Profile Applicability:

  • Level 1

Description:
Creating a Virtual Private Cloud (VPC) allows you to launch AWS resources in a logically isolated network. It provides complete control over networking configurations, such as subnets, IP ranges, route tables, and security groups.

Rationale:
By using a VPC, you can isolate databases from the public internet, control traffic at the subnet level, and enforce network segmentation. This is a critical foundational step in secure AWS deployments, particularly for database services.

Impact:
Pros:

  • Improved network security and isolation

  • Better control over traffic routing and firewall rules

  • Supports high availability and disaster recovery setups

Cons:

  • Misconfigured settings can lead to unintentional exposure or blocked communication

  • Additional planning required for IP addressing and subnet layout

Default Value:
No VPC is created by default for your database; it must be configured manually or during service provisioning.

Pre-requisites:

  • AWS account with required IAM permissions

  • Subnet and CIDR planning

  • Optional: knowledge of Internet Gateway, NAT, and route tables

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to VPC Dashboard

  3. Click on Your VPCs and confirm a VPC is created with a valid CIDR range

  4. Ensure subnets are present and belong to the VPC

  5. Confirm security groups and route tables are configured properly

  6. Check that database services (RDS, DocumentDB) are deployed in the selected VPC

Using AWS CLI:

  1. List existing VPCs:

     aws ec2 describe-vpcs

  2. List subnets in a VPC:

     aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>

  3. List security groups in a VPC:

     aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id>
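The three CLI checks above print JSON. The script below is an added example, not part of this benchmark: it evaluates saved describe-* output offline against the test-plan conditions, namely that the VPC exists with a private CIDR, that every subnet sits inside that CIDR, and that no security group in the VPC admits the database port (3306, as authorized in the remediation steps) from 0.0.0.0/0 or ::/0. The SAMPLE_* documents are constructed stand-ins for real command output, and the VPC, subnet and group IDs in them are placeholders.

```python
import ipaddress
import json

DB_PORT = 3306  # the database port the remediation steps authorize
# Constructed sample output, in the shape the three describe-* commands print.
SAMPLE_VPCS = json.loads("""{"Vpcs": [
  {"VpcId": "vpc-0123456789abcdef0", "CidrBlock": "10.0.0.0/16", "State": "available"}]}""")
SAMPLE_SUBNETS = json.loads("""{"Subnets": [
  {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0123456789abcdef0", "CidrBlock": "10.0.1.0/24"}]}""")
SAMPLE_SGS = json.loads("""{"SecurityGroups": [
  {"GroupId": "sg-0good", "GroupName": "MyDBSG", "VpcId": "vpc-0123456789abcdef0",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                      "IpRanges": [{"CidrIp": "203.0.113.5/32"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0open", "GroupName": "LegacySG", "VpcId": "vpc-0123456789abcdef0",
   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                      "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP to `port` (-1 = all traffic)."""
    if perm["IpProtocol"] == "-1":  # all-traffic rules carry no FromPort/ToPort
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_vpc(vpcs, subnets, sgs, vpc_id, db_port=DB_PORT):
    """Run the test-plan checks for one VPC; an empty list means all passed."""
    vpc = next((v for v in vpcs["Vpcs"] if v["VpcId"] == vpc_id), None)
    if vpc is None:
        return [f"{vpc_id}: VPC not found"]
    findings = []
    cidr = ipaddress.ip_network(vpc["CidrBlock"])
    if not cidr.is_private:
        findings.append(f"{vpc_id}: CIDR {cidr} is not a private (RFC 1918) range")
    members = [s for s in subnets["Subnets"] if s["VpcId"] == vpc_id]
    if not members:
        findings.append(f"{vpc_id}: no subnets belong to this VPC")
    for s in members:  # every subnet CIDR must fall inside the VPC CIDR
        if not ipaddress.ip_network(s["CidrBlock"]).subnet_of(cidr):
            findings.append(f"{s['SubnetId']}: {s['CidrBlock']} lies outside {cidr}")
    for sg in (g for g in sgs["SecurityGroups"] if g["VpcId"] == vpc_id):
        for perm in (p for p in sg["IpPermissions"] if rule_covers_port(p, db_port)):
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for r in ranges:  # prefix length 0 (0.0.0.0/0, ::/0) means any source
                if ipaddress.ip_network(r).prefixlen == 0:
                    findings.append(f"{sg['GroupId']}: port {db_port} reachable from {r}")
    return findings
```

Against real output, pipe each command to a file and load those files in place of the SAMPLE_* documents; any non-empty result is a test-plan failure to remediate before attaching the VPC to a database.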

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Go to VPC > Create VPC

  3. Choose VPC only or VPC and more

  4. Enter a name and a CIDR block (e.g., 10.0.0.0/16)

  5. Click Create VPC

  6. Navigate to Subnets > Create subnet

  7. Select the VPC and specify subnet details (name, AZ, CIDR)

  8. Go to Security Groups > Create security group

  9. Assign the security group to the VPC and define inbound/outbound rules

  10. Attach this VPC during database creation

Using AWS CLI:

  1. Create a VPC:

     aws ec2 create-vpc --cidr-block 10.0.0.0/16

  2. Create a subnet:

     aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24 --availability-zone us-east-1a

  3. Create a security group:

     aws ec2 create-security-group --group-name MyDBSG --description "DB access group" --vpc-id <vpc-id>

  4. Authorize inbound access to the database port:

     aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 3306 --cidr <your-ip>/32

  5. (Optional) Authorize outbound traffic:

     aws ec2 authorize-security-group-egress --group-id <sg-id> --protocol -1 --port all --cidr 0.0.0.0/0

Backout Plan

Using AWS Console:

  1. Go to VPC Dashboard > Subnets, select and delete subnets

  2. Go to Security Groups, select and delete the group

  3. Go to Your VPCs, select and delete the VPC

Using AWS CLI:

  1. Delete the security group:

     aws ec2 delete-security-group --group-id <sg-id>

  2. Delete the subnet:

     aws ec2 delete-subnet --subnet-id <subnet-id>

  3. Delete the VPC:

     aws ec2 delete-vpc --vpc-id <vpc-id>

References: