Rule: VPC Route Table Should Restrict Public Access to IGW

This rule ensures VPC route tables restrict public access to Internet Gateways.

Rule: VPC route table should restrict public access to IGW
Framework: CISA-cyber-essentials
Severity: High

Rule Description

This rule checks that VPC route tables do not send default traffic (destination 0.0.0.0/0 or ::/0) straight to an Internet Gateway (IGW). It maps to the CISA Cyber Essentials framework. A route table whose default route targets an IGW makes every subnet associated with it a public subnet: any instance in such a subnet that has a public or Elastic IP is directly reachable from the Internet. Limiting IGW default routes to the few subnets that genuinely need them (internet-facing load balancers, NAT gateways, bastion hosts) keeps the rest of the VPC off the public attack surface.

Troubleshooting Steps

  1. Validate VPC configuration: confirm that the VPC the finding refers to is correctly set up and decide which of its subnets are meant to be public.
  2. Check route tables: list the route tables in the VPC and the subnets each one is associated with. Include the main route table, which applies to every subnet that has no explicit association.
  3. Review the Internet Gateway: check whether an Internet Gateway is attached to the VPC; without one, no route can target it.
  4. Inspect the default route: look for a route with destination 0.0.0.0/0 or ::/0 whose target is the IGW (igw-...). That route is what this rule flags. A default route that targets a NAT gateway or an egress-only internet gateway, or no default route at all, is compliant.
  5. Verify security group and network ACL rules: the route table decides where traffic can go, while security groups and network ACLs decide what is allowed, so confirm that both layers permit only the intended traffic.

Necessary Codes

No code is required for this rule. It is remediated by editing the VPC route table, either in the AWS Management Console (steps below) or with the AWS CLI (aws ec2 replace-route, or aws ec2 delete-route if the subnet needs no outbound Internet access).

Step-by-Step Guide for Remediation

Follow these steps to remediate the issue:

  1. Log in to the AWS Management Console.
  2. Go to the VPC service.
  3. Select the VPC the finding refers to.
  4. Click "Route Tables" in the left-hand menu.
  5. Identify the route table named in the finding and note which subnets are associated with it (see its "Subnet associations" tab).
  6. Review the existing routes in the route table.
  7. Locate the default route, which has a destination of 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
  8. If the target of the default route is an Internet Gateway (igw-...), every associated subnet is public and the route table fails this rule. Before changing the route, confirm that none of those subnets has to stay public: the subnet that hosts a NAT gateway, an internet-facing load balancer or a bastion host needs its IGW route, and the right fix there is to move private workloads into their own subnet with a separate route table rather than to change the route.
  9. Select the default route and click "Edit routes".
  10. Change the target of the default route. For 0.0.0.0/0, use a NAT gateway (instances keep outbound access for updates but are no longer reachable from the Internet) or a proxy endpoint; for ::/0, use an egress-only internet gateway, since NAT gateways do not route IPv6. If the subnet needs no outbound Internet access at all, delete the default route instead.
  11. Save the changes to update the route table.

Note: The specific steps may vary depending on the AWS Management Console version and layout.

Ensure that the modified route table no longer has a default route whose target is the IGW. Validate the change from an instance in an affected subnet: outbound connections through the NAT gateway should still succeed if that is the intent, and inbound connections from the Internet to the instance's public IP should now fail.

Regularly review and monitor the VPC route table settings and associated rules to maintain security and comply with best practices.
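The check and the CLI remediation in one place, as an added example that is not Cloud Defense's own code: the script below applies the condition this rule flags (an active 0.0.0.0/0 or ::/0 route whose target is an igw-*) to the JSON shape returned by aws ec2 describe-route-tables, honours an exemption list for subnets that must stay public, and prints the aws ec2 replace-route command for each finding. The route tables, VPC, IGW and NAT gateway IDs in the embedded sample are made up.

```python
"""Check which VPC route tables send default traffic to an Internet Gateway.

Added example, not Cloud Defense's own check. Pipe live data in with
    aws ec2 describe-route-tables --output json | python3 check_igw_routes.py
or run it with no input to use the constructed sample below (all IDs invented).
"""
import json
import sys

DEFAULT_DESTINATIONS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
SAMPLE_DESCRIBE_ROUTE_TABLES = {
    "RouteTables": [
        {   # public subnet: IPv4 and IPv6 defaults go to the IGW -> flagged
            "RouteTableId": "rtb-0public0000000001",
            "VpcId": "vpc-0example000000001",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example000000001", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example000000001", "State": "active"},
            ],
        },
        {   # private subnet: default goes to a NAT gateway -> compliant
            "RouteTableId": "rtb-0private000000001",
            "VpcId": "vpc-0example000000001",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example000000001", "State": "active"},
            ],
        },
        {   # a single prefix via the IGW is not a default route -> not flagged
            "RouteTableId": "rtb-0partner00000001",
            "VpcId": "vpc-0example000000001",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0example000000001", "State": "active"},
            ],
        },
    ]
}


def find_public_default_routes(describe_output, exempt=frozenset()):
    """Return (route_table_id, destination, igw_id) for every active default
    route whose target is an Internet Gateway. Route tables in `exempt` are
    skipped: those belong to subnets that must stay public (the NAT gateway's
    own subnet, internet-facing load balancer subnets, bastion hosts)."""
    findings = []
    for table in describe_output.get("RouteTables", []):
        table_id = table["RouteTableId"]
        if table_id in exempt:
            continue
        for route in table.get("Routes", []):
            destination = (route.get("DestinationCidrBlock")
                           or route.get("DestinationIpv6CidrBlock"))
            target = route.get("GatewayId", "")  # NAT gateways use NatGatewayId, not GatewayId
            if (destination in DEFAULT_DESTINATIONS
                    and target.startswith("igw-")
                    and route.get("State", "active") == "active"):
                findings.append((table_id, destination, target))
    return findings


def remediation_command(route_table_id, destination, new_target):
    """Build the CLI command that repoints a default route away from the IGW.
    IPv4 defaults go to a NAT gateway (nat-*); IPv6 defaults go to an
    egress-only internet gateway (eigw-*), because NAT gateways do not route IPv6."""
    base = f"aws ec2 replace-route --route-table-id {route_table_id}"
    if destination == "0.0.0.0/0":
        if not new_target.startswith("nat-"):
            raise ValueError("IPv4 default route needs a NAT gateway (nat-*) target")
        return f"{base} --destination-cidr-block 0.0.0.0/0 --nat-gateway-id {new_target}"
    if destination == "::/0":
        if not new_target.startswith("eigw-"):
            raise ValueError("IPv6 default route needs an egress-only IGW (eigw-*) target")
        return (f"{base} --destination-ipv6-cidr-block ::/0 "
                f"--egress-only-internet-gateway-id {new_target}")
    raise ValueError(f"{destination} is not a default route")


def main():
    # Read live describe-route-tables output from stdin when piped; else use the sample.
    data = SAMPLE_DESCRIBE_ROUTE_TABLES if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_public_default_routes(data)
    if not findings:
        print("OK: no route table sends default traffic to an IGW")
        return
    for table_id, destination, igw in findings:
        print(f"FAIL {table_id}: {destination} -> {igw}")
        # Placeholder targets; substitute the real NAT gateway / egress-only IGW IDs.
        placeholder = "nat-REPLACE" if destination == "0.0.0.0/0" else "eigw-REPLACE"
        print("  fix: " + remediation_command(table_id, destination, placeholder))


if __name__ == "__main__":
    main()
```

The exempt set is the important design choice: the subnet that hosts the NAT gateway you are about to route to must itself keep a route to the IGW, so running replace-route against every finding without an exemption list would cut off the NAT gateway and every private subnet behind it.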
