Instance With No VPC

  • Query id: 61d1a2d0-4db8-405a-913d-5d2ce49dff6f
  • Query name: Instance With No VPC
  • Platform: Ansible
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

EC2 instances should be launched into an explicitly chosen VPC subnet. In the Ansible `ec2` / `ec2_instance` modules this means setting `vpc_subnet_id`; when it is omitted, the instance is placed in the default subnet of the account's default VPC (or the task fails in accounts that have no default VPC), so it never passes through the network design and review the rest of the environment gets. AWS VPCs provide the controls (subnets, route tables, security groups and network ACLs) that make it possible to formally approve and test every network connection and every change to firewall and routing configuration.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Start an instance and have it begin a Tower callback on boot
  community.aws.ec2_instance:
    name: "tower-callback-test"
    key_name: "prod-ssh-key"
    security_group: default
    tower_callback:
      # IP or hostname of tower server
      tower_address: 1.2.3.4
      job_template_id: 876
      host_config_key: '[secret config key goes here]'
    network:
      assign_public_ip: true
    image_id: ami-123456
    cpu_credit_specification: unlimited
    tags:
      SomeThing: "A value"
- name: Start an instance and have it begin a Tower callback on boot v2
  amazon.aws.ec2:
    key_name: mykey
    instance_type: t2.micro
    image: ami-123456
    wait: yes
    group: webserver
    count: 3
    assign_public_ip: yes

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Start an instance and have it begin a Tower callback on boot v3
  community.aws.ec2_instance:
    name: tower-callback-test
    key_name: prod-ssh-key
    vpc_subnet_id: subnet-5ca1ab1e
    security_group: default
    tower_callback:
      # IP or hostname of tower server
      tower_address: 1.2.3.4
      job_template_id: 876
      host_config_key: '[secret config key goes here]'
    network:
      assign_public_ip: true
    image_id: ami-123456
    cpu_credit_specification: unlimited
    tags:
      SomeThing: A value
- name: Start an instance and have it begin a Tower callback on boot v4
  amazon.aws.ec2:
    key_name: mykey
    instance_type: t2.micro
    image: ami-123456
    wait: yes
    group: webserver
    count: 3
    vpc_subnet_id: subnet-29e63245
    assign_public_ip: yes
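The following is an added example, not KICS's own Rego query and not code from the Ansible collections: a small Python checker that applies the rule described above (an `ec2` / `ec2_instance` launch task with no `vpc_subnet_id` is a finding) to a playbook structure, descending into plays and `block`/`rescue`/`always` sections. The set of module names, and the decision to skip tasks that operate on existing instances (`instance_ids` given, or `state` absent/terminated), are this example's own assumptions. The playbook data is constructed inline from the four samples on this page so it runs offline; with PyYAML installed, `yaml.safe_load()` on a real playbook file yields the same list-of-dicts shape.

```python
"""Added example: re-implements the 'Instance With No VPC' check in plain Python.
Not KICS's Rego and not Ansible code; module list and skip rules are assumptions."""

from typing import Any, Dict, Iterator, List, Optional, Tuple

# Module names the check covers, short and fully qualified
# (the samples above use both community.aws and amazon.aws forms).
INSTANCE_MODULES = {
    "ec2", "amazon.aws.ec2",
    "ec2_instance", "amazon.aws.ec2_instance", "community.aws.ec2_instance",
}

# Keys under which Ansible nests further task lists.
NESTED_TASK_KEYS = ("block", "rescue", "always")
PLAY_TASK_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def iter_tasks(items: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every leaf task dict, recursing through plays and blocks."""
    for item in items:
        if not isinstance(item, dict):
            continue
        nested = False
        for key in NESTED_TASK_KEYS + PLAY_TASK_KEYS:
            sub = item.get(key)
            if isinstance(sub, list):
                nested = True
                yield from iter_tasks(sub)
        if not nested:
            yield item


def instance_without_vpc(task: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """Return (task name, module) when the task launches an instance with no
    vpc_subnet_id; None when it is clean or not an instance launch."""
    for module in INSTANCE_MODULES:
        params = task.get(module)
        if params is None:
            continue
        name = task.get("name", "<unnamed>")
        # Free-form string args ("ec2: key_name=... image=...") cannot be
        # inspected structurally; report them so a human looks at them.
        if not isinstance(params, dict):
            return (name, module)
        # Assumption: tasks acting on existing instances launch nothing.
        if params.get("instance_ids") or params.get("state") in ("absent", "terminated"):
            return None
        if not params.get("vpc_subnet_id"):   # missing, null or empty
            return (name, module)
    return None


def find_instances_without_vpc(playbook: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """All findings in a loaded playbook (list of plays or list of tasks)."""
    return [f for t in iter_tasks(playbook) if (f := instance_without_vpc(t))]


# Constructed input: the page's two flagged samples and two clean samples,
# wrapped in a play and a block as a real playbook would be, plus one
# termination task that must not be reported.
SAMPLE_PLAYBOOK = [{
    "name": "provision", "hosts": "localhost",
    "tasks": [
        {"name": "Start an instance and have it begin a Tower callback on boot",
         "community.aws.ec2_instance": {
             "name": "tower-callback-test", "key_name": "prod-ssh-key",
             "security_group": "default", "network": {"assign_public_ip": True},
             "image_id": "ami-123456"}},
        {"block": [
            {"name": "Start an instance and have it begin a Tower callback on boot v2",
             "amazon.aws.ec2": {"key_name": "mykey", "instance_type": "t2.micro",
                                "image": "ami-123456", "group": "webserver",
                                "count": 3, "assign_public_ip": True}},
            {"name": "Start an instance and have it begin a Tower callback on boot v3",
             "community.aws.ec2_instance": {
                 "name": "tower-callback-test", "key_name": "prod-ssh-key",
                 "vpc_subnet_id": "subnet-5ca1ab1e", "security_group": "default",
                 "image_id": "ami-123456"}},
        ]},
        {"name": "Start an instance and have it begin a Tower callback on boot v4",
         "amazon.aws.ec2": {"key_name": "mykey", "instance_type": "t2.micro",
                            "image": "ami-123456", "group": "webserver", "count": 3,
                            "vpc_subnet_id": "subnet-29e63245", "assign_public_ip": True}},
        {"name": "Terminate an old instance (constructed placeholder id)",
         "amazon.aws.ec2_instance": {"instance_ids": ["i-0123456789abcdef0"],
                                     "state": "absent"}},
    ],
}]

if __name__ == "__main__":
    for task_name, module in find_instances_without_vpc(SAMPLE_PLAYBOOK):
        print(f"[Medium] Instance With No VPC: task '{task_name}' ({module}) has no vpc_subnet_id")
```

Only the two tasks from the positive sample are reported; the termination task is skipped even though it also lacks `vpc_subnet_id`, which is the kind of false positive a literal "key is absent" check would produce.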