an IGW makes every subnet associated with that route table a public subnet: any resource in it that holds a public or Elastic IP becomes reachable from the Internet, and all of its outbound traffic leaves through the IGW. Keeping such routes only on subnets that are meant to be public, and off the VPC's main route table (which every subnet without an explicit association falls back to), limits what an exposed or compromised instance can reach and what can reach it.

Troubleshooting Steps:

If instances lose connectivity or the finding persists after restricting public access to the IGW, work through these checks:

  1. Verify IGW configuration: confirm which IGW is attached to the VPC and which route tables reference it. An IGW that is attached but not referenced by any route table exposes nothing.
  2. Verify subnet routing: check which route table each subnet is explicitly associated with, and remember that subnets without an explicit association use the VPC's main route table.
  3. Check route table entries: review every route whose target is the IGW. The 0.0.0.0/0 and ::/0 entries are the ones that make a subnet public; a route to the IGW for a narrower prefix still exposes that prefix.
  4. Security group settings: verify that the security groups on instances in the affected subnets do not allow inbound traffic from 0.0.0.0/0 on ports that are not meant to be public. Security groups are stateful and apply per network interface.
  5. Network ACL settings: review the Network ACL of each affected subnet. NACLs are stateless, so both inbound and outbound rules, including the ephemeral port range for return traffic, must match the intended access.
  6. Other route tables: confirm that no other route table in the VPC, including the main table, still carries a default route to the IGW. An IGW has no policy of its own; the routes that reference it are what determine exposure.

Necessary Codes:

No specific codes are required for this rule.

Remediation Steps:

To remove public access to the IGW from a VPC route table, follow these steps:

  1. Open the AWS Management Console and navigate to the VPC service.
  2. Identify the target VPC, open Route Tables, and select the route table that the check flagged. Note which subnets are associated with it, and whether it is the VPC's main route table, which applies to every subnet without an explicit association.
  3. Confirm that nothing in those subnets is meant to be Internet-facing. A subnet that hosts a NAT gateway or an internet-facing load balancer needs its route to the IGW; in that case move private workloads to a subnet with its own route table instead of deleting the route.
  4. On the Routes tab, delete the default routes that target the IGW: 0.0.0.0/0 for IPv4 and, if present, ::/0 for IPv6. These are the entries that make the subnet public.
  5. If workloads in the subnet still need outbound Internet access (package updates, calls to AWS APIs that have no VPC endpoint), add a 0.0.0.0/0 route whose target is a NAT gateway in a public subnet (or an egress-only internet gateway for ::/0) rather than the IGW. Connections initiated from the Internet are then no longer possible.
  6. Keep the VPC-local route and any routes to VPC endpoints, peering connections or transit gateways, save the changes, and re-run the check.
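As an added example (not part of the Cloud Defense page or its product), the following Python script performs the check the rule describes across every route table and prints the AWS CLI remediation for each hit. It reads the output of `aws ec2 describe-route-tables` from stdin, or falls back to constructed sample data when run interactively; all IDs in the sample and the script name `audit_igw_routes.py` are assumptions.

```python
"""Audit VPC route tables for default routes that target an Internet Gateway.

Added example, not Cloud Defense's own code. It operates on the JSON shape
returned by `aws ec2 describe-route-tables` (and boto3's describe_route_tables),
so a saved dump can be audited offline. The route table, VPC, subnet and
gateway IDs below are constructed sample data.
"""
import json
import sys

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample: one public table, one private table behind a NAT gateway,
# and a VPC main table that leaks IPv6 traffic to the IGW.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0aaa111",
        "VpcId": "vpc-0123",
        "Associations": [{"Main": False, "SubnetId": "subnet-0pub1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-0bbb222",
        "VpcId": "vpc-0123",
        "Associations": [{"Main": False, "SubnetId": "subnet-0priv1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-0ccc333",
        "VpcId": "vpc-0123",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0aaa", "State": "active"},
        ],
    },
]


def public_igw_routes(route_tables):
    """Return one finding per default route (0.0.0.0/0 or ::/0) whose target is an IGW.

    A finding records the route table, the subnets explicitly associated with it and
    whether it is the VPC main table; subnets without an explicit association inherit
    the main table, so a default IGW route there exposes all of them.
    """
    findings = []
    for rt in route_tables:
        associations = rt.get("Associations", [])
        subnets = [a["SubnetId"] for a in associations if a.get("SubnetId")]
        is_main = any(a.get("Main") for a in associations)
        for route in rt.get("Routes", []):
            target = route.get("GatewayId", "")  # NAT routes carry NatGatewayId instead, so they are skipped
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if not target.startswith("igw-") or dest not in (ANY_IPV4, ANY_IPV6):
                continue
            if route.get("State") == "blackhole":  # target is gone; the route no longer forwards
                continue
            findings.append({
                "route_table": rt["RouteTableId"],
                "vpc": rt.get("VpcId"),
                "destination": dest,
                "igw": target,
                "subnets": subnets,
                "main": is_main,
            })
    return findings


def remediation_commands(findings):
    """Build the `aws ec2 delete-route` call that removes each offending route."""
    cmds = []
    for f in findings:
        flag = "--destination-ipv6-cidr-block" if ":" in f["destination"] else "--destination-cidr-block"
        cmds.append(f"aws ec2 delete-route --route-table-id {f['route_table']} {flag} {f['destination']}")
    return cmds


def main():
    # Real data:  aws ec2 describe-route-tables | python audit_igw_routes.py
    tables = SAMPLE_ROUTE_TABLES if sys.stdin.isatty() else json.load(sys.stdin)["RouteTables"]
    findings = public_igw_routes(tables)
    for f, cmd in zip(findings, remediation_commands(findings)):
        where = "main table (all unassociated subnets)" if f["main"] else (", ".join(f["subnets"]) or "no subnets")
        print(f"{f['route_table']}: {f['destination']} -> {f['igw']} exposes {where}")
        print(f"    {cmd}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Findings on the table that serves a NAT gateway or an internet-facing load balancer are expected; record those as documented exceptions rather than running the delete-route command. For a table whose instances still need outbound access, add the NAT gateway route first and only then delete the IGW route, otherwise the subnet loses all Internet connectivity at once.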

With the default routes to the IGW removed from the route tables of subnets that are not meant to be public, the VPC meets this NIST 800-171 Revision 2 control.
