Default VPC in Use

Risk Level: Medium (should be achieved)

Ensure that your AWS cloud applications are not deployed within the default Virtual Private Cloud (VPC) in order to follow AWS cloud security best practices. A default Virtual Private Cloud is a logically isolated virtual network created automatically for your AWS account the first time you provision Amazon EC2 resources. A default VPC is suitable for getting started quickly, however, when you deploy complex applications and use multi-tier architectures, you may need to keep parts of your network private or to customize the network model, therefore it is recommended to create a non-default VPC that suits your network requirements.

Security

A default Virtual Private Cloud (VPC) is designed in such a way that you can quickly deploy AWS resources and not have to think about the underlying network. The default VPC comes with a default configuration that would not meet all AWS cloud security best practices, hence a non-default VPC should not be used for advanced applications.

Audit

To determine if the default Virtual Private Cloud (VPC) is being used within your AWS account, perform the following actions:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the left navigation panel, under VIRTUAL PRIVATE CLOUD, choose Your VPCs.
Click inside the Filter VPCs box, select Default VPC, and choose Yes to return only the VPC network created within the current AWS region.
Select the default VPC, choose the Details tab from the console bottom panel, and copy the VPC network ID listed as value of the VPC ID attribute.
Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation panel, under Instances, choose Instances.
Click inside the Filter instances box, select VPC ID, paste the VPC network ID copied at step no. 5, and press Enter. This filtering method will return only the Amazon EC2 instances launched within the default VPC (if any). If the Amazon EC2 console returns one or more EC2 instances, the default Virtual Private Cloud (VPC) network is being used within the current AWS region.
Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

Run describe-vpcs command (OSX/Linux/UNIX) with custom query filters to return the ID of the default VPC network created in the selected AWS region:
```
aws ec2 describe-vpcs
  --region us-east-1
  --query 'Vpcs[?(IsDefault==`true`)].VpcId | []'
```
The command output should return the ID of the default VPC:
```
[
	"vpc-1234abcd"
]
```
Run describe-instances command (OSX/Linux/UNIX) using the ID of the default VPC network returned at the previous step as the identifier parameter and custom query filters to return the IDs of the Amazon EC2 instances running within the selected (default) VPC:
```
aws ec2 describe-instances
  --region us-east-1
  --filters "Name=vpc-id,Values=vpc-1234abcd"
  --query 'Reservations[*].Instances[*].InstanceId[]'
```
The command output should return the ID of the EC2 instances launched within the default VPC. Otherwise, it should return an empty array:
```
[
	"i-012345678abcdabcd",
	"i-0abcdabcd12345678"
]
```
If the describe-instances command output returns an array with one or more instance IDs, as shown in the example above, the default VPC network is being used by Amazon EC2 resources within the selected AWS region.
Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

Remediation / Resolution

To create a non-default Virtual Private Cloud (VPC) network and migrate your cloud applications to it, perform the following actions:

Using AWS CloudFormation

CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Use custom VPC instead of default VPC",
	"Resources": {
		"VPCNetwork": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "10.0.0.0/16",
				"EnableDnsHostnames": true,
				"EnableDnsSupport": true,
				"InstanceTenancy": "default",
				"Tags": [
					{
						"Key": "Type",
						"Value": "Custom"
					}
				]
			}
		}
	}
}

CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Use custom VPC instead of default VPC
	Resources:
	VPCNetwork:
		Type: AWS::EC2::VPC
		Properties:
		CidrBlock: 10.0.0.0/16
		EnableDnsHostnames: true
		EnableDnsSupport: true
		InstanceTenancy: default
		Tags:
			- Key: Type
			Value: Custom

Using Terraform (AWS Provider)

Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_vpc" "vpc-network" {
	cidr_block = "10.0.0.0/16"
	enable_dns_hostnames = true
	enable_dns_support = true
	instance_tenancy = "default"
	tags = {
		Type = "Custom"
	}
}

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the left navigation panel, under VIRTUAL PRIVATE CLOUD, choose Your VPCs.
Choose Create VPC to initiate the Virtual Private Cloud (VPC) setup process.
On the Create VPC setup page, perform the following operations:
1. (Optional) For Name tag – optional, provide a unique name tag for your new VPC network.
2. For IPv4 CIDR block, specify the IPv4 address range (CIDR block) approved by your organization, for example, 10.0.0.0/16. You can't provide an IPv4 CIDR block larger than /16.
3. (Optional) For IPv6 CIDR block, choose whether to associate an Amazon-provided IPv6 CIDR block with the new VPC or to use your own IPv6 CIDR block.
4. For Tenancy, choose the appropriate tenancy option for your new VPC network. Select Dedicated to ensure that the Amazon EC2 instances launched in the new VPC are dedicated tenancy instances, regardless of the tenancy attribute specified at launch. Select Default to ensure that instances launched in the new VPC use the tenancy attribute specified at launch.
5. (Optional) If required, create one or more tag sets using the Add new tag button available in the Tags section.
6. Choose Create VPC to deploy your new Amazon Virtual Private Cloud (VPC) network. The VPC setup wizard will create automatically the required network resources (i.e. route tables, subnets, NACLs, etc.) and associate them with the new VPC.
Configure your non-default VPC network based on your application requirements and migrate your application from the default VPC to the non-default one.
If required, change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

Run create-vpc command (OSX/Linux/UNIX) to create a new, non-default Virtual Private Cloud (VPC) network in the selected AWS cloud region. Configure the --cidr-block parameter with the IPv4 address range (CIDR block) approved by your organization. You can't provide an IPv4 CIDR block larger than /16. The following command example deploys a shared tenancy VPC with the IPv4 CIDR block set to 10.0.0.0/16, in the US East (N. Virginia) region:
```
aws ec2 create-vpc
  --region us-east-1
  --cidr-block 10.0.0.0/16
  --instance-tenancy default
```

The command output should return the configuration metadata available for the new VPC:

{
	"Vpc": {
		"VpcId": "vpc-0abcd1234abcd1234",
		"InstanceTenancy": "default",
		"CidrBlockAssociationSet": [
			{
				"AssociationId": "vpc-cidr-assoc-01234abcd1234abcd",
				"CidrBlock": "10.0.0.0/16",
				"CidrBlockState": {
					"State": "associated"
				}
			}
		],
		"Ipv6CidrBlockAssociationSet": [],
		"State": "pending",
		"DhcpOptionsId": "dopt-1234abcd",
		"OwnerId": "123456789012",
		"CidrBlock": "10.0.0.0/16",
		"IsDefault": false
	}
}

Run create-internet-gateway command (OSX/Linux/UNIX) to create an Internet Gateway (IGW) for the newly created Virtual Private Cloud (VPC) network:
```
aws ec2 create-internet-gateway
  --region us-east-1
```

The command output should return the metadata available for the new Internet Gateway:

{
	"InternetGateway": {
		"OwnerId": "123456789012",
		"Tags": [],
		"Attachments": [],
		"InternetGatewayId": "igw-01234abcd1234abcd"
	}
}

Run attach-internet-gateway command (OSX/Linux/UNIX) to attach the newly created Internet Gateway (IGW) to the VPC created at step no. 1 (if successful, the command does not produce an output):
```
aws ec2 attach-internet-gateway
  --region us-east-1
  --internet-gateway-id igw-01234abcd1234abcd
  --vpc-id vpc-0abcd1234abcd1234
```
Run create-subnet command (OSX/Linux/UNIX) to set up a custom subnet for your new VPC network. Choose the IPv4 network range for the new subnet (i.e. --cidr-block parameter) based on the IPv4 address range approved by your organization, configured for the VPC network created at step no. 1. Repeat this step to create as many VPC subnets as needed:
```
aws ec2 create-subnet
  --region us-east-1
  --vpc-id vpc-0abcd1234abcd1234
  --cidr-block 10.0.1.0/24
```

The command output should return the VPC subnet metadata:

{
	"Subnet": {
		"MapPublicIpOnLaunch": false,
		"AvailabilityZoneId": "use1-az2",
		"AvailableIpAddressCount": 251,
		"DefaultForAz": false,
		"SubnetArn": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0aabbccddaabbccdd",
		"Ipv6CidrBlockAssociationSet": [],
		"VpcId": "vpc-0abcd1234abcd1234",
		"State": "available",
		"AvailabilityZone": "us-east-1c",
		"SubnetId": "subnet-0aabbccddaabbccdd",
		"OwnerId": "123456789012",
		"CidrBlock": "10.0.1.0/24",
		"AssignIpv6AddressOnCreation": false
	}
}

Run create-route-table command (OSX/Linux/UNIX) to create a route table for your new VPC network:
```
aws ec2 create-route-table
  --region us-east-1
  --vpc-id vpc-0abcd1234abcd1234
```

The command output should return the VPC route table metadata:

{
	"RouteTable": {
		"Associations": [],
		"RouteTableId": "rtb-0abcdabcdabcdabcd",
		"VpcId": "vpc-0abcd1234abcd1234",
		"PropagatingVgws": [],
		"Tags": [],
		"Routes": [
			{
				"GatewayId": "local",
				"DestinationCidrBlock": "10.0.0.0/16",
				"State": "active",
				"Origin": "CreateRouteTable"
			}
		],
		"OwnerId": "123456789012"
	}
}

Run associate-route-table command (OSX/Linux/UNIX) to associate the VPC subnet(s) created at step no. 6 with the new VPC route table:

aws ec2 associate-route-table
  --region us-east-1
  --route-table-id rtb-0abcdabcdabcdabcd
  --subnet-id subnet-0aabbccddaabbccdd

The command output should return the state and the ID of the route table association:

{
	"AssociationState": {
		"State": "associated"
	},
	"AssociationId": "rtbassoc-01234123412341234"
}

Run create-route command (OSX/Linux/UNIX) to add a new route to the Amazon VPC route table deployed at the previous steps. Repeat this step to add as many routes as needed:
```
aws ec2 create-route
  --region us-east-1
  --route-table-id rtb-0abcdabcdabcdabcd
  --destination-cidr-block 0.0.0.0/0
  --gateway-id igw-01234abcd1234abcd
```
The command output should return the request status (true for success or an error message if the request fails):
```
{
	"Return": true
}
```
Configure your new Amazon VPC network based on your application requirements and migrate your application from the non-default VPC to the new VPC.
If required, change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
ec2
describe-vpcs
create-vpc
create-internet-gateway
attach-internet-gateway
create-subnet
create-route-table
associate-route-table
create-route

Publication date Sep 10, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related VPC rules