Best practice rules for Amazon Virtual Private Cloud (VPC)
AWS Virtual Private Cloud (VPC) provides you with an isolated section within the AWS cloud to launch resources in a virtual network tailored to your organization. Implementing a VPC provides you with complete control of your virtual network, including configuration of network gateways and route tables, and the ability to select your IP range. Using a virtual private cloud adds another layer of security for your infrastructure, for example, by defining which resources within your AWS account have access to the internet.
Trend Micro Cloud One™ – Conformity monitors Amazon Virtual Private Cloud (VPC) with the following rules:
- AWS VPC Peering Connections Route Tables Access
  Ensure that the Amazon VPC peering connection configuration is compliant with the desired routing policy.
- AWS VPN Tunnel State
  Ensure that the state of your AWS Virtual Private Network (VPN) tunnels is UP.
- Ineffective Network ACL DENY Rules
  Ensure that Amazon Network ACL DENY rules are effective within the VPC configuration (not shadowed by an earlier ALLOW rule with a lower rule number).
- Managed NAT Gateway In Use
  Ensure that the AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA).
- Specific Gateway Attached To Specific VPC
  Ensure that a specific Internet/NAT gateway is attached to a specific VPC.
- Unrestricted Inbound Traffic on Remote Server Administration Ports
  Ensure that no Network ACL (NACL) allows unrestricted inbound traffic on TCP ports 22 (SSH) and 3389 (RDP).
- Unrestricted Network ACL Inbound Traffic
  Ensure that no Amazon Network ACL allows inbound/ingress traffic on all ports.
- Unrestricted Network ACL Outbound Traffic
  Ensure that no Amazon Network ACL allows outbound/egress traffic on all ports.
- Unused VPC Internet Gateways
  Ensure that unused VPC Internet Gateways and Egress-Only Internet Gateways are removed to follow best practices.
- Unused Virtual Private Gateways
  Ensure that unused Virtual Private Gateways (VGWs) are removed to follow best practices.
- VPC Endpoint Cross Account Access
  Ensure that Amazon VPC endpoints do not allow unknown cross-account access.
- VPC Endpoint Exposed
  Ensure that Amazon VPC endpoints are not exposed to everyone.
- VPC Endpoints In Use
  Ensure that VPC endpoints are being used to connect your VPC to other AWS services.
- VPC Flow Logs Enabled
  Ensure that the Virtual Private Cloud (VPC) Flow Logs feature is enabled in all applicable AWS regions.
- VPC Naming Conventions
  Ensure that AWS VPCs use proper naming conventions to follow AWS tagging best practices.
- VPC Peering Connections To Accounts Outside AWS Organization
  Ensure that VPC peering communication takes place only between AWS accounts that are members of the same AWS Organization.
- VPN Tunnel Redundancy
  Ensure that AWS VPNs always have two tunnels active in order to provide redundancy.