This rule ensures that the VPC route table restricts public access to the Internet Gateway (IGW) for enhanced security.
Rule | VPC route table should restrict public access to IGW
Framework | GxP 21 CFR Part 11
Severity | High
Rule Description
The VPC route table should be configured to restrict public access to the Internet Gateway (IGW) for compliance with GxP (Good Clinical Practice) and 21 CFR (Code of Federal Regulations) Part 11 regulations. This rule ensures that sensitive data and systems within the VPC are protected from unauthorized access from the public internet.
Troubleshooting Steps
If there are issues with restricting public access to the IGW, the following troubleshooting steps can be performed:
Check Route Table Configuration: Verify that the VPC route table has the appropriate routing entries to restrict public access to the IGW.
Check IGW Attachment: Ensure that the Internet Gateway is correctly attached to the VPC.
Update Security Groups: Review the security groups associated with resources within the VPC and confirm they are configured to allow access only from trusted sources.
Review Network ACLs: Check the Network ACLs (Access Control Lists) associated with subnets in the VPC and confirm that they do not allow unwanted inbound or outbound access.
Verify Routes: Validate the routes within the route table and ensure that they allow traffic only to and from trusted networks.
Code
The following AWS CLI commands can be used to inspect the VPC route tables and configure them to restrict public access to the IGW. First, identify the VPC and its route tables:
aws ec2 describe-vpcs
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=your-vpc-id"
To remove the default route that sends all traffic (0.0.0.0/0) to the IGW:
aws ec2 delete-route --route-table-id your-route-table-id --destination-cidr-block 0.0.0.0/0
To add a new route that sends only a specific destination range to the IGW:
aws ec2 create-route --route-table-id your-route-table-id --destination-cidr-block your-custom-route --gateway-id your-igw-id
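As an added example (not part of this rule page or of any AWS tooling), the check below parses the JSON that `aws ec2 describe-route-tables` returns, flags every route table whose active default route (0.0.0.0/0 or ::/0) points at an IGW, and emits the matching `delete-route` command from the steps above. The sample output and all resource IDs are constructed; the IPv6 variant uses the AWS CLI's `--destination-ipv6-cidr-block` option.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output;
# assumption: only the fields the check reads are shown, and all IDs are invented.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-0aaa", "VpcId": "vpc-0123",
     "Associations": [{"Main": True}],  # main table: every subnet without its own association uses it
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-0bbb", "VpcId": "vpc-0123",
     "Associations": [{"Main": False, "SubnetId": "subnet-1"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-0ccc", "VpcId": "vpc-0123",
     "Associations": [{"Main": False, "SubnetId": "subnet-2"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"},
         {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0abc", "State": "active"}]},
]})

DEFAULT_ROUTES = ("0.0.0.0/0", "::/0")


def default_igw_routes(describe_output):
    """Flag active routes that send the IPv4 or IPv6 default route to an Internet Gateway.
    A NAT gateway default route is not flagged (outbound only), and a specific CIDR pointed
    at the IGW is the custom route the rule permits."""
    findings = []
    for table in json.loads(describe_output)["RouteTables"]:
        is_main = any(a.get("Main") for a in table.get("Associations", []))
        for route in table.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            target = route.get("GatewayId", "")
            if dest in DEFAULT_ROUTES and target.startswith("igw-") and route.get("State") == "active":
                findings.append({"RouteTableId": table["RouteTableId"], "Destination": dest,
                                 "GatewayId": target, "Main": is_main})
    return findings


def remediation_commands(findings):
    """Build the page's delete-route command per finding; IPv6 routes use the CLI's IPv6 flag."""
    cmds = []
    for f in findings:
        flag = "--destination-ipv6-cidr-block" if ":" in f["Destination"] else "--destination-cidr-block"
        cmds.append(f"aws ec2 delete-route --route-table-id {f['RouteTableId']} {flag} {f['Destination']}")
    return cmds
```

A finding on the main route table matters most, because every subnet without an explicit association inherits it.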
Remediation Steps
To remediate the VPC route table and restrict public access to the IGW, follow these steps:
aws ec2 describe-vpcs
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=your-vpc-id"
aws ec2 delete-route --route-table-id your-route-table-id --destination-cidr-block 0.0.0.0/0
aws ec2 create-route --route-table-id your-route-table-id --destination-cidr-block your-custom-route --gateway-id your-igw-id
Ensure that the custom route only allows traffic from trusted sources to access the IGW.
By following these steps, the VPC route table will be properly configured to restrict public access to the IGW, complying with GxP and 21 CFR Part 11 regulations.