Ensure that at least two subnets in two different Availability Zones (AZs) are created for your app tier. Each app-tier subnet must reside entirely within one Availability Zone and cannot span multiple zones. Amazon Availability Zones are distinct locations that are engineered to be isolated from failures occurred in other zones. By launching EC2 instances in separate subnets (separate AZs), you can protect your applications from the failure of a single location. This conformity rule assumes that all AWS resources provisioned for your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be defined in the rule settings, on your Cloud Conformity account dashboard.
To achieve fault tolerance and high availability from the perspective of web-tier resource deployment, make sure that at least two subnets in two different Availability Zones are created within your web tier.
Note: Ensure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
Audit
To determine if there are at least two web-tier subnets available within your VPC, perform the following actions:
Remediation / Resolution
To create VPC subnets for your web tier (at least two subnets in different AZs), perform the following actions:
References
- AWS Documentation
- What Is Amazon VPC?
- VPCs and Subnets
- Working with VPCs and Subnets
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-subnets
- create-subnet
- create-tags