Create Route Table for Private Subnets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that a custom route table is created and associated with your private subnets in order to control the subnets' routing. A route table contains a set of routes that are used to determine where network traffic is directed. Apart from the local route that AWS adds for the VPC CIDR block, the custom route table associated with private subnets should contain only the default route (0.0.0.0/0) pointing to an AWS NAT Gateway, so that instances in those subnets can reach the Internet for updates and API calls without being reachable from it (a default route to an Internet Gateway would make the subnet public). A subnet can be associated with only one route table at a time, but multiple private subnets can share the same route table; a subnet with no explicit association implicitly uses the VPC's main route table. This conformity rule assumes that the private subnets created for specific tiers within your VPC are tagged with <web_tier_tag>:<web_tier_tag_value> for the web tier, <app_tier_tag>:<app_tier_tag_value> for the app tier and <data_tier_tag>:<data_tier_tag_value> for the data tier, where <web/app/data_tier_tag> is the tag name and <web/app/data_tier_tag_value> is the tag value. Before this rule is run by the Cloud Conformity engine, the web/app/data tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

Security

To control the routing for your private subnets you need to create custom route tables. Once these VPC resources are created, all the subnets that should be private within the web, app and data tiers can be explicitly associated with the new route tables, instead of silently inheriting the VPC's main route table.

Note: Ensure that you replace all <web_tier_tag>:<web_tier_tag_value>, <app_tier_tag>:<app_tier_tag_value> and <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value.


Audit

To determine if the private subnets created for your web, app and data tiers are associated with custom route tables, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create Route Table for Private Subnets conformity rule settings and identify the tag sets defined for the subnets available within your web, app and data tiers (e.g. <web_tier_tag>:<web_tier_tag_value>, <app_tier_tag>:<app_tier_tag_value> and <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

04 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, click Subnets.

06 Select the VPC subnet that you want to examine.

07 Select the Tags tab from the dashboard bottom panel.

08 On the Tags panel, search for the tag sets identified at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value> for web tier, <app_tier_tag>:<app_tier_tag_value> for app tier and <data_tier_tag>:<data_tier_tag_value> for data tier). If the tag set defined for each tier does not match with the one applied to the selected resource, or the verified resource is not tagged at all, the verified VPC subnet is not a web/app/data private subnet and the audit process ends here. If the tag sets match, the selected resource is a private subnet within the web, app or data tier and the audit process continues with the next step.

09 Select the Summary tab from the dashboard bottom panel.

10 Click on the Route table configuration attribute value (link) to access the subnet route table. If the link points to the VPC's main route table, the subnet has no explicit association and is not yet using a custom route table.

11 Select the associated route table and choose the Routes tab from the dashboard bottom panel. Check the existing routes to determine if they contain the default route (i.e. the route with the Destination attribute set to 0.0.0.0/0) with its Target set to an AWS NAT Gateway (e.g. nat-01234567890abcabc). If there is no such route, or the default route targets an Internet Gateway (igw-...) instead, the selected web/app/data private subnet is not currently associated with a custom private route table.

12 Repeat steps no. 6 – 11 to check the other private subnets available within the web, app or data tiers for custom route tables. If none of the verified VPC subnets are associated with a route table that has a route over a NAT gateway (the destination is 0.0.0.0/0 and the target is the VPC’s NAT Gateway), there is no custom route table created for your web/app/data private subnets in the selected region.

13 Change the AWS region from the navigation bar and repeat steps no. 4 – 12 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create Route Table for Private Subnets conformity rule settings and identify the tag sets defined for the subnets available within your web, app and data tiers (e.g. <web_tier_tag>:<web_tier_tag_value>, <app_tier_tag>:<app_tier_tag_value> and <data_tier_tag>:<data_tier_tag_value>).

02 Run describe-subnets command (OSX/Linux/UNIX) to list the IDs of the private subnets available in one tier, created within the US East (N. Virginia) region. Multiple --filters entries are ANDed, so filtering on all three tier tags in one command would only match subnets carrying all three tags; run the command once per tier (the example below targets the web tier), or, when the three tiers share the same tag key, list all tier values in a single tag filter (values within one filter are ORed):

aws ec2 describe-subnets
	--region us-east-1
	--filters Name=tag:<web_tier_tag>,Values=<web_tier_tag_value> Name=vpc-id,Values=vpc-1234abcd
	--query "Subnets[*].SubnetId"

03 The command output should return the subnet IDs for the selected tier. Repeating the command for the app and data tiers gives you the full list of web, app and data-tier subnet IDs, e.g.:

[
    "subnet-aaaabbbb",
    "subnet-bbbbcccc",
    "subnet-ccccdddd"
]

04 Run describe-route-tables command (OSX/Linux/UNIX) to describe the routes configured for the route tables explicitly associated with the web, app and data private subnets returned at the previous step, available in the selected AWS region:

aws ec2 describe-route-tables
	--region us-east-1
	--filters Name=association.subnet-id,Values=subnet-aaaabbbb,subnet-bbbbcccc,subnet-ccccdddd
	--query "RouteTables[*].{RouteTableId:RouteTableId, Routes:Routes, Associations:Associations}"

05 The command output should return the existing route(s) and subnet association(s) for each matching route table:

[
    {
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.15.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            }
        ],
        "RouteTableId": "rtb-abcd1234"
    }
]

Check the routes returned by the describe-route-tables command output to determine if they contain a route with the "DestinationCidrBlock" attribute set to "0.0.0.0/0" and the "NatGatewayId" attribute set to an AWS NAT Gateway (e.g. "nat-01234567890abcabc"); a NAT Gateway target is reported under "NatGatewayId", not "GatewayId" (which is used for "local" and for Internet Gateways such as "igw-..."). Note that the association.subnet-id filter only matches explicit associations: a subnet ID from step no. 2 that does not appear in any "Associations" entry has no custom route table and is implicitly using the VPC's main route table. If the output does not return such a NAT Gateway route for a subnet, or the subnet is missing from the output altogether, there is no custom route table created for that web/app/data private subnet in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 for other regions.

Remediation / Resolution

To create a custom route table and associate it with your web/app/data private subnets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud that contains your web/app/data private subnets from the Select a VPC dropdown menu.

04 In the navigation panel, under Virtual Private Cloud, click Route Tables.

05 Click Create Route Table button from the dashboard top menu to initiate the table setup process.

06 Inside Create Route Table dialog box, provide a name for your route table in the Name tag box then select your VPC ID from VPC dropdown list. Once set, click Yes, Create to create your new custom route table.

07 Choose the newly created route table and select the Routes tab from the dashboard bottom panel.

08 On the Routes panel, choose Edit then click the Add another rule button to add a new route.

09 Type 0.0.0.0/0 in the Destination box then click inside the Target box and select the ID of the NAT gateway configured for the current Virtual Private Cloud (VPC).

10 Click Save to create the route and apply the changes to the route table. The new route matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the VPC’s NAT gateway.

11 Select Subnet Associations tab from the dashboard bottom panel and click Edit.

12 Choose your web, app and data tier private subnets by selecting the checkbox of each subnet that you want to associate with the route table created and configured at the previous steps.

13 Click Save to apply the changes. The new route table is now associated with your private subnets.

14 If required, change the AWS region from the navigation bar and repeat steps no. 3 – 13 for other regions.

Using AWS CLI

01 Run create-route-table command (OSX/Linux/UNIX) to create the required route table for your web, app and data tier private subnets. The following command example creates a custom route table, inside an AWS VPC identified by the ID "vpc-1234abcd", available in the US East (N. Virginia) region:

aws ec2 create-route-table 
	--region us-east-1 
	--vpc-id vpc-1234abcd

02 The command output should return the new route table metadata:

{
    "RouteTable": {
        "Associations": [],
        "RouteTableId": "rtb-aabbccdd",
        "VpcId": "vpc-1234abcd",
        "PropagatingVgws": [],
        "Tags": [],
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.31.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            }
        ]
    }
}

03 Run create-route command (OSX/Linux/UNIX) using the ID of the newly created route table listed at the previous step as identifier to create a new route that matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the specified NAT gateway:

aws ec2 create-route
	--region us-east-1
	--route-table-id rtb-aabbccdd
	--destination-cidr-block 0.0.0.0/0
	--nat-gateway-id nat-01234567890abcabc

04 The command output should return true if the request succeeds, otherwise, it should return an error:

{
    "Return": true
}

05 Run associate-route-table command (OSX/Linux/UNIX) to associate the new route table with your web/app/data tier private subnets. The subnets and the route table must be in the same Virtual Private Cloud. The association causes traffic originating from the specified subnets to be routed according to the routes defined at the previous steps. The route table can be associated with multiple subnets, so replace the --subnet-id parameter value and run the command once for each web/app/data private subnet available within the selected region. If a subnet is already explicitly associated with another route table, this command fails; in that case use replace-route-table-association with the existing association ID (visible in the describe-route-tables output) and the new --route-table-id instead:

aws ec2 associate-route-table
	--region us-east-1
	--route-table-id rtb-aabbccdd
	--subnet-id subnet-bbbbcccc

06 The command output should return the association ID:

{
    "AssociationId": "rtbassoc-1234abcd"
}

07 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 for other regions.
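The Audit and Remediation procedures above are manual. The following added example, which is not part of the original page or of the Conformity product, applies the same check programmatically to the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` produce for a VPC, and emits the remediation commands from the Remediation steps for each failing subnet. The tag key "Tier" with values "web", "app" and "data", the VPC/subnet/route table IDs and the JSON documents are all constructed sample data; on a real account, save the two CLI outputs (with `--output json`) and load them instead. The example goes slightly beyond the page's check by also catching a subnet whose default route points to an Internet Gateway, which means it is effectively public despite its private-tier tag.

```python
import json

# Assumed tag sets; on a real account use the ones configured in the rule settings.
TIER_TAGS = {"web": ("Tier", "web"), "app": ("Tier", "app"), "data": ("Tier", "data")}

# Constructed sample output (trimmed to the fields used) of
#   aws ec2 describe-subnets --region us-east-1 --filters Name=vpc-id,Values=vpc-1234abcd --output json
SUBNETS_JSON = """{"Subnets": [
 {"SubnetId": "subnet-aaaabbbb", "VpcId": "vpc-1234abcd", "Tags": [{"Key": "Tier", "Value": "web"}]},
 {"SubnetId": "subnet-bbbbcccc", "VpcId": "vpc-1234abcd", "Tags": [{"Key": "Tier", "Value": "app"}]},
 {"SubnetId": "subnet-ccccdddd", "VpcId": "vpc-1234abcd", "Tags": [{"Key": "Tier", "Value": "data"}]},
 {"SubnetId": "subnet-ddddeeee", "VpcId": "vpc-1234abcd", "Tags": [{"Key": "Tier", "Value": "web"}]},
 {"SubnetId": "subnet-eeeeffff", "VpcId": "vpc-1234abcd", "Tags": [{"Key": "Name", "Value": "bastion"}]}
]}"""

# Constructed sample output (trimmed) of
#   aws ec2 describe-route-tables --region us-east-1 --filters Name=vpc-id,Values=vpc-1234abcd --output json
ROUTE_TABLES_JSON = """{"RouteTables": [
 {"RouteTableId": "rtb-main0000", "VpcId": "vpc-1234abcd",
  "Associations": [{"Main": true, "RouteTableId": "rtb-main0000"}],
  "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f6a7b8", "State": "active"}]},
 {"RouteTableId": "rtb-aabbccdd", "VpcId": "vpc-1234abcd",
  "Associations": [{"Main": false, "SubnetId": "subnet-aaaabbbb"}],
  "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-01234567890abcabc", "State": "active"}]},
 {"RouteTableId": "rtb-11112222", "VpcId": "vpc-1234abcd",
  "Associations": [{"Main": false, "SubnetId": "subnet-bbbbcccc"}],
  "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"}]},
 {"RouteTableId": "rtb-33334444", "VpcId": "vpc-1234abcd",
  "Associations": [{"Main": false, "SubnetId": "subnet-ddddeeee"}],
  "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f6a7b8", "State": "active"}]}
]}"""


def tier_of(subnet, tier_tags=TIER_TAGS):
    """Return the tier whose tag set is present on the subnet, or None if it is not a tiered subnet."""
    tags = {t["Key"]: t["Value"] for t in subnet.get("Tags", [])}
    return next((tier for tier, (key, value) in tier_tags.items() if tags.get(key) == value), None)


def index_route_tables(route_tables):
    """Map subnet ID -> explicitly associated table, and VPC ID -> the VPC's main table."""
    explicit, main = {}, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main[rt["VpcId"]] = rt
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = rt
    return explicit, main


def default_route_target(rt):
    """Return (attribute, target ID) of the active 0.0.0.0/0 route, or None when there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            for attr in ("NatGatewayId", "GatewayId", "TransitGatewayId", "NetworkInterfaceId", "InstanceId"):
                if route.get(attr):
                    return attr, route[attr]
    return None


def evaluate(subnets_doc, route_tables_doc, region="us-east-1", tier_tags=TIER_TAGS):
    """Return {subnet_id: (tier, status, remediation command or None)} for every tiered subnet."""
    explicit, main = index_route_tables(route_tables_doc["RouteTables"])
    findings = {}
    for subnet in subnets_doc["Subnets"]:
        tier = tier_of(subnet, tier_tags)
        if tier is None:
            continue  # untagged subnets are out of the rule's scope
        sid = subnet["SubnetId"]
        rt = explicit.get(sid)
        if rt is None:
            # No explicit association: the subnet silently uses the VPC main table,
            # so it is not governed by a custom route table at all.
            status = "NOT_EXPLICITLY_ASSOCIATED"
            fix = f"aws ec2 associate-route-table --region {region} --route-table-id <custom-rtb-id> --subnet-id {sid}"
        else:
            target = default_route_target(rt)
            if target is None:
                status = "NO_DEFAULT_ROUTE"
                fix = (f"aws ec2 create-route --region {region} --route-table-id {rt['RouteTableId']} "
                       f"--destination-cidr-block 0.0.0.0/0 --nat-gateway-id <nat-gateway-id>")
            elif target[0] == "NatGatewayId":
                status, fix = "COMPLIANT", None
            elif target[1].startswith("igw-"):
                # An Internet Gateway default route makes this a public subnet. Do not
                # auto-replace the route (something may depend on it); flag for review.
                status, fix = "DEFAULT_ROUTE_VIA_IGW", None
            else:
                status, fix = f"DEFAULT_ROUTE_VIA_{target[0]}", None
        findings[sid] = (tier, status, fix)
    return findings


def run_sample():
    """Evaluate the constructed sample documents above."""
    return evaluate(json.loads(SUBNETS_JSON), json.loads(ROUTE_TABLES_JSON))


if __name__ == "__main__":
    for sid, (tier, status, fix) in run_sample().items():
        print(f"{sid} [{tier}] {status}" + (f"\n    {fix}" if fix else ""))
```

In the sample, subnet-aaaabbbb is compliant, subnet-bbbbcccc has a custom table without a default route (create-route is emitted for it), subnet-ccccdddd has no explicit association and falls back to the main table (associate-route-table is emitted, with the custom table ID left for you to fill in after create-route-table), and subnet-ddddeeee is tagged as a private web-tier subnet but routes 0.0.0.0/0 to an Internet Gateway, which the main-table-only check in the original procedure would not surface as a public exposure.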

Publication date Apr 17, 2018