Rule: VPC Internet Gateways Attached to Authorized VPC

This rule states that VPC internet gateways should be attached only to authorized VPCs, since an internet gateway gives a VPC a direct path to and from the public internet.

Rule: VPC internet gateways should be attached to authorized VPCs
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

This rule ensures that VPC (Virtual Private Cloud) internet gateways in an organization's network infrastructure are only attached to authorized VPCs, in compliance with NIST 800-171 Revision 2 guidelines.

Remediation Steps

  1. Identify Internet Gateways: List the existing internet gateways in your AWS environment.

     aws ec2 describe-internet-gateways --region <your_region> --profile <your_profile>

  2. Check Gateway Attachments: Verify the currently attached VPC for each internet gateway (the Attachments list in the output). The AWS CLI command is the plural describe-internet-gateways; narrow it to a single gateway with --internet-gateway-ids.

     aws ec2 describe-internet-gateways --internet-gateway-ids <internet_gateway_id> --region <your_region> --profile <your_profile>

  3. Identify Authorized VPCs: Identify the VPCs that are permitted to have an internet gateway attached, based on your organization's network configuration and security policies.

  4. Detach Unauthorized VPCs from Gateways: For any internet gateway that is attached to an unauthorized VPC, detach it using the following command:

     aws ec2 detach-internet-gateway --internet-gateway-id <internet_gateway_id> --vpc-id <unauthorized_vpc_id> --region <your_region> --profile <your_profile>

  5. Attach Gateways to Authorized VPCs: Attach the internet gateways only to the authorized VPCs using the following command. An internet gateway can be attached to only one VPC at a time, so the detach in step 4 must complete first.

     aws ec2 attach-internet-gateway --internet-gateway-id <internet_gateway_id> --vpc-id <authorized_vpc_id> --region <your_region> --profile <your_profile>

  6. Verify Attachments: Confirm that the internet gateways are now attached to the correct, authorized VPCs.

     aws ec2 describe-internet-gateways --internet-gateway-ids <internet_gateway_id> --region <your_region> --profile <your_profile>
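As an added example (not the page's or CloudDefense's own code), this Python script evaluates the JSON output of the describe-internet-gateways command from step 1 against an allow-list of authorized VPC IDs (step 3) and builds the step 4 detach commands for review. The response payload, the gateway and VPC IDs, and the allow-list are constructed sample values.

```python
"""Evaluate 'aws ec2 describe-internet-gateways' JSON output against an allow-list of VPCs.
Assumes the EC2 DescribeInternetGateways response shape (InternetGateways[].Attachments[].VpcId);
every ID below is a constructed sample value, not a real resource.
"""
import json

# Constructed sample of what `aws ec2 describe-internet-gateways --output json` returns.
SAMPLE_RESPONSE = json.dumps({
    "InternetGateways": [
        {"InternetGatewayId": "igw-0aaa111", "Attachments": [{"State": "available", "VpcId": "vpc-0prod001"}]},
        {"InternetGatewayId": "igw-0bbb222", "Attachments": [{"State": "available", "VpcId": "vpc-0shadow9"}]},
        {"InternetGatewayId": "igw-0ccc333", "Attachments": []},  # created but never attached
    ]
})

# Authorized VPCs (constructed); in practice taken from the network inventory or policy (step 3).
AUTHORIZED_VPCS = {"vpc-0prod001"}

def evaluate_gateways(response_json, authorized_vpcs):
    """Classify every attachment as compliant or non_compliant; unattached IGWs are listed separately."""
    data = json.loads(response_json)
    findings = {"compliant": [], "non_compliant": [], "detached": []}
    for igw in data.get("InternetGateways", []):
        igw_id = igw["InternetGatewayId"]
        attachments = igw.get("Attachments", [])
        if not attachments:
            findings["detached"].append(igw_id)  # no VPC reachable through it, so not a finding
            continue
        for att in attachments:  # an IGW holds at most one attachment, but the API returns a list
            vpc_id = att.get("VpcId")
            bucket = "compliant" if vpc_id in authorized_vpcs else "non_compliant"
            findings[bucket].append((igw_id, vpc_id))
    return findings

def remediation_commands(findings, region="<your_region>", profile="<your_profile>"):
    """Build the step 4 detach command for each unauthorized attachment (review before running)."""
    return [
        f"aws ec2 detach-internet-gateway --internet-gateway-id {igw} --vpc-id {vpc} "
        f"--region {region} --profile {profile}"
        for igw, vpc in findings["non_compliant"]
    ]

if __name__ == "__main__":
    result = evaluate_gateways(SAMPLE_RESPONSE, AUTHORIZED_VPCS)
    for igw, vpc in result["non_compliant"]:
        print(f"NON-COMPLIANT: {igw} is attached to unauthorized {vpc}")
    print("\n".join(remediation_commands(result)))
```

In live use, pipe the real CLI output into evaluate_gateways and keep the generated commands as an audit record alongside the change (see Additional Notes).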
    

Troubleshooting Steps

  • If the describe-internet-gateways command does not return any results, there are no internet gateways in your AWS environment and no further steps are needed for this rule.
  • If the describe-internet-gateways command shows that an internet gateway is already attached to an authorized VPC, no action is required.
  • If the detach or attach commands fail with an error, ensure that you have the IAM permissions needed to modify VPC resources and that the VPC and internet gateway IDs you provided are accurate.

Additional Notes

  • Regularly review and update the authorized VPCs to align with any changes in the organization's network architecture or security requirements.
  • Document the changes made for auditing and future reference purposes.
