Amazon EC2

VPC Subnet Instances Present

This plugin ensures that there are instances attached to every subnet

Risk Level: Low

Description

This plugin checks that every subnet has at least one EC2 instance attached. All subnets should have instances associated with them. Unused subnets still count towards the per-account subnet limit, and exceeding that limit could prevent new resources from launching, which makes it difficult to scale your infrastructure properly.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without having to provision the underlying hardware. Security Groups act as a firewall for an EC2 instance, controlling its incoming and outgoing traffic. You can read more about security groups in the AWS documentation.

Impact

If the number of subnets exceeds the account limit, new subnets cannot be created. This can block scaling up your infrastructure. Therefore, it is recommended to delete subnets that have no instances attached.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if you are already logged in.
  3. Go to Subnets in the Virtual Private Cloud section of the left navigation pane.
  4. From the list of subnets, copy the Subnet ID you wish to investigate.
  5. Now switch to the EC2 dashboard and go to Instances in the Instances section of the left navigation pane.
  6. In the Filter bar, type Subnet ID and then paste the subnet ID copied before. A list of instances associated with the subnet will appear. If no instances are displayed, the vulnerability exists.
  7. Repeat these steps for all the subnets you want to investigate.
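The same check, done programmatically rather than by filtering the console: an added example written for this page, not the plugin's own code. It maps every EC2 instance to its subnet from a describe_instances response and reports each subnet from describe_subnets that has none; the sample responses are constructed, and the optional live scan assumes boto3 and configured AWS credentials.

```python
from collections import defaultdict

# Constructed sample responses, in the shape returned by
# ec2.describe_subnets() and ec2.describe_instances() (not a real account).
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0111", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0111", "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0222", "CidrBlock": "10.1.1.0/24"},
]}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-01", "SubnetId": "subnet-0aaa", "State": {"Name": "running"}},
    {"InstanceId": "i-02", "SubnetId": "subnet-0bbb", "State": {"Name": "terminated"}},
]}]}


def instances_by_subnet(describe_instances, ignore_terminated=True):
    """Map SubnetId -> [InstanceId, ...] from a describe_instances response.
    Terminated instances are still listed for a while but no longer occupy
    the subnet, so they are skipped by default."""
    result = defaultdict(list)
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if ignore_terminated and inst.get("State", {}).get("Name") == "terminated":
                continue
            subnet = inst.get("SubnetId")  # may be absent once the ENI is gone
            if subnet:
                result[subnet].append(inst["InstanceId"])
    return result


def find_empty_subnets(describe_subnets, describe_instances):
    """Return one finding per subnet that has no (non-terminated) instance."""
    used = instances_by_subnet(describe_instances)
    return [
        {"SubnetId": s["SubnetId"], "VpcId": s.get("VpcId"),
         "CidrBlock": s.get("CidrBlock"), "status": "FAIL"}
        for s in describe_subnets.get("Subnets", []) if not used.get(s["SubnetId"])
    ]


def scan_region(region_name):
    """Run the check against a live account; paginators collect every page."""
    import boto3  # imported here so the pure functions above run without boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    subnets = ec2.get_paginator("describe_subnets").paginate().build_full_result()
    instances = ec2.get_paginator("describe_instances").paginate().build_full_result()
    return find_empty_subnets(subnets, instances)


if __name__ == "__main__":
    for f in find_empty_subnets(SAMPLE_SUBNETS, SAMPLE_INSTANCES):
        print(f"{f['SubnetId']} ({f['VpcId']}, {f['CidrBlock']}): no instances attached")
```

The check looks only at EC2 instances, so a flagged subnet may still hold network interfaces from other services such as load balancers, NAT gateways or RDS; AWS refuses to delete a subnet while any interface remains in it, so review those before remediating.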

Steps for Remediation

Follow these steps to delete the unused VPC Subnets:

  1. Log in to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if you are already logged in.
  3. Go to Subnets in the Virtual Private Cloud section of the left navigation pane.
  4. From the list of subnets, select the vulnerable subnet by clicking the checkbox next to its Subnet ID.
  5. From the Actions menu, click Delete subnet.
  6. Repeat these steps for all the vulnerable subnets.