This rule ensures that VPC route tables are configured to restrict public access to the Internet Gateway (IGW).
Rule | VPC route table should restrict public access to IGW
Framework | NIST 800-53 Revision 5
Severity | High
Rule Description: VPC Route Table Restricting Public Access to IGW for NIST 800-53 Revision 5
This rule enforces the restriction of public access to the Internet Gateway (IGW) within a VPC's route table according to the guidelines outlined in NIST 800-53 Revision 5. By implementing this rule, organizations can enhance network security and comply with NIST's recommended security controls.
Troubleshooting Steps:
In the event of issues or errors while implementing this rule, follow these troubleshooting steps:
Verify VPC Configuration: Ensure that the VPC is correctly configured and that an Internet Gateway (IGW) is associated with the VPC.
Check Route Table Association: Confirm that the desired route table is associated with the correct VPC subnets. The route table controls the traffic flow within the VPC.
Review Route Table Entries: Check the existing route table entries to identify any potential conflicts or inconsistencies. Ensure that no routes allow public access to the IGW.
Verify Network ACL Settings: If still encountering issues, verify the Network Access Control List (ACL) settings. Ensure that the ACL does not permit traffic between public subnets and the IGW.
Consult AWS Documentation or Seek Support: If the issue persists, consult the official AWS documentation or reach out to AWS Support for further assistance.
Necessary Codes:
The following AWS CLI commands will assist in implementing this rule:
aws ec2 create-route-table --vpc-id <vpc-id>
aws ec2 associate-route-table --subnet-id <subnet-id> --route-table-id <route-table-id>
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <public-cidr-block> --gateway-id <igw-id>
aws ec2 replace-route --route-table-id <route-table-id> --destination-cidr-block <public-cidr-block> --blackhole
Step-by-Step Guide for Remediation:
Follow these steps to remediate and enforce the VPC route table rule restricting public access to the IGW, in line with NIST 800-53 Revision 5:
Identify the Desired VPC: Identify the VPC for which you want to enforce the route table rule.
Create a New Route Table: Create a new route table using the AWS CLI command mentioned above or through the AWS Management Console. Make note of the generated <route-table-id>.
Associate the Route Table: Associate the newly created route table with the desired subnets within the VPC. Use the AWS CLI command mentioned above or associate it manually through the AWS Management Console. Note the <subnet-id> and <route-table-id>.
Review Existing Routes: Verify the existing routes in the associated route table. Ensure that no existing routes allow public access to the IGW. If any routes permit public access, delete them or modify them to deny access.
Create a Blackhole Route: If no routes deny public access to the IGW, create a blackhole route using the AWS CLI command provided above and replace any routes allowing access to the IGW. Use <route-table-id> and the desired <public-cidr-block> associated with the IGW.
Verify Route Table Configuration: Validate the route table's configuration and verify that it denies public access to the IGW. Check the associated subnets and ensure that they now follow the desired restriction.
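As an added check that is not part of the original page, the following Python reads the JSON returned by `aws ec2 describe-route-tables` and reports, per route table, whether an active route still sends public traffic to an IGW (the "Review Existing Routes" and "Verify Route Table Configuration" steps). Treating 0.0.0.0/0 and ::/0 as the public CIDR blocks is an assumption, and the sample route tables and ids are constructed.

```python
"""Added example (not from the original page): flag routes that send public
traffic to an Internet Gateway. Input is the "RouteTables" list returned by
`aws ec2 describe-route-tables`; treating 0.0.0.0/0 and ::/0 as the public
CIDR blocks is an assumption, and the sample data below is constructed."""
import json

PUBLIC_DESTINATIONS = {"0.0.0.0/0", "::/0"}


def route_destination(route):
    """Destination of a route: IPv4 CIDR, IPv6 CIDR or prefix-list id."""
    return (route.get("DestinationCidrBlock")
            or route.get("DestinationIpv6CidrBlock")
            or route.get("DestinationPrefixListId"))


def find_public_igw_routes(route_tables):
    """(route_table_id, destination, gateway_id) for every active route whose
    destination is public and whose target is an IGW; blackhole routes are skipped."""
    findings = []
    for table in route_tables:
        for route in table.get("Routes", []):
            gateway = route.get("GatewayId", "")
            if (route_destination(route) in PUBLIC_DESTINATIONS
                    and gateway.startswith("igw-")
                    and route.get("State") == "active"):
                findings.append((table["RouteTableId"],
                                 route_destination(route), gateway))
    return findings


def evaluate(describe_output_json):
    """Verdict per route table, mirroring the rule: ALARM if any public route
    targets an IGW, otherwise OK."""
    tables = json.loads(describe_output_json)["RouteTables"]
    flagged = {rtb for rtb, _, _ in find_public_igw_routes(tables)}
    return {t["RouteTableId"]: "ALARM" if t["RouteTableId"] in flagged else "OK"
            for t in tables}


# Constructed sample in describe-route-tables shape; ids are placeholders.
SAMPLE = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-public0001", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"}]},
    {"RouteTableId": "rtb-private001", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "blackhole"}]},
    {"RouteTableId": "rtb-ipv6000001", "Routes": [
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0001", "State": "active"}]}]})
```

Pipe the real CLI output into `evaluate` to get the same ALARM/OK verdict the rule would produce before and after the remediation steps.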
By following these remediation steps, you will successfully enforce the VPC route table rule, restricting public access to the Internet Gateway as recommended by NIST 800-53 Revision 5.