Instance With No VPC
- Query id: 8a6d36cd-0bc6-42b7-92c4-67acc8576861
- Query name: Instance With No VPC
- Platform: CloudFormation
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description¶
EC2 instances should be launched inside a VPC, which in a template means the instance is attached to a subnet (directly through SubnetId, or through a SubnetId or network interface under NetworkInterfaces) and that subnet itself carries a VpcId. The VPC is where the network controls live: security groups, network ACLs, route tables and flow logs. Those controls are what let a team run a formal process for approving, testing and auditing network connections and changes to firewall and router configuration. A subnet declared without a VpcId leaves the instance unbound from the VPC the template defines, and an instance that names no subnet at all is launched into the account's default VPC and default subnet (where public IPv4 addresses are assigned automatically), outside anything the template declares and reviews. Since EC2-Classic was retired in 2022 there is no other network for such an instance to land in, so the default VPC is the only fallback.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
```yaml
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.1.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Join ['', [!Ref "AWS::StackName", "-VPC"]]
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    DependsOn: VPC
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      # No VpcId here: the subnet is not bound to the VPC above, so neither is the instance below
      CidrBlock: 10.1.10.0/24
      AvailabilityZone: !Select [0, !GetAZs '']  # Get the first AZ in the list
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Public-A
  Ec2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "some-ec2-image"  # placeholder; a real template would typically use !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      KeyName: "some-rsa-key"    # placeholder; typically !Ref KeyName for a key-pair parameter
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnetA
```
Positive test num. 2 - yaml file
```yaml
Resources:
  Ec2Instance02:
    Type: AWS::EC2::Instance
    Properties:
      # No SubnetId and no NetworkInterfaces: the instance is placed in no subnet the template declares
      ImageId: "some-ec2-image"  # placeholder; a real template would typically use !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      KeyName: "some-rsa-key"    # placeholder; typically !Ref KeyName for a key-pair parameter
```
Positive test num. 3 - json file
Same template as positive test 1, in JSON: PublicSubnetA carries no VpcId.
```json
{
  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.1.0.0/16",
        "EnableDnsSupport": true,
        "EnableDnsHostnames": true,
        "Tags": [
          {
            "Key": "Name",
            "Value": {"Fn::Join": ["", [{"Ref": "AWS::StackName"}, "-VPC"]]}
          }
        ]
      }
    },
    "InternetGateway": {
      "Type": "AWS::EC2::InternetGateway",
      "DependsOn": "VPC"
    },
    "AttachGateway": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {"Ref": "VPC"},
        "InternetGatewayId": {"Ref": "InternetGateway"}
      }
    },
    "PublicSubnetA": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": "10.1.10.0/24",
        "AvailabilityZone": {"Fn::Select": [0, {"Fn::GetAZs": ""}]},
        "Tags": [
          {
            "Key": "Name",
            "Value": {"Fn::Sub": "${AWS::StackName}-Public-A"}
          }
        ]
      }
    },
    "Ec2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "some-ec2-image",
        "KeyName": "some-rsa-key",
        "NetworkInterfaces": [
          {
            "AssociatePublicIpAddress": "true",
            "DeviceIndex": 0,
            "SubnetId": {"Ref": "PublicSubnetA"}
          }
        ]
      }
    }
  }
}
```
Positive test num. 4 - json file
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
```yaml
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.1.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Join ['', [!Ref "AWS::StackName", "-VPC"]]
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    DependsOn: VPC
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC  # binds the subnet, and therefore the instance placed in it, to the VPC
      CidrBlock: 10.1.10.0/24
      AvailabilityZone: !Select [0, !GetAZs '']  # Get the first AZ in the list
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Public-A
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: 'some-ec2-image'  # placeholder; a real template would typically use !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      KeyName: 'some-rsa-key'    # placeholder; typically !Ref KeyName for a key-pair parameter
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: 0
          SubnetId: !Ref PublicSubnetA
```
Negative test num. 2 - json file
Same template as negative test 1, in JSON: PublicSubnetA sets VpcId, so the instance placed in it is inside the VPC.
```json
{
  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.1.0.0/16",
        "EnableDnsSupport": true,
        "EnableDnsHostnames": true,
        "Tags": [
          {
            "Key": "Name",
            "Value": {"Fn::Join": ["", [{"Ref": "AWS::StackName"}, "-VPC"]]}
          }
        ]
      }
    },
    "InternetGateway": {
      "Type": "AWS::EC2::InternetGateway",
      "DependsOn": "VPC"
    },
    "AttachGateway": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {"Ref": "VPC"},
        "InternetGatewayId": {"Ref": "InternetGateway"}
      }
    },
    "PublicSubnetA": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": {"Ref": "VPC"},
        "CidrBlock": "10.1.10.0/24",
        "AvailabilityZone": {"Fn::Select": [0, {"Fn::GetAZs": ""}]},
        "Tags": [
          {
            "Key": "Name",
            "Value": {"Fn::Sub": "${AWS::StackName}-Public-A"}
          }
        ]
      }
    },
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "some-ec2-image",
        "KeyName": "some-rsa-key",
        "NetworkInterfaces": [
          {
            "AssociatePublicIpAddress": "true",
            "DeviceIndex": 0,
            "SubnetId": {"Ref": "PublicSubnetA"}
          }
        ]
      }
    }
  }
}
```
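The check behind this query, written out as an added Python example so the positive and negative samples above can be reasoned about mechanically. This is not KICS's own Rego for the query and not code from the KICS project; it is a stand-alone re-implementation of the rule as described: an instance is reported when it names no subnet at all, or when a subnet it names is declared in the same template without a VpcId. The templates embedded at the bottom are constructed to mirror the page's samples, and the example goes one step beyond them by also resolving an instance attached to a template-declared AWS::EC2::NetworkInterface through that interface's SubnetId. Treating subnets that are not declared in the template (a parameter, an imported value, a literal subnet ID) as out of scope is this example's own choice; it assumes templates are already parsed to JSON, since CloudFormation's YAML short-form tags (!Ref, !Sub, !Select) need a tag-aware loader that is not shown here.

```python
"""Added example: report AWS::EC2::Instance resources in a CloudFormation
template that are not bound to a VPC.  A finding is raised when the instance
names no subnet at all, or when a subnet it names is declared in the same
template without a VpcId.  Templates are handled as parsed JSON dicts; this
is an illustration of the rule, not the KICS query implementation."""
import json
from typing import Any, Dict, List, Optional, Tuple

INSTANCE = "AWS::EC2::Instance"
SUBNET = "AWS::EC2::Subnet"
ENI = "AWS::EC2::NetworkInterface"


def ref_target(value: Any) -> Optional[str]:
    """Logical ID behind {"Ref": "X"} or a bare string; None for anything else."""
    if isinstance(value, dict) and list(value) == ["Ref"]:
        return value["Ref"]
    return value if isinstance(value, str) else None


def subnet_refs(resources: Dict[str, Any], props: Dict[str, Any]) -> List[Any]:
    """Collect every subnet an instance can be placed in: a top-level SubnetId,
    a SubnetId on an inline network interface, or the SubnetId of an
    AWS::EC2::NetworkInterface declared in this template and attached by ID."""
    refs: List[Any] = []
    if "SubnetId" in props:
        refs.append(props["SubnetId"])
    for nic in props.get("NetworkInterfaces") or []:
        if "SubnetId" in nic:
            refs.append(nic["SubnetId"])
        eni = resources.get(ref_target(nic.get("NetworkInterfaceId")) or "", {})
        if eni.get("Type") == ENI and "SubnetId" in eni.get("Properties", {}):
            refs.append(eni["Properties"]["SubnetId"])
    return refs


def subnet_in_vpc(resources: Dict[str, Any], subnet_ref: Any) -> bool:
    """False only when the reference resolves to a subnet declared in this
    template without a VpcId.  A subnet not declared here (parameter, imported
    value, literal subnet-... ID) already exists inside some VPC, so this
    example treats it as out of scope rather than as a finding (assumption)."""
    target = ref_target(subnet_ref)
    subnet = resources.get(target) if target else None
    if not subnet or subnet.get("Type") != SUBNET:
        return True
    return "VpcId" in subnet.get("Properties", {})


def find_instances_without_vpc(template: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (logical ID, reason) for every instance that is not bound to a VPC."""
    resources = template.get("Resources", {})
    findings: List[Tuple[str, str]] = []
    for name, res in resources.items():
        if res.get("Type") != INSTANCE:
            continue
        refs = subnet_refs(resources, res.get("Properties", {}))
        if not refs:
            findings.append((name, "no SubnetId or NetworkInterfaces; launches into the default VPC"))
            continue
        for ref in refs:
            if not subnet_in_vpc(resources, ref):
                findings.append((name, f"subnet {ref_target(ref)} has no VpcId"))
    return findings


def scan_json(text: str) -> List[Tuple[str, str]]:
    """Same check for a JSON template held as text."""
    return find_instances_without_vpc(json.loads(text))


# Constructed templates mirroring this page's samples (not the KICS fixtures themselves).
def _subnet(vpc_bound: bool) -> Dict[str, Any]:
    props: Dict[str, Any] = {"CidrBlock": "10.1.10.0/24"}
    if vpc_bound:
        props["VpcId"] = {"Ref": "VPC"}
    return {"Type": SUBNET, "Properties": props}


VPC_RES = {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.1.0.0/16"}}
INSTANCE_IN_SUBNET = {"Type": INSTANCE, "Properties": {"ImageId": "some-ec2-image",
                      "NetworkInterfaces": [{"DeviceIndex": 0, "SubnetId": {"Ref": "PublicSubnetA"}}]}}

POSITIVE_SUBNET_NO_VPC = {"Resources": {"VPC": VPC_RES, "PublicSubnetA": _subnet(False),
                                        "Ec2Instance01": INSTANCE_IN_SUBNET}}
POSITIVE_NO_NETWORK = {"Resources": {"Ec2Instance02": {"Type": INSTANCE,
                                                        "Properties": {"ImageId": "some-ec2-image"}}}}
NEGATIVE = {"Resources": {"VPC": VPC_RES, "PublicSubnetA": _subnet(True),
                          "Ec2Instance": INSTANCE_IN_SUBNET}}
# Beyond the page's samples: an instance attached to a template-declared ENI is resolved through it.
NEGATIVE_VIA_ENI = {"Resources": {"VPC": VPC_RES, "PublicSubnetA": _subnet(True),
                    "Eni": {"Type": ENI, "Properties": {"SubnetId": {"Ref": "PublicSubnetA"}}},
                    "Ec2Instance": {"Type": INSTANCE, "Properties": {"ImageId": "some-ec2-image",
                                    "NetworkInterfaces": [{"DeviceIndex": 0, "NetworkInterfaceId": {"Ref": "Eni"}}]}}}}

if __name__ == "__main__":
    for label, tpl in [("positive: subnet without VpcId", POSITIVE_SUBNET_NO_VPC),
                       ("positive: no network configuration", POSITIVE_NO_NETWORK),
                       ("negative", NEGATIVE), ("negative via ENI", NEGATIVE_VIA_ENI)]:
        print(label, "->", find_instances_without_vpc(tpl))
```

Running the block reports Ec2Instance01 (its subnet has no VpcId) and Ec2Instance02 (no network configuration at all), and nothing for the two negative templates. The second finding is the one worth remembering when reviewing a stack: a template that says nothing about networking is not neutral, it is a launch into the default VPC's default subnet with the default security group.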