This rule highlights the requirement for EC2 instances to be within a Virtual Private Cloud (VPC) for enhanced security.
| Rule | EC2 instances should be in a VPC |
| Framework | FedRAMP Low Revision 4 |
| Severity | High |
EC2 Instances Should Be in a VPC for FedRAMP Low Revision 4
When deploying Amazon EC2 instances as part of a service offering that needs to comply with Federal Risk and Authorization Management Program (FedRAMP) Low Impact level controls, it is a requirement that all instances are created within a Virtual Private Cloud (VPC). FedRAMP Low requirements aim to safeguard federal information systems against unauthorized access and data breaches.
Rule Description
Any Amazon EC2 instance must be launched within a Virtual Private Cloud (VPC) to ensure enhanced security compliant with the FedRAMP Low Revision 4 guidelines. EC2 instances that are not contained within a VPC are non-compliant and expose the cloud environment to unnecessary risks.
EC2-Classic: Older AWS accounts (created before 4 December 2013) could launch instances outside of a VPC, a mode known as EC2-Classic. This mode does not support the networking and security features available in VPCs that FedRAMP compliance depends on, and AWS retired it in August 2022. Any instance this rule still flags is therefore a legacy resource that must be migrated, not a supported configuration.
VPC Features: VPCs provide features such as security groups, network access control lists (NACLs), dedicated tenancy, and the ability to create private subnets, all of which are important for meeting FedRAMP Low security requirements.
Troubleshooting Steps
To verify compliance and identify any EC2 instances that are not within a VPC, use the following steps.
AWS CLI Commands
The AWS Command Line Interface (CLI) lists every instance in a region together with its VPC ID. describe-instances is regional, so repeat the command with --region for each region in use (adding --output text makes the result easier to grep):
aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId,VpcId]"
Instances that are not in a VPC have no VpcId attribute, so they appear with null (None in text output) in the second column of the output. Every such instance is non-compliant.
Step by Step Guide for Remediation
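Before remediating, you need the list of affected instances. The following script is an added example for this page, not part of the original rule text: it applies the same "no VpcId" check to the JSON that aws ec2 describe-instances prints, so it can be run as `aws ec2 describe-instances --region us-east-1 | python3 find_non_vpc.py`. The sample document embedded in it is constructed for illustration; the instance and VPC IDs are not real.

```python
"""Identify EC2 instances that are outside a VPC from describe-instances output.

Added example for this rule page; not part of the page's original content.
Usage: aws ec2 describe-instances --region <region> | python3 find_non_vpc.py
"""
import json
import sys

# Constructed sample output: a VPC instance, a running instance with no VpcId
# key at all, a stopped instance with an explicit null, and a terminated one.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "VpcId": "vpc-0123456789abcdef0",
             "State": {"Name": "running"}},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "VpcId": None,
             "State": {"Name": "stopped"}},
            {"InstanceId": "i-0ddd444", "State": {"Name": "terminated"}},
        ]},
    ]
})


def non_vpc_instances(describe_output, ignore_terminated=True):
    """Return the IDs of instances that have no VPC, in API order.

    A missing "VpcId" key and an explicit null are both treated as
    non-compliant. Terminated instances stay visible in the API for a
    while but cannot be migrated, so they are skipped by default.
    """
    data = (json.loads(describe_output) if isinstance(describe_output, str)
            else describe_output)
    findings = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name")
            if ignore_terminated and state == "terminated":
                continue
            if not inst.get("VpcId"):
                findings.append(inst["InstanceId"])
    return findings


def non_vpc_from_query_output(query_output):
    """Same check for the rule's --query form, whose JSON output is a list of
    reservations, each a list of [InstanceId, VpcId] pairs (no state there)."""
    return [pair[0]
            for reservation in json.loads(query_output)
            for pair in reservation
            if not pair[1]]


if __name__ == "__main__":
    # Read raw describe-instances JSON from stdin and print one finding per line.
    for instance_id in non_vpc_instances(sys.stdin.read()):
        print(instance_id)
```

Run it once per region; an empty result for every region means the rule passes for the account.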
Here's a step-by-step process to remediate EC2 instances that are not within a VPC:
Migrate Non-VPC EC2 Instances to a VPC:
Create a new VPC: If you don’t already have a compliant VPC, create one using the AWS Management Console or CLI.
aws ec2 create-vpc --cidr-block <your-cidr-block>
Create Subnets: Create one or more subnets within the VPC from the previous step.
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <your-cidr-subnet-block>
Launch a New EC2 Instance within the VPC (the security groups passed in --security-group-ids must belong to the same VPC as the subnet):
aws ec2 run-instances --image-id <ami-id> --count 1 --instance-type <instance-type> --key-name <keypair> --subnet-id <subnet-id> --security-group-ids <sg-ids>
Migrate Data and Configuration: Transfer any necessary data and configurations from the old instance to the new one.
Update DNS and Networking: Adjust your DNS records and networking to point to the new VPC-based instance.
Retire Non-VPC Instance: Once you have confirmed that the new instance is operational, take a final snapshot or AMI of the old instance for rollback purposes, then terminate the EC2 instance that is not in a VPC.
Enforce VPC for All New Instances: Going forward, ensure that all EC2 instances are launched within your VPC by setting user permissions and using AWS Identity and Access Management (IAM) policies.
AWS IAM Policy for Enforcement
To ensure all new instances are launched within a VPC, create an IAM policy that explicitly denies the RunInstances action unless the subnet being launched into belongs to an approved VPC. The ec2:Vpc condition key carries the ARN of the VPC that the subnet (and the network interfaces and security groups) in a launch request belong to, which is where AWS documents its use. Because EC2-Classic has been retired, every RunInstances call targets a subnet, so restricting the subnet's VPC is the effective control. Replace the region, account and VPC placeholders with your approved values; a list of ARNs is accepted to approve several VPCs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLaunchOutsideApprovedVpc",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:subnet/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Vpc": "arn:aws:ec2:<region>:<account-id>:vpc/<approved-vpc-id>"
        }
      }
    }
  ]
}
Do not write this check as a StringEquals comparison of ec2:Vpc against an empty string: a condition key that is absent from the request context never satisfies StringEquals (and a populated key never equals ""), so such a Deny would never take effect.
Attach this policy to every IAM role and user authorized to launch EC2 instances or, to cover principals you might otherwise miss, apply the same Deny statement as a service control policy (SCP) in AWS Organizations. An explicit Deny is evaluated before any Allow, so a broader EC2 permission elsewhere cannot override it. Note that because the statement is scoped to the subnet resource, it only takes effect when a subnet is part of the request, which is the case for every launch now that EC2-Classic is retired. This policy ensures that launching instances outside an approved VPC is not permitted, enforcing a critical layer of compliance with FedRAMP Low Revision 4 standards.
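The difference between the working Deny and the empty-string comparison is easiest to see by evaluating both against sample launch requests. The block below is an added example, not AWS code and not part of the original page: it is a deliberately minimal model of IAM condition evaluation that implements only the StringEquals, StringNotEquals and Null operators and AWS's documented rule for absent keys (StringEquals is not met, StringNotEquals is met, Null:"true" is met). The request contexts, VPC ARNs and account ID are constructed; real IAM evaluates many more keys, wildcards and policy types than this model does.

```python
"""Minimal model of IAM Condition evaluation for a RunInstances Deny.

Added example; not AWS code. It covers only the StringEquals,
StringNotEquals and Null operators and the absent-key rules AWS documents
for them. Every ARN, account ID and request context below is constructed.
"""


def condition_matches(condition, context):
    """All operators and all keys must match (IAM ANDs them together)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            present = key in context
            if operator == "Null":
                # "true" matches when the key is absent, "false" when present
                want_absent = str(allowed[0]).lower() == "true"
                ok = (not present) == want_absent
            elif operator == "StringEquals":
                # An absent key never matches; a present key must equal a value
                ok = present and context[key] in allowed
            elif operator == "StringNotEquals":
                # Negated operator: absent key matches, present key must differ
                ok = (not present) or context[key] not in allowed
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def resource_type_of(arn_pattern):
    """arn:aws:ec2:region:account:type/id -> type (e.g. 'subnet')."""
    return arn_pattern.split(":")[5].split("/")[0]


def deny_applies(statement, action, request):
    """True if this Deny statement blocks `action` for the given request.

    `request` maps each resource type involved in the RunInstances call to
    the condition keys IAM exposes for it; a statement whose Resource type
    is not part of the request is simply not evaluated.
    """
    if statement["Effect"] != "Deny" or statement["Action"] != action:
        return False
    rtype = resource_type_of(statement["Resource"])
    if rtype not in request:
        return False
    return condition_matches(statement.get("Condition", {}), request[rtype])


APPROVED_VPC = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0123456789abcdef0"
OTHER_VPC = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0fedcba9876543210"

# Constructed launch requests: the subnet resource carries the ARN of the
# VPC it belongs to. Whether or not ec2:Vpc is populated for the instance
# resource, a comparison against "" cannot succeed, so it is omitted here.
LAUNCH_APPROVED = {"instance": {"ec2:InstanceType": "t3.micro"},
                   "subnet": {"ec2:Vpc": APPROVED_VPC}}
LAUNCH_OTHER = {"instance": {"ec2:InstanceType": "t3.micro"},
                "subnet": {"ec2:Vpc": OTHER_VPC}}
LAUNCH_NO_SUBNET = {"instance": {"ec2:InstanceType": "t3.micro"}}  # EC2-Classic style

# The empty-string comparison from the original page: never denies anything.
BROKEN = {"Effect": "Deny", "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {"StringEquals": {"ec2:Vpc": ""}}}

# The corrected statement: denies any subnet outside the approved VPC.
FIXED = {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:subnet/*",
         "Condition": {"StringNotEquals": {"ec2:Vpc": [APPROVED_VPC]}}}


def evaluate(statement):
    """Outcome of one statement against the three constructed launches."""
    return {name: deny_applies(statement, "ec2:RunInstances", req)
            for name, req in (("approved", LAUNCH_APPROVED),
                              ("other", LAUNCH_OTHER),
                              ("no_subnet", LAUNCH_NO_SUBNET))}


if __name__ == "__main__":
    print("broken:", evaluate(BROKEN))
    print("fixed: ", evaluate(FIXED))
```

The no_subnet case is included to make the scoping explicit: a statement on the subnet resource is not evaluated when no subnet is in the request, which is why the control relies on EC2-Classic being retired rather than on the Deny itself catching a subnet-less launch.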