
Rule: VPC Route Table Should Restrict Public Access to IGW

This rule ensures VPC route tables restrict public access to internet gateways.

Rule: VPC route table should restrict public access to IGW
Framework: RBI Cyber Security Framework
Severity: High

VPC Route Table Restriction for RBI Cyber Security Framework

Rule Description

The rule requires that the VPC's route table restricts public access to the Internet Gateway (IGW) in compliance with the RBI Cyber Security Framework. This framework aims to maintain the security and integrity of the banking infrastructure protected by the VPC.

Troubleshooting Steps (if applicable)

If the VPC route table is not set up correctly, it may allow unauthorized access to the Internet Gateway. In such cases, follow these steps to troubleshoot the issue:

  1. Verify that the VPC is correctly associated with the route table.
  2. Ensure that there are no conflicting or overlapping routes in the route table.
  3. Check the VPC's Security Groups and Network Access Control Lists (NACLs) to see if they permit unwanted traffic.
  4. Confirm that the VPC's Internet Gateway is correctly attached and associated with the VPC.

Necessary Code (if applicable)

If the route table needs to be modified to restrict public access to the Internet Gateway, you can use the AWS Command Line Interface (CLI) to set up the appropriate route.

aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <public-subnet-cidr> --gateway-id <igw-id>

Replace <route-table-id> with the ID of the route table to be modified, <public-subnet-cidr> with the CIDR block of the public subnet, and <igw-id> with the ID of the Internet Gateway.

Step-by-Step Guide for Remediation

Follow these steps to configure the VPC route table to restrict public access to the Internet Gateway:

  1. Identify the route table associated with your VPC. You can find this information in the Amazon VPC console.

  2. Verify that the route table does not have any existing routes pointing to the Internet Gateway. If such routes exist, remove them using the following command:

     aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block <public-subnet-cidr>

     Replace <route-table-id> with the ID of the route table and <public-subnet-cidr> with the CIDR block of the public subnet.

  3. Once the existing routes are removed, add a new route to deny public access to the Internet Gateway using the following command:

     aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <public-subnet-cidr> --gateway-id <igw-id>

     Replace <route-table-id> with the ID of the route table, <public-subnet-cidr> with the CIDR block of the public subnet, and <igw-id> with the ID of the Internet Gateway.

  4. Verify that the new route has been added successfully by checking the route table's configuration.

  5. Test connectivity to ensure that public access to the Internet Gateway has been restricted.

  6. Monitor the VPC for any unusual traffic patterns or potential security breaches and report any anomalies as per your organization's incident response plan.

By following the above steps, you will be able to configure your VPC route table to restrict public access to the Internet Gateway in compliance with the RBI Cyber Security Framework.
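As an added example (not the vendor's code), the check behind steps 1 and 4 above: it parses the JSON that `aws ec2 describe-route-tables` prints (a constructed sample with made-up IDs is embedded) and reports each route table whose active default route, 0.0.0.0/0 or ::/0, targets an Internet Gateway, together with the subnets that use it. Because a route table has no deny entries, restriction means such a route is simply absent, including from the VPC's main route table, which every subnet without an explicit association inherits.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output;
# every ID and CIDR here is made up for the example.
SAMPLE_OUTPUT = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-web", "VpcId": "vpc-example",
     "Associations": [{"SubnetId": "subnet-web", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-db", "VpcId": "vpc-example",
     "Associations": [{"SubnetId": "subnet-db", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
    {"RouteTableId": "rtb-main", "VpcId": "vpc-example",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-example", "State": "active"}]},
]})

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}  # a default route to an IGW makes the subnet public


def igw_default_routes(route_table):
    """Yield (destination, igw_id) for each active default route whose target is an IGW."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        target = route.get("GatewayId", "")  # NAT routes use NatGatewayId, so this stays empty
        if dest in DEFAULT_ROUTES and target.startswith("igw-") and route.get("State") == "active":
            yield dest, target


def find_violations(describe_output):
    """One finding per route table that sends default traffic to an IGW. A main
    table is marked implicit: subnets with no explicit association inherit it."""
    findings = []
    for table in json.loads(describe_output)["RouteTables"]:
        routes = list(igw_default_routes(table))
        if not routes:
            continue
        assocs = table.get("Associations", [])
        findings.append({
            "route_table": table["RouteTableId"],
            "routes": routes,
            "subnets": sorted(a["SubnetId"] for a in assocs if a.get("SubnetId")),
            "implicit": any(a.get("Main") for a in assocs),
        })
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_OUTPUT):
        print(finding)
```

Pipe real output in with `aws ec2 describe-route-tables | python3 check_igw_routes.py` after swapping the sample for `sys.stdin.read()`; a finding on the main table deserves attention first, since its reach is every subnet without its own association.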
