
Create App-Tier VPC Subnets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that at least two subnets in two different Availability Zones (AZs) are created for your app tier. Each app-tier subnet must reside entirely within one Availability Zone and cannot span multiple zones. Amazon Availability Zones are distinct locations that are engineered to be isolated from failures that occur in other zones. By launching EC2 instances in separate subnets (and therefore separate AZs), you can protect your applications from the failure of a single location. This conformity rule assumes that all AWS resources provisioned for your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be defined in the rule settings on your Cloud Conformity account dashboard.

Security

To achieve fault tolerance and high availability for your web-tier deployment, make sure that at least two subnets in two different Availability Zones are created within your web tier.

Note: Ensure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.


Audit

To determine if there are at least two web-tier subnets available within your VPC, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create Web-Tier VPC Subnets conformity rule settings and identify the tag set defined for all AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

04 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, click Subnets.

06 Select the VPC subnet that you want to examine.

07 Select the Tags tab from the dashboard bottom panel.

08 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <web_tier_tag>:<web_tier_tag_value>). If these two tag sets do not match, or the verified VPC resource is not tagged at all, the selected subnet is not a component of your web tier.

09 Repeat steps no. 6 – 8 to check the other subnets available within the selected VPC for web-tier tags. If none of the verified VPC subnets were tagged with <web_tier_tag>:<web_tier_tag_value>, there are no VPC subnets created for your web tier in the selected region.

10 Change the AWS region from the navigation bar and repeat steps no. 4 – 9 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create Web-Tier VPC Subnets conformity rule settings and identify the tag set defined for all AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-subnets command (OSX/Linux/UNIX) to list the IDs of the subnets associated with your web tier, available in the selected VPC, created within the US East (N. Virginia) region:

aws ec2 describe-subnets \
    --region us-east-1 \
    --filters Name=tag:<web_tier_tag>,Values=<web_tier_tag_value> Name=vpc-id,Values=vpc-abcd1234 \
    --query "Subnets[*].SubnetId"

03 The command output should return the requested web-tier subnet IDs:

[]

If describe-subnets command output returns an empty array (i.e. []), as shown in the example above, there are no VPC subnets created for your web tier in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 and 3 to check for VPC web-tier subnets within other regions.
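The describe-subnets check above only tells you whether any tagged subnets exist; the rule itself also requires them to be spread over at least two Availability Zones. The following added example (not part of the original rule page or of Conformity's own engine) applies the full rule to describe-subnets JSON. The sample output, the VPC ID and the tier tag tier:app are constructed stand-ins for your own <web_tier_tag>:<web_tier_tag_value> values.

```python
"""Evaluate the tier-subnet rule against `aws ec2 describe-subnets` JSON output."""
import json

# Constructed sample of describe-subnets output (not captured from a real account).
# Two subnets carry the tier tag but share one AZ; the third subnet is untagged.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-aaaabbbb", "VpcId": "vpc-abcd1234", "AvailabilityZone": "us-east-1a",
         "CidrBlock": "10.0.1.0/24", "Tags": [{"Key": "tier", "Value": "app"}]},
        {"SubnetId": "subnet-ccccdddd", "VpcId": "vpc-abcd1234", "AvailabilityZone": "us-east-1a",
         "CidrBlock": "10.0.2.0/24", "Tags": [{"Key": "tier", "Value": "app"}]},
        {"SubnetId": "subnet-eeeeffff", "VpcId": "vpc-abcd1234", "AvailabilityZone": "us-east-1b",
         "CidrBlock": "10.0.3.0/24"},
    ]
})


def tier_subnets(describe_output, vpc_id, tag_key, tag_value):
    """Return the subnets of vpc_id tagged tag_key:tag_value (the rule's tier filter)."""
    subnets = json.loads(describe_output)["Subnets"]
    return [
        s for s in subnets
        if s.get("VpcId") == vpc_id
        and any(t["Key"] == tag_key and t["Value"] == tag_value for t in s.get("Tags", []))
    ]


def evaluate_rule(describe_output, vpc_id, tag_key, tag_value):
    """Apply the rule: at least two tier subnets spread over at least two distinct AZs."""
    matched = tier_subnets(describe_output, vpc_id, tag_key, tag_value)
    azs = sorted({s["AvailabilityZone"] for s in matched})
    return {
        "compliant": len(matched) >= 2 and len(azs) >= 2,
        "subnet_ids": [s["SubnetId"] for s in matched],
        "availability_zones": azs,
    }


if __name__ == "__main__":
    # With the sample above this reports non-compliance: two subnets, but only one AZ.
    print(json.dumps(evaluate_rule(SAMPLE_DESCRIBE_SUBNETS, "vpc-abcd1234", "tier", "app"), indent=2))
```

Feed it the real output of `aws ec2 describe-subnets --region <region> --filters Name=vpc-id,Values=<vpc-id>` (the tag filter is applied inside the function) to evaluate one VPC per region.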

Remediation / Resolution

To create VPC subnets for your web tier (at least two subnets in different AZs), perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create Web-Tier VPC Subnets conformity rule settings and copy the tags defined for the AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

04 Select the Virtual Private Cloud where you want to deploy your new web-tier subnets from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, click Subnets.

06 Click Create Subnet button from the dashboard top menu to initiate the subnet setup process.

07 Inside Create Subnet dialog box, perform the following:

  1. Select the ID of the current VPC from the VPC dropdown list.
  2. Select the Availability Zone (AZ) where the new web-tier subnet will reside from the Availability Zone dropdown list.
  3. Enter the CIDR block (e.g. 10.0.0.0/24) for the new subnet in the IPv4 CIDR block box. The CIDR block of the subnet shouldn't be the same as the CIDR block for the VPC, listed in the VPC CIDRs section, but needs to be within the CIDR ranges of the selected VPC. The allowed block size must be between a /16 netmask and a /28 netmask. Since you need to create more than one subnet, make sure that the CIDR blocks of the new subnets do not overlap.
  4. Click Yes, Create to generate your new web-tier subnet.

08 Choose the newly created web-tier subnet and select the Tags tab from the dashboard bottom panel.

09 On the Tags panel, click Edit button to add the tags that will help organize the identity of the selected subnet within the web tier. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and ensure that the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources, copied at step no. 1. Once your tags are defined, click Save to apply the changes.

10 Repeat steps no. 6 – 9 to create more web-tier subnets (at least one more in a different AZ), inside the selected Virtual Private Cloud (VPC).

11 If required, change the AWS region from the navigation bar and repeat steps no. 4 – 8 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create Web-Tier VPC Subnets conformity rule settings and copy the tags defined for the AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run create-subnet command (OSX/Linux/UNIX) to create a new web-tier subnet within the selected VPC (see Audit section part II to identify the right resource). The following command example creates a web-tier subnet with a CIDR block set to "10.0.1.0/24", inside an AWS VPC identified by the ID "vpc-abcd1234", available in the US East (N. Virginia) region:

aws ec2 create-subnet \
    --region us-east-1 \
    --availability-zone us-east-1a \
    --vpc-id vpc-abcd1234 \
    --cidr-block 10.0.1.0/24

03 The command output should return the new VPC subnet metadata:

{
    "Subnet": {
        "AvailabilityZone": "us-east-1a",
        "AvailableIpAddressCount": 251,
        "DefaultForAz": false,
        "Ipv6CidrBlockAssociationSet": [],
        "VpcId": "vpc-abcd1234",
        "State": "pending",
        "MapPublicIpOnLaunch": false,
        "SubnetId": "subnet-aaaabbbb",
        "CidrBlock": "10.0.1.0/24",
        "AssignIpv6AddressOnCreation": false
    }
}

04 Run create-tags command (OSX/Linux/UNIX) using the ID of the newly created web-tier subnet as identifier to create tags for managing the identity of the new resource. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources, copied at step no. 1. Replace <web_tier_tag> and <web_tier_tag_value> with your own values (the command does not produce an output):

aws ec2 create-tags \
    --region us-east-1 \
    --resources subnet-aaaabbbb \
    --tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

05 Repeat steps no. 2 – 4 to create more web-tier subnets (at least one more in a different AZ), inside the selected Virtual Private Cloud (VPC).

06 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 for other regions.
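Before running create-subnet for each additional subnet, it is worth validating the CIDR blocks against the constraints stated in remediation step 07 (inside the VPC CIDR, not equal to it, between /16 and /28, and not overlapping each other). This added example (not part of the original rule page) does that with the standard library; the VPC CIDR and the existing subnet CIDR are constructed values matching the "10.0.1.0/24" subnet created above.

```python
"""Validate candidate subnet CIDRs against the constraints from the remediation steps."""
import ipaddress

# Constructed values (not from a real account): the VPC CIDR and the subnet already created.
VPC_CIDR = "10.0.0.0/16"
EXISTING_SUBNET_CIDRS = ["10.0.1.0/24"]


def subnet_cidr_problems(candidate, vpc_cidr=VPC_CIDR, existing=EXISTING_SUBNET_CIDRS):
    """Return the reasons the candidate CIDR cannot be used; an empty list means it is usable.

    Encodes remediation step 07: the block must lie inside the VPC CIDR, must not equal
    the VPC CIDR itself, must be between /16 and /28, and must not overlap any subnet
    already carved out of the VPC."""
    problems = []
    net = ipaddress.ip_network(candidate, strict=True)  # strict=True rejects host bits set
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed /16-/28 range")
    if not net.subnet_of(vpc):
        problems.append(f"{net} is not within VPC CIDR {vpc}")
    elif net == vpc:
        problems.append("subnet CIDR must not equal the VPC CIDR")
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other, strict=True)):
            problems.append(f"overlaps existing subnet {other}")
    return problems


def plan_tier_subnets(candidates, vpc_cidr=VPC_CIDR, existing=EXISTING_SUBNET_CIDRS):
    """Validate a whole set of new subnets, also checking the candidates against each other."""
    report = {}
    taken = list(existing)
    for cidr in candidates:
        report[cidr] = subnet_cidr_problems(cidr, vpc_cidr, taken)
        if not report[cidr]:
            taken.append(cidr)  # later candidates must not overlap an accepted earlier one
    return report


if __name__ == "__main__":
    # Second candidate overlaps the first; the third is accepted as a second-AZ subnet.
    for cidr, issues in plan_tier_subnets(["10.0.2.0/24", "10.0.2.128/25", "10.0.3.0/24"]).items():
        print(cidr, "OK" if not issues else "; ".join(issues))
```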


Publication date May 5, 2018