Profile Applicability:

  • Level 1

Description:

VPC (Virtual Private Cloud) in AWS is used to isolate and manage your cloud resources. Within a VPC, subnets are used to divide the network space. Public subnets are used for resources that need direct access to the internet, such as web servers, load balancers, etc., while private subnets are used for resources that should not be directly accessible from the internet, such as databases, internal application servers, etc. This SOP ensures that every VPC has both public and private subnets defined, allowing for better security and resource organization.

Rationale:

Creating both public and private subnets within a VPC helps to segregate resources based on their accessibility requirements:

  • Public subnets are used for resources that need direct internet access (e.g., load balancers, bastion hosts).

  • Private subnets are used for internal resources that should be protected from the internet (e.g., application servers, databases). This setup helps with better security and traffic management, ensuring that sensitive resources are isolated from external access.

Impact:

Pros:

  • Improved Security: Sensitive resources in private subnets are not exposed to the internet.

  • Better Traffic Management: Resources that need internet access can reside in public subnets, while private resources are kept within internal subnets.

  • Compliance: Helps meet network segmentation requirements in various compliance frameworks like PCI-DSS, SOC 2, etc.

Cons:

  • Increased Complexity: Additional configuration is needed for routing and access controls.

  • Cost: NAT Gateways or VPN connections may be required for private subnets to access the internet, which adds additional costs.

Default Value:

By default, VPCs do not have public and private subnets defined. You need to explicitly create both types of subnets when setting up the VPC.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeVpcs

    • ec2:DescribeSubnets

    • ec2:CreateSubnet

    • ec2:ModifyVpcAttribute

  • AWS CLI installed and configured.

  • Basic knowledge of VPC design, subnetting, and AWS networking.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to VPC under Services.

  3. In the VPC Dashboard, select Your VPCs.

  4. For each VPC, ensure it contains:

    • At least one public subnet (with Auto-assign Public IP enabled).

    • At least one private subnet (with Auto-assign Public IP disabled).

  5. Check the Route Tables:

    • Public subnets should have a route to an Internet Gateway.

    • Private subnets should have a route to a NAT Gateway or VPN connection for outbound traffic.

Using AWS CLI:

To list all VPCs and their associated subnets, run:

aws ec2 describe-vpcs --query 'Vpcs[*].VpcId'
aws ec2 describe-subnets --query 'Subnets[*].{SubnetId:SubnetId,VpcId:VpcId,MapPublicIpOnLaunch:MapPublicIpOnLaunch}'

Review the MapPublicIpOnLaunch attribute:

  • For public subnets, MapPublicIpOnLaunch should be true.

  • For private subnetsMapPublicIpOnLaunch should be false.

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console 

  2. Navigate to VPC.

  3. In the VPC Dashboard, choose Subnets under the Virtual Private Cloud section.

  4. Review each VPC to ensure that both public and private subnets exist.

  5. If public subnets are missing, click Create Subnet and select a public subnet configuration (enable Auto-assign Public IP).

  6. If private subnets are missing, click Create Subnet and select a private subnet configuration (disable Auto-assign Public IP).

  7. For public subnets, ensure there is a route to the Internet Gateway in the Route Table.

  8. For private subnets, ensure there is a route to the NAT Gateway in the Route Table.

Using AWS CLI:

To create a public subnet, run the following command:

aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <cidr-block> --availability-zone <zone> --map-public-ip-on-launch

To create a private subnet, run:

aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <cidr-block> --availability-zone <zone> --no-map-public-ip-on-launch

To associate a public subnet with an Internet Gateway, create a route:

aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0 --gateway-id <internet-gateway-id>

To associate a private subnet with a NAT Gateway, create a route:

aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0 --nat-gateway-id <nat-gateway-id

Verify the subnet creation and routing:

aws ec2 describe-subnets --query 'Subnets[*].{ID:SubnetId,VpcId:VpcId,MapPublicIpOnLaunch:MapPublicIpOnLaunch}'

Backout Plan:

If creating or modifying subnets results in misconfigurations:

Identify the affected subnet and route tables.

Delete the misconfigured subnet:

aws ec2 delete-subnet --subnet-id <subnet-id>

Revert any changes to route tables that were incorrectly applied:

aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0

Verify that the VPC and its subnets are functioning correctly.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.