Amazon EC2

VPC Multiple Subnets

This plugin ensures that VPCs have multiple subnets to provide a layered architecture

Risk Level: Low

Description

This plugin ensures that VPCs have multiple subnets to provide a layered architecture. It is recommended that VPCs should be designed to have separate public and private subnets, along with different availability zones. 

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With the EC2 instance, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the hardware needs of the process. Security Groups act as a firewall for an EC2 instance to control the incoming and outgoing traffic. You can read more about security groups here.

Impact

Various services reside in a Virtual Private Cloud (VPC). As per the requirement, these services must either face the public or private side of the infrastructure. Therefore, there is a need for at least two subnets in a VPC. As a good infrastructural design measure, the VPCs must have separate public and private subnets.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
  3. Move to the Your VPCs in the Virtual Private Cloud section from the left navigation pane.
  4. You will find a list of VPCs available. Select the one you wish to examine by copying the VPC ID.
  5. Move to the Subnets section from the left navigation pane. 
  6. Click on the Filter Search bar. Select VPC and paste the VPC ID. A list of subnets associated will appear. If it is less than 2, the vulnerability exists.
  7. Repeat steps for all the VPC Endpoints you want to investigate.

Steps for Remediation

Create at least two subnets in each VPC, utilizing one for public traffic and the other for private traffic:

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
  3. Move to the Subnets in the Virtual Private Cloud section from the left navigation pane.
  4. Click on Create Subnet.
  5. From the drop-down menu, select the vulnerable VPC ID. Fill in the additional details as per requirement and click on Create Subnet.
  6. Repeat steps for all the vulnerable VPC Endpoints.