Instances with Direct Connect virtual interface should not have public interfaces

Ensure that instances with direct connect virtual interface do not have public interfaces

Risk Level: Critical
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.NET.27
Covered by Spectral: No
Category: Compute

GSL LOGIC

Instance where vpc.vpnGateways contain [directConnectVirtualInterfaces] should have isPublic=false

REMEDIATION

From Portal

  1. Login to the AWS Management Console.
  2. Select direct connect service and go to virtual interfaces tab
  3. Verify if any public virtual interface is associated with any instance.
  4. Make sure to fix the configuration to avoid public internet routing through your direct connect interfaces

References

  1. https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
  2. For creating private virtual interface: https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset