Instances are Configured under Virtual Private Cloud

Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.

Risk Level: Medium
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.NET.12
Covered by Spectral: No
Category: Compute

GSL LOGIC

Instance should have vpc

REMEDIATION

From Portal
Step 1: Identify EC2-Classic instances

  1. Choose Instances in the navigation pane.
  2. In the VPC ID column, the value for each EC2-Classic instance is blank or a - symbol. If the VPC ID column is not present, choose the gear icon and make the column visible.

Step 2: Create an AMI
After you've identified your EC2-Classic instance, you can create an AMI from it. Follow these links to create AMI: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-migrate.html or https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html

Step 3: Launch an instance into your VPC
After you've created an AMI, you can use the Amazon EC2 launch instance wizard to launch an instance into your VPC. The instance will have the same data and configurations as your existing EC2-Classic instance.

  1. Follow the procedure to launch an instance.
  2. Under Application and OS Images (Amazon Machine Image), choose My AMIs, ensure that Owned by me is selected, and select the AMI that you created. Alternatively, if you shared an AMI from another account, choose Shared with me, and select the AMI that you shared from your EC2-Classic account.
  3. Under Network settings, choose Edit (on the right), and do the following:
    For VPC, select your VPC.
    For Subnet, select the required subnet.
    For Security group name, select the security group that you created for your VPC.
  4. Configure any other details that you require, such as the instance type and key pair. For information about the fields in the launch instance wizard, see Launch an instance using defined parameters.
  5. In the Summary panel, review your instance configuration, and then choose Launch instance.

From Command Line
Use the following describe-instances command to identify your EC2-Classic instances. The --query parameter displays only instances where the value for VpcId is null.

aws ec2 describe-instances --query 'Reservations[*].Instances[?VpcId=='null']'

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-migrate.html
  2. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html
  3. https://aws.amazon.com/premiumsupport/knowledge-center/ssm-migrate-ec2classic-vpc/
  4. https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-migrate-ec2-classic-to-vpc.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Dashboards