Description:

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. We recommend this scenario if you want to run a public-facing web application while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.


Rationale:

Instances in a public subnet can send outbound traffic directly to the internet through the VPC's internet gateway and, if they carry a public or Elastic IP address, can also receive inbound connections from it. Instances in a private subnet cannot reach the internet directly; they reach it through a network address translation (NAT) gateway that resides in the public subnet. The NAT gateway only forwards connections that the instances themselves initiate, so the database servers can fetch software updates, but nothing on the internet can open a connection to them. Ensure that no back-end EC2 instances are provisioned in public subnets, so that they are not exposed to the Internet.


Impact:

Provisioning EC2 instances within a private subnet (a logically isolated section of the VPC whose route table has no route to an internet gateway) prevents them from receiving inbound traffic initiated from the Internet, and therefore gives a stronger guarantee that malicious requests cannot reach them. This is a network-layer control that complements security group rules rather than replacing them: traffic from the public subnet (for example, from a compromised web server) can still reach the private subnet and must be restricted by the security groups of the back-end instances.


Default Value:

By default, every subnet in the default VPC is public: its route table contains a 0.0.0.0/0 route to the VPC's internet gateway, and its auto-assign public IPv4 address setting is enabled, so instances launched into it without an explicit subnet choice receive a public IP address and are reachable from the Internet (subject to their security group rules).


Audit:

Step 1: Sign into the AWS Management Console.

Step 2: Open the EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click on Instances in the left navigation pane

Step 4: Select the EC2 instance that you want to examine. 

Step 5: Select the Details tab (labelled Description in the older console) from the dashboard bottom panel.

Step 6: In the left column, identify the Subnet ID attribute and copy its value.  

Step 7: Go to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.  

Step 8: Click on Subnets in the navigation pane.

Step 9: Paste the subnet ID copied earlier into the dashboard search box and press Enter.

Step 10: Select the VPC subnet returned as the result and click the Route Table tab. This tab shows the table that actually governs the subnet, which is the VPC's main route table when the subnet has no explicit association, a case that is easy to miss when checking route tables by hand. If the route table contains a route with the destination 0.0.0.0/0 (or ::/0 for IPv6) whose target is an Internet Gateway (e.g. igw-xxxxxxxx):

The selected instance was provisioned inside a public subnet and is therefore not running within a logically isolated environment. A default route whose target is a NAT gateway (nat-xxxxxxxx) or an egress-only internet gateway (eigw-xxxxxxxx) carries only outbound-initiated traffic and does not make the subnet public.
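The manual audit above does not scale past a handful of instances. The following script is an added example (not part of the original page or of any AWS tooling) that applies the same check to the JSON returned by `aws ec2 describe-route-tables` and `aws ec2 describe-instances`: it resolves each instance's subnet to the route table that governs it (falling back to the VPC main table when there is no explicit association) and flags instances whose table has a default route to an internet gateway, while ignoring NAT gateway and egress-only gateway routes. All resource IDs and the sample route tables and instances below are constructed for illustration.

```python
"""Flag EC2 instances that sit in a public subnet, using the JSON shapes that
`aws ec2 describe-route-tables` and `aws ec2 describe-instances` return.
A subnet is public when the route table governing it has a default route
(0.0.0.0/0 or ::/0) whose target is an internet gateway (igw-...)."""
import json
import sys

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def is_internet_route(route):
    """True for an active default route targeting an internet gateway.
    NAT gateways (NatGatewayId) and egress-only IGWs (EgressOnlyInternetGatewayId)
    only carry outbound-initiated traffic, so they do not count."""
    dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
    target = route.get("GatewayId") or ""
    active = route.get("State", "active") == "active"
    return dest in DEFAULT_ROUTES and target.startswith("igw-") and active


def index_route_tables(route_tables):
    """Map subnet-id -> explicitly associated table and vpc-id -> main table.
    A subnet with no explicit association is governed by its VPC's main table."""
    explicit, main = {}, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main[rt["VpcId"]] = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return explicit, main


def is_public_subnet(subnet_id, vpc_id, explicit, main):
    """Return (is_public, governing route table id) for a subnet."""
    rt = explicit.get(subnet_id) or main.get(vpc_id)
    if rt is None:
        return False, None
    return any(is_internet_route(r) for r in rt.get("Routes", [])), rt["RouteTableId"]


def find_public_instances(route_tables, reservations):
    """Return one finding per instance whose subnet is public."""
    explicit, main = index_route_tables(route_tables)
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if "SubnetId" not in inst:  # e.g. terminated instances have no subnet
                continue
            public, rt_id = is_public_subnet(inst["SubnetId"], inst["VpcId"], explicit, main)
            if public:
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "SubnetId": inst["SubnetId"],
                    "RouteTableId": rt_id,
                    # Public subnet plus public IP means directly reachable; without a
                    # public IP the instance is still one setting away from exposure.
                    "PublicIpAddress": inst.get("PublicIpAddress"),
                })
    return findings


# Constructed sample data mimicking the CLI output (not real AWS resources).
SAMPLE_ROUTE_TABLES = [
    {   # main table of the VPC: default route to an IGW, so every subnet
        # without an explicit association is public
        "RouteTableId": "rtb-main0001", "VpcId": "vpc-0001",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main0001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"},
        ],
    },
    {   # private table: default routes via a NAT gateway and an egress-only IGW
        "RouteTableId": "rtb-priv0001", "VpcId": "vpc-0001",
        "Associations": [{"Main": False, "SubnetId": "subnet-priv01", "RouteTableId": "rtb-priv0001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0001", "State": "active"},
        ],
    },
]

SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-web00001", "VpcId": "vpc-0001", "SubnetId": "subnet-pub01",
     "PublicIpAddress": "203.0.113.10"},   # no explicit association -> main table -> public
    {"InstanceId": "i-db000001", "VpcId": "vpc-0001", "SubnetId": "subnet-priv01"},
]}]

if __name__ == "__main__":
    # Usage: aws ec2 describe-route-tables > rt.json
    #        aws ec2 describe-instances   > inst.json
    #        python audit_public_subnets.py rt.json inst.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            route_tables = json.load(f)["RouteTables"]
        with open(sys.argv[2]) as f:
            reservations = json.load(f)["Reservations"]
    else:
        route_tables, reservations = SAMPLE_ROUTE_TABLES, SAMPLE_RESERVATIONS
    for finding in find_public_instances(route_tables, reservations):
        print(finding)
```

Run without arguments it evaluates the embedded sample and reports only i-web00001; run against the two CLI dumps it reports every instance in the region that fails the Step 10 check. Run it once per region, since both CLI calls are region-scoped.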


Remediation:

Pre-Requisite:

  • Sign in as an administrator, or as an IAM user or role with the required EC2 permissions (at least ec2:Describe*, ec2:CreateImage, ec2:RunInstances and ec2:TerminateInstances)

  • Take a snapshot of the instance's EBS volumes (or an AMI) as a backup before making changes


Implementation Steps: 

Step 1: Sign into the AWS Management Console.

Step 2: Create an image of the EC2 instance that you want to migrate. To create the Amazon Machine Image (AMI), perform the following:

  1. Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/

  2. Click on Instances in the left navigation pane

  3. Select the instance that you want to migrate

  • To take an image, follow these steps:

    • Click on the Actions button, select Image and templates, and click on Create image

    • Provide the details for the image (name, description, etc.)

      Note: Leave No reboot unchecked. With it unchecked, EC2 shuts the instance down briefly while the volume snapshots are taken, so the image is file-system consistent; with it checked, the snapshots are taken from the running instance and may not be consistent.

    • Click on Create image

Step 3: Once the Amazon Machine Image is ready (its state is Available), use it to relaunch the selected back-end instance within a private subnet of your VPC. Note that the replacement is a new instance with a new instance ID and a new private IP address, so DNS records, load balancer target groups, application configuration and any security group rules that reference the old instance must be updated; data on instance store volumes is not captured in the AMI and must be copied separately. To launch the instance, perform the following actions:

  • Click on AMIs in the left navigation pane

  • Select the image you just created and click on Launch

  • On the Choose an Instance Type page, select the same instance type used by the source instance, then click the Next: Configure Instance Details button.
  • On the Configure Instance Details page, select the private subnet that you want to use from the Subnet dropdown list, set Auto-assign Public IP to Disable, and configure the other options on the page based on the attributes of your running back-end instance.
    Note: Use an existing private subnet if one exists, or create a new one (a subnet whose route table has no route to an internet gateway).

  • Click Next: Add Tags, add tags as per your requirement

  • Choose Select an existing security group and select the security group attached to the source EC2 instance, on Configure Security Groups.

  • Click the Review and Launch button, review your instance configuration details and click Launch.

  • In the Select an existing key pair or create a new key pair dialog box, choose Select an existing key pair and pick the same key pair as the source instance. Check the I acknowledge that I have access to the selected private key file option, then click Launch Instances.

Step 4: Once the new instance is running and you have verified that the application works from the private subnet, terminate the source instance (note that terminating deletes any EBS volume whose Delete on termination flag is set, which is the default for the root volume):

  1. Click on Instances in the left navigation pane

  2. Select the source instance that you want to terminate.

  3. Click Actions, select Instance State, and click Terminate.

  4. In the Terminate Instances confirmation box, review the instance details, then click Yes, Terminate.
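The same four steps, scripted with boto3 so they can be repeated for many instances, as an added example that is not part of the original page or of any AWS tooling. The `build_launch_params` function derives the `run_instances` arguments from the source instance (same type, key pair, security groups, instance profile and tags) and forces `AssociatePublicIpAddress` off through a `NetworkInterfaces` entry, which is the one place the public-IP setting can be pinned regardless of the subnet's auto-assign default. The AMI name and the sample instance below are assumptions for illustration; the boto3 calls (`create_image`, `get_waiter`, `run_instances`, `terminate_instances`) are real SDK methods.

```python
"""Re-launch an EC2 instance from an AMI into a private subnet, following the
console procedure: create an image (with reboot), wait for it, launch the
replacement with the same type, key pair and security groups but no public IP,
then terminate the source only once the replacement is running."""


def build_launch_params(source, image_id, private_subnet_id):
    """Translate a describe_instances 'Instance' dict into run_instances kwargs.
    Subnet, security groups and the public-IP setting go into NetworkInterfaces;
    they cannot be combined with top-level SubnetId/SecurityGroupIds."""
    params = {
        "ImageId": image_id,
        "InstanceType": source["InstanceType"],
        "MinCount": 1,
        "MaxCount": 1,
        "NetworkInterfaces": [{
            "DeviceIndex": 0,
            "SubnetId": private_subnet_id,
            "Groups": [sg["GroupId"] for sg in source.get("SecurityGroups", [])],
            "AssociatePublicIpAddress": False,
        }],
    }
    if source.get("KeyName"):
        params["KeyName"] = source["KeyName"]
    if "IamInstanceProfile" in source:
        params["IamInstanceProfile"] = {"Arn": source["IamInstanceProfile"]["Arn"]}
    # Tags in the reserved aws: namespace cannot be set by callers, so drop them.
    tags = [t for t in source.get("Tags", []) if not t["Key"].startswith("aws:")]
    if tags:
        params["TagSpecifications"] = [{"ResourceType": "instance", "Tags": tags}]
    return params


def migrate_to_private_subnet(instance_id, private_subnet_id, region_name=None,
                              terminate_source=False):
    """Perform the migration against AWS. boto3 is imported here so that
    build_launch_params stays usable (and testable) without the SDK."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    source = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

    # Step 2: image with reboot (NoReboot=False) for a consistent file system.
    image_id = ec2.create_image(
        InstanceId=instance_id,
        Name=f"{instance_id}-private-subnet-migration",   # assumed naming scheme
        Description=f"Pre-migration image of {instance_id}",
        NoReboot=False,
    )["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[image_id])

    # Step 3: launch the replacement in the private subnet.
    launched = ec2.run_instances(**build_launch_params(source, image_id, private_subnet_id))
    new_id = launched["Instances"][0]["InstanceId"]
    ec2.get_waiter("instance_running").wait(InstanceIds=[new_id])

    # Step 4: terminate the source only after the replacement is up, and only
    # when explicitly requested, so the operator can verify the application first.
    if terminate_source:
        ec2.terminate_instances(InstanceIds=[instance_id])
    return new_id


# Constructed sample 'Instance' dict in the shape of describe-instances output.
SAMPLE_SOURCE = {
    "InstanceId": "i-0db00001", "InstanceType": "t3.medium", "KeyName": "backend-key",
    "SecurityGroups": [{"GroupId": "sg-0db00001", "GroupName": "db-sg"}],
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/db-role"},
    "Tags": [{"Key": "Name", "Value": "db-1"},
             {"Key": "aws:cloudformation:stack-name", "Value": "backend"}],
}

if __name__ == "__main__":
    # Dry run: show the launch parameters that would be sent for the sample instance.
    print(build_launch_params(SAMPLE_SOURCE, "ami-0example", "subnet-priv01"))
```

Call `migrate_to_private_subnet("i-...", "subnet-...")` with credentials for the account; it returns the new instance ID and leaves the source running until you call it again with `terminate_source=True` (or terminate from the console) after the application has been checked from its new address.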


Backout plan:

The subnet of an existing instance cannot be changed in place. To move the instance back to its original subnet (or to any other subnet), repeat the implementation steps above and choose the required subnet, or relaunch from the AMI or snapshot taken as a pre-requisite; the original instance remains available until it is terminated in Step 4.


Reference:

VPC with public and private subnets (NAT) - Amazon Virtual Private Cloud 

Default VPC and default subnets - Amazon Virtual Private Cloud