Rule: EC2 Instances Should Be in a VPC

This rule ensures all EC2 instances are placed within a VPC for security and network isolation.

Rule: EC2 instances should be in a VPC
Framework: RBI Cyber Security Framework
Severity: High

Rule Description:

According to the RBI Cyber Security Framework, as applied by this rule, all EC2 instances should be deployed within a Virtual Private Cloud (VPC). The VPC is the network boundary on which AWS enforces your isolation controls: subnet placement, route tables, network ACLs and security groups only apply to resources inside a VPC, so an instance outside one cannot be segmented from the Internet or from other workloads. Note that AWS retired the older EC2-Classic platform in August 2022 and new instances can only be launched into a VPC, so a finding from this rule usually points at a legacy account or stale inventory and should be confirmed by checking the instance's VPC ID.

Troubleshooting Steps (if applicable):

If EC2 instances are not currently deployed within a VPC, follow these troubleshooting steps:

  1. Identify EC2 instances: Use the AWS Management Console or the AWS CLI to list every EC2 instance in the account, in each region you use.

  2. Check VPC configuration: For each instance, examine the "VPC ID" field. An instance with no VPC ID assigned is not within a VPC. Terminated instances keep no network attachment and can be ignored.

  3. Create a VPC: If no suitable VPC is present, create one using the AWS Management Console or AWS CLI. Choose an IP CIDR range that does not overlap with your other VPCs or on-premises networks (AWS requires a block between /16 and /28), and create subnets within the VPC in at least two availability zones.

  4. Migrate EC2 instances to the VPC: An existing instance cannot be moved into a VPC in place, so migration means rebuilding it:

    • Create new EC2 instances within the desired VPC and subnets using the AWS Management Console or AWS CLI. Creating an AMI from the old instance and launching it into the VPC is the usual way to preserve its root volume.
    • Copy any required data, applications, and configurations from the old instances to the new ones, and attach security groups that permit only the traffic the workload needs.
    • Terminate the old instances running outside the VPC only once the new ones have been verified.

  5. Verify VPC association: After migration, confirm that each new instance reports the expected VPC ID and subnet ID.

Necessary Codes (if applicable):

  • Creating a VPC using AWS CLI:
aws ec2 create-vpc --cidr-block <desired_cidr_block>
  • Creating a subnet within a VPC using AWS CLI:
aws ec2 create-subnet --vpc-id <vpc_id> --availability-zone <availability_zone> --cidr-block <desired_subnet_cidr_block>

Step-by-Step Guide for Remediation:

  1. Ensure you have access to the AWS Management Console or AWS CLI, with permission to describe instances and to create VPCs, subnets and instances.

  2. Identify all the EC2 instances running in your account. You can do this by navigating to the EC2 service page on the AWS Management Console, or by running the following AWS CLI command in each region you use:

aws ec2 describe-instances

  3. Check the VPC configuration for each EC2 instance. If any non-terminated instance is not within a VPC (no VPC ID assigned), proceed to the next step.

  4. Create a new VPC if a suitable one doesn't exist. Use the following AWS CLI command, replacing <desired_cidr_block> with the desired IP CIDR range (between /16 and /28, and not overlapping other networks you route to):

aws ec2 create-vpc --cidr-block <desired_cidr_block>

  5. Set up subnets within the VPC for different availability zones. Use the following AWS CLI command, replacing <vpc_id> (returned by the previous command), <availability_zone>, and <desired_subnet_cidr_block> with the respective values. Each subnet block must lie inside the VPC block and must not overlap another subnet:

aws ec2 create-subnet --vpc-id <vpc_id> --availability-zone <availability_zone> --cidr-block <desired_subnet_cidr_block>

  6. Create new EC2 instances within the desired VPC, ensuring they are launched into the correct subnets and availability zones with security groups that allow only the required traffic.

  7. Copy any required data, applications, and configurations from the older instances to the new ones.

  8. Once the migration is complete and verified, terminate the old instances running outside the VPC.

  9. Double-check the VPC association for each EC2 instance to confirm they are within the VPC.
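The audit and planning steps above can be scripted. The following Python example is added here and is not part of the original page or of the Cloud Defense product. It assumes you have saved the JSON output of `aws ec2 describe-instances --output json` to a file (a constructed sample is embedded so it runs offline), flags non-terminated instances whose record carries no VpcId, validates a proposed VPC and subnet layout against the CIDR constraints AWS enforces (/16 to /28, subnets inside the VPC block, no overlap) before any create-vpc or create-subnet call is made, and prints the corresponding CLI commands. The function names, file name and sample instance IDs are illustrative.

```python
"""Audit EC2 instances for VPC membership and sanity-check a VPC/subnet plan.

Added example (not Cloud Defense code). Usage against a real account:
    aws ec2 describe-instances --output json > instances.json
    python audit_vpc.py instances.json 10.0.0.0/16 ap-south-1a=10.0.1.0/24 ap-south-1b=10.0.2.0/24
Without arguments it runs on the constructed sample below.
"""
import ipaddress
import json
import sys

# Constructed sample shaped like `aws ec2 describe-instances` output; not real
# account data. The second instance deliberately has no VpcId so the audit has
# something to flag, and the third is terminated and must be ignored.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111122223333a", "State": {"Name": "running"},
             "VpcId": "vpc-0123456789abcdef0", "SubnetId": "subnet-0123456789abcdef0"},
            {"InstanceId": "i-0bbb444455556666b", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc777788889999c", "State": {"Name": "terminated"}},
        ]},
    ]
})


def instances_outside_vpc(describe_json: str) -> list:
    """Return IDs of non-terminated instances whose record carries no VpcId."""
    data = json.loads(describe_json)
    flagged = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # a terminated instance has no network attachment left
            if not inst.get("VpcId"):
                flagged.append(inst["InstanceId"])
    return flagged


def validate_vpc_plan(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Return a list of problems with a VPC CIDR and the subnets to carve from it.

    An empty list means the plan is valid. The constraints checked are the ones
    AWS enforces: VPC and subnet blocks between /16 and /28, every subnet inside
    the VPC block, and no two subnets overlapping each other.
    """
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return [f"VPC CIDR {vpc_cidr!r} is not a valid network: {exc}"]
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC block {vpc} must be between /16 and /28")
    seen = []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"subnet CIDR {cidr!r} is not a valid network: {exc}")
            continue
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"subnet {net} must be between /16 and /28")
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"subnet {net} is not inside VPC block {vpc}")
        for other in seen:
            if net.version == other.version and net.overlaps(other):
                problems.append(f"subnet {net} overlaps subnet {other}")
        seen.append(net)
    return problems


def remediation_commands(vpc_cidr: str, subnets_by_az: dict) -> list:
    """Emit the create-vpc / create-subnet commands for a validated plan.

    The VPC ID is only known once create-vpc returns, so the subnet commands keep
    the <vpc_id> placeholder; `--query Vpc.VpcId --output text` makes the first
    command print just that ID so it can be captured in a shell variable.
    """
    problems = validate_vpc_plan(vpc_cidr, list(subnets_by_az.values()))
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [f"aws ec2 create-vpc --cidr-block {vpc_cidr} --query Vpc.VpcId --output text"]
    for az, cidr in subnets_by_az.items():
        cmds.append(f"aws ec2 create-subnet --vpc-id <vpc_id> "
                    f"--availability-zone {az} --cidr-block {cidr}")
    return cmds


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            describe_json = fh.read()
        vpc_cidr = sys.argv[2]
        subnets = dict(arg.split("=", 1) for arg in sys.argv[3:])
    else:
        describe_json, vpc_cidr = SAMPLE_DESCRIBE_INSTANCES, "10.0.0.0/16"
        subnets = {"ap-south-1a": "10.0.1.0/24", "ap-south-1b": "10.0.2.0/24"}
    for instance_id in instances_outside_vpc(describe_json):
        print(f"FINDING: {instance_id} is not in a VPC")
    for cmd in remediation_commands(vpc_cidr, subnets):
        print(cmd)
```

Run the script once per region, since describe-instances only returns instances in the region the CLI is configured for. The plan validation is deliberately strict: a subnet CIDR with host bits set, a block outside the /16 to /28 range, or an overlap is rejected before any command is printed, because create-vpc and create-subnet fail on these inputs only after the API call is made.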
