Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Create Data-Tier VPC Subnets

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that at least two subnets in two different Availability Zones (AZs) are created for your data tier. Each data-tier subnet must be located entirely in one Availability Zone and cannot span multiple zones. Availability Zones are distinct locations that are engineered to be isolated from failures occurred in other zones. By launching EC2 instances in separate AZs (separate subnets), you can protect your databases from the single point of failure. This conformity rule assumes that all AWS resources created in your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> represents the tag name and <data_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the data-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

Security

To reach fault tolerance and high availability from the perspective of database deployment, make sure that at least two subnets in two different Availability Zones are created within your data tier.

Note: Ensure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the data tier.

Audit

To determine if there are at least two data-tier subnets available in your VPC, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create Data-Tier VPC Subnets conformity rule settings and identify the tag set configured for all AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

04 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, click Subnets.

06 Select the VPC subnet that you want to examine.

07 Select the Tags tab from the dashboard bottom panel.

08 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <data_tier_tag>:<data_tier_tag_value>). If these two tag sets do not match, or the verified VPC resource is not tagged at all, the selected subnet is not a component of your data tier.

09 Repeat steps no. 6 – 8 to check the other subnets available within the selected VPC for data-tier tags. If none of the verified VPC subnets were tagged with <data_tier_tag>:<data_tier_tag_value>, there are no VPC subnets created for your data tier in the selected region.

10 Change the AWS region from the navigation bar and repeat steps no. 4 – 9 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create Data-Tier VPC Subnets conformity rule settings and identify the tag set defined for the AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run describe-subnets command (OSX/Linux/UNIX) to list the IDs of the subnets associated with your data tier, available in the selected VPC, created within US East (N. Virginia) region: 

aws ec2 describe-subnets
	--region us-east-1
	--filters Name=tag:<data_tier_tag>,Values=<data_tier_tag_value> Name=vpc-id,Values=vpc-12345678
	--query "Subnets[*].SubnetId"

03 The command output should return the requested data-tier subnet IDs: 

[]

If describe-subnets command output returns an empty array (i.e. []), as shown in the example above, there are no VPC subnets created for your data tier in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 to check for VPC data-tier subnets in other regions.

Remediation / Resolution

To create VPC subnets for your data tier (at least two subnets in different AZs), perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create Data-Tier VPC Subnets conformity rule settings and copy the tags configured for the AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

04 Select the Virtual Private Cloud where you want to deploy your new data-tier subnets from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, click Subnets.

06 Click Create Subnet button from the dashboard top menu to start the setup process.

07 Inside Create Subnet dialog box, perform the following:

  1. Select the ID of the current VPC from the VPC dropdown list.
  2. Select the Availability Zone (AZ) where the new subnet will be provisioned from the Availability Zone dropdown list.
  3. Enter the CIDR block (e.g. 10.0.20.0/24) for the new subnet in the IPv4 CIDR block box. The CIDR block of the subnet shouldn't be the same as the CIDR block for the VPC, listed in the VPC CIDRs section, however, this needs to be within the CIDR ranges of the selected VPC. The allowed block size must be between a /16 netmask and a /28 netmask. Since you need to create more than one subnet, make sure that the CIDR blocks of the new subnets do not overlap.
  4. Click Yes, Create to create your new data-tier subnet.

08 Choose the newly created data-tier subnet and select the Tags tab from the dashboard bottom panel.

09 On the Tags panel, click Edit button to add the tags that will help organize the identity of the selected subnet within your data tier. Use the following format when you define your own tag set: <data_tier_tag>:<data_tier_tag_value> and ensure that the tag name (<data_tier_tag>) and the tag value (<data_tier_tag_value>) match the tag set copied at step no. 1. Once your tags are created, click Save to apply the changes.

10 Repeat steps no. 6 – 9 to create more data-tier subnets (at least one more in a different AZ), inside the selected Virtual Private Cloud (VPC).

11 If required, change the AWS region from the navigation bar and repeat steps no. 4 – 8 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create Data-Tier VPC Subnets conformity rule settings and copy the tags defined for the AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run create-subnet command (OSX/Linux/UNIX) to create a new data-tier subnet within the selected VPC (see Audit section part II to identify the right AWS resource). The following command example creates a data-tier subnet with a CIDR block set to "10.0.20.0/24", inside an AWS VPC identified by the ID "vpc-12345678", available in the US East (N. Virginia) region: 

aws ec2 create-subnet
	--region us-east-1
	--availability-zone us-east-1a
	--vpc-id vpc-abcd1234
	--cidr-block 10.0.1.0/24

03 The command output should return the new subnet metadata: 

{
    "Subnet": {
        "AvailabilityZone": "us-east-1b",
        "AvailableIpAddressCount": 251,
        "DefaultForAz": false,
        "Ipv6CidrBlockAssociationSet": [],
        "VpcId": "vpc-12345678",
        "State": "pending",
        "MapPublicIpOnLaunch": false,
        "SubnetId": "subnet-ccccdddd",
        "CidrBlock": "10.0.20.0/24",
        "AssignIpv6AddressOnCreation": false
    }
}

04 Run create-tags command (OSX/Linux/UNIX) using the ID of the newly created data-tier subnet as identifier to create tags for managing the identity of the new VPC resource. Use the following format when you define your own tag set: <data_tier_tag>:<data_tier_tag_value> and make sure the tag name (<data_tier_tag>) and the tag value (<data_tier_tag_value>) match the tag set used to organize your data-tier resources, copied at step no. 1. Replace <data_tier_tag> and <data_tier_tag_value> with your own tags (the command does not produce an output): 

aws ec2 create-tags
	--region us-east-1
	--resources subnet-ccccdddd
	--tags Key=<data_tier_tag>,Value=<data_tier_tag_value>

05 Repeat steps no. 2 – 4 to create more data-tier subnets (at least one more in a different AZ), inside the selected Amazon VPC.

06 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 for other regions.

References

Publication date May 5, 2018

Related VPC rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Create Data-Tier VPC Subnets

Risk Level: Medium