Profile Applicability:
Level 1
Description:
A VPC (Virtual Private Cloud) for Amazon Workspaces is used to provision and manage isolated environments for Workspaces instances. To meet best practices for high availability and security, the Workspaces VPC should have a specific architecture:
1 Public Subnet for resources that require direct internet access, such as NAT Gateway.
2 Private Subnets for secure internal resources, such as Workspaces instances, which do not require direct internet access.
A NAT Gateway in the public subnet to allow private subnets to access the internet for necessary updates, downloads, etc., without exposing them directly to the internet.
This SOP ensures that your Amazon Workspaces VPC is deployed according to best practices, improving security, availability, and network segmentation.
Rationale:
This architecture improves the availability and security of Workspaces environments by separating public-facing resources from internal resources and applying controlled internet access:
Public Subnet: Hosts the NAT Gateway and allows access to public internet resources.
Private Subnets: Host the Workspaces instances, ensuring they are isolated from the internet and reducing the attack surface.
NAT Gateway: Provides secure internet access for instances in the private subnets without exposing them to the public internet.
By following this setup, organizations can:
Protect Workspaces from direct exposure to the internet.
Maintain Network Segmentation: Different types of resources are isolated based on their role (public vs. private).
Enable Secure Internet Access: Resources in private subnets can still access the internet via the NAT Gateway.
Impact:
Pros:
Enhanced Security: Isolates internal Workspaces instances from direct internet exposure while maintaining necessary internet access.
High Availability: The architecture can be easily scaled for high availability by deploying the NAT Gateway across multiple availability zones (AZs).
Simplified Management: Using private subnets for internal resources helps ensure proper network segmentation and access control.
Compliance: Meets best practices and security standards for VPC design, often required by compliance frameworks like SOC 2, PCI-DSS, and HIPAA.
Cons:
Increased Complexity: More networking resources need to be managed, including public and private subnets, routing tables, and NAT Gateway configurations.
Cost: A NAT Gateway incurs additional costs for data processing and data transfer, especially for large volumes of traffic.
Networking Overhead: Configuring the NAT Gateway and ensuring proper routing can add operational overhead.
Default Value:
By default, Amazon Workspaces does not enforce any specific VPC architecture. VPCs must be manually configured to follow best practices for public and private subnet design with a NAT Gateway.
Pre-requisite:
AWS IAM Permissions:
ec2:DescribeVpcs
ec2:CreateVpc
ec2:DescribeSubnets
ec2:CreateSubnet
ec2:CreateNatGateway
ec2:CreateRoute
ec2:DescribeInternetGateways
AWS CLI installed and configured.
Basic understanding of VPC design, subnetting, AWS networking, and NAT Gateway configuration.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to VPC under Services.
In the VPC Dashboard, verify that the VPC contains:
1 public subnet in which the NAT Gateway is deployed.
2 private subnets where the Workspaces instances will reside.
Verify the following configurations:
The public subnet has a route to the Internet Gateway.
The private subnets have a route to the NAT Gateway for internet access.
Ensure that the NAT Gateway is deployed in the public subnet and is configured to route traffic from private subnets to the internet.
Using AWS CLI:
To list the subnets and confirm public/private subnet configurations, run:
aws ec2 describe-subnets --query 'Subnets[*].[SubnetId,VpcId,MapPublicIpOnLaunch,AvailabilityZone]' --output table
Verify that the MapPublicIpOnLaunch field is set to true for the public subnet and false for the private subnets. Note that this flag only controls automatic public IP assignment; what makes a subnet public is a route to the Internet Gateway in its route table, so also check the route tables as in the console steps above.
To list the NAT Gateway, run:
aws ec2 describe-nat-gateways --query 'NatGateways[*].{ID:NatGatewayId,SubnetId:SubnetId,State:State}' --output table
Confirm that the NAT Gateway is deployed in the public subnet and is active.
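The following check is an added example for this test plan, not part of the SOP or of any AWS tooling: it applies the console and CLI verification above to the JSON output of describe-subnets, describe-route-tables and describe-nat-gateways, classifying each subnet by the target of its 0.0.0.0/0 route (an Internet Gateway route, not MapPublicIpOnLaunch, is what makes a subnet public) and checking that the NAT Gateway sits in the public subnet and the private subnets span two AZs. The sample data is constructed, with placeholder IDs.

```python
# Constructed sample data shaped like the JSON of the three describe-* commands above (not real data).
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-pub1", "VpcId": "vpc-ws", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv1", "VpcId": "vpc-ws", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv2", "VpcId": "vpc-ws", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False}]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-pub", "VpcId": "vpc-ws", "Associations": [{"Main": False, "SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-main", "VpcId": "vpc-ws", "Associations": [{"Main": True}],  # private subnets inherit this
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]}]}
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-1", "SubnetId": "subnet-pub1", "VpcId": "vpc-ws", "State": "available"}]}

def default_route_target(route_tables, subnet_id, vpc_id):
    """Target of the subnet's 0.0.0.0/0 route: 'igw-...', 'nat-...', or '' if none."""
    table = None
    for rt in route_tables["RouteTables"]:
        if rt["VpcId"] == vpc_id and any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            table = rt
            break  # an explicit association overrides the VPC main table
        if rt["VpcId"] == vpc_id and any(a.get("Main") for a in rt["Associations"]):
            table = rt
    for r in (table or {}).get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("GatewayId") or r.get("NatGatewayId") or "other"
    return ""

def audit_workspaces_vpc(vpc_id, subnets, route_tables, nat_gateways):
    """Return findings for the 1-public / 2-private (2 AZs) / NAT-in-public layout;
    the default route, not MapPublicIpOnLaunch, decides public vs private."""
    public, private, findings = [], [], []
    for s in [x for x in subnets["Subnets"] if x["VpcId"] == vpc_id]:
        target = default_route_target(route_tables, s["SubnetId"], vpc_id)
        if target.startswith("igw-"):
            public.append(s)
        elif target.startswith("nat-"):
            private.append(s)
            if s["MapPublicIpOnLaunch"]:
                findings.append(f"{s['SubnetId']} routes via NAT but auto-assigns public IPs")
        else:
            findings.append(f"{s['SubnetId']} has no Internet Gateway or NAT default route")
    if not public:
        findings.append("no public subnet (0.0.0.0/0 -> Internet Gateway)")
    if len(private) < 2 or len({s["AvailabilityZone"] for s in private}) < 2:
        findings.append("need 2 private subnets in 2 different Availability Zones")
    public_ids = {s["SubnetId"] for s in public}
    active = [n for n in nat_gateways["NatGateways"] if n["VpcId"] == vpc_id and n["State"] == "available"]
    if not active:
        findings.append("no NAT Gateway in 'available' state")
    findings += [f"{n['NatGatewayId']} is not in a public subnet" for n in active if n["SubnetId"] not in public_ids]
    return findings
```

In practice load each dictionary with json.load() from the corresponding command run with --output json; an empty findings list means the VPC matches the layout described in this document.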
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to VPC.
In the VPC Dashboard, create a VPC and configure it with at least 3 subnets:
1 public subnet with Auto-assign Public IP enabled.
2 private subnets with Auto-assign Public IP disabled.
Create an Internet Gateway and attach it to the VPC.
Create a NAT Gateway in the public subnet and associate it with an Elastic IP.
Modify the Route Tables:
Public subnet: Add a route to the Internet Gateway (0.0.0.0/0).
Private subnets: Add a route to the NAT Gateway (0.0.0.0/0).
Verify that the routing and subnet configurations are correctly applied.
Using AWS CLI:
To create a VPC, run:
aws ec2 create-vpc --cidr-block <cidr-block>
To create a public subnet in an AZ:
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <cidr-block> --availability-zone <zone> --map-public-ip-on-launch true
To create private subnets in two different AZs (run once per AZ, with a distinct CIDR block and zone each time):
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <cidr-block> --availability-zone <zone> --map-public-ip-on-launch false
To create a NAT Gateway in the public subnet, first allocate an Elastic IP and then create the NAT Gateway:
aws ec2 allocate-address --domain vpc
aws ec2 create-nat-gateway --subnet-id <public-subnet-id> --allocation-id <eip-allocation-id>
Modify the Route Tables:
Add a route to the Internet Gateway for the public subnet.
Add a route to the NAT Gateway for the private subnets.
Verify the configuration by describing the VPC, subnets, and NAT Gateway:
aws ec2 describe-vpcs
aws ec2 describe-subnets
aws ec2 describe-nat-gateways
Backout Plan:
Delete NAT Gateway:
Go to VPC > NAT Gateways and delete the NAT Gateway.
Update Route Tables:
Go to Route Tables and remove the route pointing to the NAT Gateway.
Add a route to the Internet Gateway if needed.
Validate:
Ensure WorkSpaces can connect to necessary resources and are functioning.
CLI Process:
Delete NAT Gateway:
aws ec2 delete-nat-gateway --nat-gateway-id <nat-gateway-id>
Update Route Tables:
Remove NAT Gateway route:
aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0
Add route to Internet Gateway if required:
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0 --gateway-id <internet-gateway-id>
Verify Changes:
aws ec2 describe-route-tables
Note:
NAT Gateway Cost: Remember that using a NAT Gateway incurs additional costs for data processing and data transfer, so monitor your usage.
Availability Zones: Consider deploying the NAT Gateway in multiple Availability Zones (if required for high availability) for better fault tolerance.