Rule: VPC Internet Gateways Attached to Authorized VPC

This rule ensures that VPC internet gateways are attached to authorized VPCs for secure network access.

Rule: VPC internet gateways should be attached to authorized VPCs
Framework: NIST 800-53 Revision 4
Severity: Medium

Rule Description

The rule states that all VPC (Virtual Private Cloud) internet gateways should only be attached to authorized VPCs, in accordance with the NIST 800-53 Revision 4 guidelines. An internet gateway is a horizontally scaled, redundant, and highly available AWS service that allows communication between instances in a VPC and the internet. By ensuring that internet gateways are only attached to authorized VPCs, organizations can maintain control over network access and prevent unauthorized connections.

Troubleshooting Steps

If an internet gateway is found to be attached to an unauthorized VPC, the following troubleshooting steps can be followed:

  1. Identify the unauthorized VPC: Use the AWS Management Console or AWS CLI (Command Line Interface) to list all the VPCs in the account.
  2. Check internet gateway attachments: Locate the internet gateway in question and check its attachments.
  3. Verify VPC authorization: Cross-reference the VPC ID with the list of authorized VPCs to determine if it is authorized.
  4. Detach from unauthorized VPC: If the VPC is unauthorized, detach the internet gateway from it.

Necessary Code

Note: The following code examples assume the usage of AWS CLI.

No specific code is required for this rule as it is a policy-based requirement. However, the following AWS CLI commands can be used for troubleshooting:

  • To list all VPCs:
      aws ec2 describe-vpcs
  • To describe internet gateways:
      aws ec2 describe-internet-gateways
  • To detach an internet gateway from a VPC:
      aws ec2 detach-internet-gateway --internet-gateway-id <gateway-id> --vpc-id <vpc-id>

Step-by-Step Guide for Remediation

  1. Identify the internet gateway: Use the AWS Management Console or AWS CLI to identify the internet gateway that is attached to an unauthorized VPC.

  2. Note the attachments: Verify which VPC the internet gateway is currently attached to. This will be required to detach it later.

  3. Verify authorized VPCs: Cross-reference the VPC ID against the list of VPCs your organization has authorized under its NIST 800-53 Revision 4 controls. Confirm whether the currently attached VPC is authorized.

  4. Detach from unauthorized VPC: If the VPC is unauthorized, detach the internet gateway from it using the AWS CLI command given above in the "Necessary Code" section. Replace <gateway-id> with the actual ID of the internet gateway to detach and <vpc-id> with the ID of the unauthorized VPC.

  5. Attach to authorized VPC: If the VPC is authorized, take no further action. The internet gateway is already compliant with the rule.

  6. Document remediation: Update the necessary documentation to reflect the changes made and record the resolution of this non-compliance issue.

By following these steps, organizations can ensure that internet gateways are only attached to authorized VPCs, thereby adhering to the NIST 800-53 Revision 4 guidelines for network security.
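As an added worked example (not part of the Cloud Defense rule page or of the AWS CLI), the check from the troubleshooting steps and the remediation guide above: it parses the JSON that `aws ec2 describe-internet-gateways` prints, compares each attachment against an organization-maintained allowlist of authorized VPC IDs, and builds the matching detach command from the "Necessary Code" section for every non-compliant attachment. The gateway and VPC IDs in the sample are constructed, and the allowlist is a hypothetical stand-in for your own inventory.

```python
import json

# Constructed sample of `aws ec2 describe-internet-gateways` output; the IDs are
# made up and do not refer to any real account.
SAMPLE_OUTPUT = json.dumps({
    "InternetGateways": [
        {"InternetGatewayId": "igw-0a1b2c3d4e5f60001",
         "Attachments": [{"State": "available", "VpcId": "vpc-0aaa000000000001"}]},
        {"InternetGatewayId": "igw-0a1b2c3d4e5f60002",
         "Attachments": [{"State": "available", "VpcId": "vpc-0ccc000000000009"}]},
        {"InternetGatewayId": "igw-0a1b2c3d4e5f60003",
         "Attachments": []},  # created but never attached: nothing to detach
    ]
})

# Hypothetical organization allowlist of VPCs permitted to carry an internet
# gateway; in practice this comes from your CMDB or infrastructure-as-code inventory.
AUTHORIZED_VPCS = {"vpc-0aaa000000000001", "vpc-0bbb000000000002"}


def find_unauthorized_attachments(describe_output, authorized_vpcs):
    """Return (gateway_id, vpc_id) pairs whose VPC is not on the allowlist.

    `describe_output` is the JSON text printed by `aws ec2 describe-internet-gateways`.
    Gateways with no attachments cannot violate the rule and are skipped.
    """
    findings = []
    for igw in json.loads(describe_output).get("InternetGateways", []):
        for attachment in igw.get("Attachments", []):
            vpc_id = attachment.get("VpcId")
            # An attachment that is still detaching keeps its VpcId; keep reporting
            # it until the attachment is gone rather than trusting the State field.
            if vpc_id and vpc_id not in authorized_vpcs:
                findings.append((igw["InternetGatewayId"], vpc_id))
    return findings


def remediation_commands(findings):
    """Build the detach command from the 'Necessary Code' section for each finding."""
    return [
        f"aws ec2 detach-internet-gateway --internet-gateway-id {igw} --vpc-id {vpc}"
        for igw, vpc in findings
    ]


if __name__ == "__main__":
    hits = find_unauthorized_attachments(SAMPLE_OUTPUT, AUTHORIZED_VPCS)
    for cmd in remediation_commands(hits):
        print(cmd)  # review each command first: detaching removes the VPC's internet path
```

Pipe real output in with `aws ec2 describe-internet-gateways --output json` and only run the printed commands after confirming the VPC is not on your authorized list, since detaching drops internet connectivity for every subnet routed through that gateway.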
