Amazon EC2

Detect EC2 Classic Instances

This plugin ensures the EC2 instances are using AWS VPC instead of the EC2 classic environment.

Risk Level: Low

Description

This plugin ensures that EC2 instances are launched into an AWS VPC rather than the EC2-Classic environment. VPCs are the current and more secure way of launching AWS resources. EC2-Classic should not be used.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With Amazon EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without having to provision hardware yourself. Security groups act as a firewall for an EC2 instance, controlling its incoming and outgoing traffic. You can read more about security groups here.

Impact

EC2-Classic networking is the legacy method of creating an instance. Amazon Virtual Private Cloud (VPC) is currently the more secure method of creating an instance. Therefore, it is recommended to migrate all EC2 instances to a VPC.

Steps to Reproduce

Using AWS Console-

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. If you are already logged in, you can use this link (https://console.aws.amazon.com/ec2) to navigate there directly.
  3. Select Instances under the Instances section in the left navigation pane.
  4. From the list of instances, choose one by clicking on its Instance ID.
  5. Check the VPC ID and Subnet ID. If both are blank, the instance is running in EC2-Classic and the vulnerability exists.
  6. Repeat steps 4 to 5 for all the instances you want to investigate.
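The same check as step 5, done programmatically over the output of the EC2 DescribeInstances API: an EC2-Classic instance has no VpcId or SubnetId in its description, just as the console shows blank columns. This is an added example, not the plugin's own code; the instance IDs and the response below are constructed sample data, and the live path assumes boto3 with working AWS credentials.

```python
def find_classic_instances(describe_instances_response):
    """Return [(instance_id, state)] for instances not attached to a VPC.

    Accepts the dict shape returned by EC2 DescribeInstances:
    {"Reservations": [{"Instances": [{...}, ...]}, ...]}.
    EC2-Classic instances omit VpcId and SubnetId entirely, so a missing
    or empty value for both is treated as EC2-Classic.
    """
    classic = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if not inst.get("VpcId") and not inst.get("SubnetId"):
                classic.append((inst["InstanceId"], inst["State"]["Name"]))
    return classic


# Constructed sample (not real AWS output): one VPC instance, one classic
# instance with the keys absent, one classic instance with empty strings.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
             "VpcId": "vpc-0bbbbbbbbbbbbbbb1", "SubnetId": "subnet-0ccccccccccccccc1"},
            {"InstanceId": "i-0aaaaaaaaaaaaaaa2", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "State": {"Name": "stopped"},
             "VpcId": "", "SubnetId": ""},
        ]},
    ]
}


if __name__ == "__main__":
    # Live use: page through DescribeInstances for the configured region.
    # Falls back to the constructed sample when boto3/credentials are absent.
    try:
        import boto3
        pages = boto3.client("ec2").get_paginator("describe_instances").paginate()
        resp = {"Reservations": [r for p in pages for r in p["Reservations"]]}
    except Exception:  # ImportError, missing credentials, or API error
        resp = SAMPLE_RESPONSE
    for instance_id, state in find_classic_instances(resp):
        print(f"{instance_id}\t{state}\tEC2-Classic (no VPC)")
```

Run it once per region; DescribeInstances is region-scoped, so a single call does not cover the whole account.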

Steps for Remediation

Migrate instances from EC2-Classic to a VPC.

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. If you are already logged in, you can use this link (https://console.aws.amazon.com/ec2) to navigate there directly.
  3. Select Instances under the Instances section in the left navigation pane.
  4. From the list of instances, choose the vulnerable instance by clicking on its Instance ID.
  5. Before migrating the instance to a VPC, create an AMI of it as a backup. You can also create a backup of the EBS volume.
  6. Go to Actions menu > Image and templates > Create image.
  7. Specify the name of the AMI and create the image.
  8. Click on Launch Instance to create a new EC2 instance.
  9. From the left navigation menu, select My AMIs.
  10. Select the AMI you just created from the vulnerable instance.
  11. Move to Step 3 - Configure Instance Details and specify the VPC and subnet for the EC2 instance.
  12. Configure the remaining details for the instance and launch it.
  13. Once the new instance is verified, delete the original insecure instance.
  14. Repeat these steps for all vulnerable instances.