EC2 Instance Using Default VPC

  • Query id: e42a3ef0-5325-4667-84bf-075ba1c9d58e
  • Query name: EC2 Instance Using Default VPC
  • Platform: CloudFormation
  • Severity: Low
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

EC2 Instances should not be configured under a default VPC network
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  DefaultVPC:
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      SubnetId: !Ref PublicSubnetA2
  PublicSubnetA2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref DefaultVPC
      CidrBlock: 10.1.10.0/24
      AvailabilityZone: !Select [ 0, !GetAZs ]    # Obtenha o primeiro AZ na lista
      Tags:
          - Key: Name
            Value: !Sub ${AWS::StackName}-Public-A
Positive test num. 2 - json file
{
  "Resources": {
    "DefaultVPC": {
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "KeyName": "testkey",
        "SubnetId": "PublicSubnetA2"
      },
      "Type": "AWS::EC2::Instance"
    },
    "PublicSubnetA2": {
      "Properties": {
        "AvailabilityZone": [
          0,
          ""
        ],
        "CidrBlock": "10.1.10.0/24",
        "Tags": [
          {
            "Key": "Name",
            "Value": "${AWS::StackName}-Public-A"
          }
        ],
        "VpcId": "DefaultVPC"
      },
      "Type": "AWS::EC2::Subnet"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  DefaultVPC:
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      SubnetId: !Ref PublicSubnetA22
  PublicSubnetA22:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.1.10.0/24
      AvailabilityZone: !Select [ 0, !GetAZs ]    # Obtenha o primeiro AZ na lista
      Tags:
          - Key: Name
            Value: !Sub ${AWS::StackName}-Public-A
Negative test num. 2 - json file
{
  "Resources": {
    "DefaultVPC": {
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "KeyName": "testkey",
        "SubnetId": "PublicSubnetA22"
      },
      "Type": "AWS::EC2::Instance"
    },
    "PublicSubnetA22": {
      "Properties": {
        "AvailabilityZone": [
          0,
          ""
        ],
        "CidrBlock": "10.1.10.0/24",
        "Tags": [
          {
            "Key": "Name",
            "Value": "${AWS::StackName}-Public-A"
          }
        ],
        "VpcId": "VPC"
      },
      "Type": "AWS::EC2::Subnet"
    }
  }
}