Create Route Table for Public Subnets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that a custom route table is created and associated with your VPC public subnets in order to control the routing for these subnets. A route table contains a set of rules (also known as routes) that are used to determine where network traffic is directed. The custom route table associated with public subnets should contain just the default route (i.e. 0.0.0.0/0) pointing to an Internet Gateway (IGW). A public subnet can only be associated with one route table at a time. This conformity rule assumes that all public subnets available within your VPC are tagged with <public_tier_tag><public_tier_tag_value>, where <public_tier_tag> represents the tag name and <public_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the public-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

Security

To control the routing for your VPC public subnets you need to create custom route tables. Once these are created, all the subnets which should be public can be explicitly associated with the new route tables.

Note: Ensure that you replace all <public_tier_tag><public_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the public subnets.


Audit

To determine if the public subnets within your VPC are associated with custom route tables, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create Route Table for Public Subnets conformity rule settings and identify the tag set defined for all the subnets available in your public tier (e.g. <public_tier_tag><public_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

04 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, click Subnets.

06 Select the VPC subnet that you want to examine.

07 Select the Tags tab from the dashboard bottom panel.

08 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <public_tier_tag><public_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged at all, the selected VPC subnet is not a public subnet and the audit process ends here. If the tag sets match, the selected resource is a public subnet and the audit process continues with the next step.

09 Select the Summary tab from the dashboard bottom panel.

10 Click on the Route table configuration attribute value (link) to access the route table configured for the selected subnet.

11 Select the associated route table and choose the Routes tab from the dashboard bottom panel. Check the existing routes to determine if these contain the default route (i.e. the route with Destination set to 0.0.0.0/0) pointing to an AWS Internet Gateway (e.g. igw-12345678). If there is no such route available, the selected VPC public subnet is not currently associated with a custom route table.

12 Repeat steps no. 6 – 11 to check the other public subnets available within the selected VPC for custom route tables. If none of the verified VPC subnets are associated with a route table that has a route over the Internet Gateway (the destination is 0.0.0.0/0 and the target is the VPC’s Internet gateway), there is no custom route table created for your public subnets in the selected region.

13 Change the AWS region from the navigation bar and repeat steps no. 4 – 12 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create Route Table for Public Subnets conformity rule settings and identify the tag set defined for all the subnets available in your public tier (e.g. <public_tier_tag><public_tier_tag_value>).

02 Run describe-subnets command (OSX/Linux/UNIX) to list the IDs of the public subnets, available in the selected VPC, created within US East (N. Virginia) region:

aws ec2 describe-subnets \
	--region us-east-1 \
	--filters Name=tag:<public_tier_tag>,Values=<public_tier_tag_value> Name=vpc-id,Values=vpc-abcd1234 \
	--query "Subnets[*].SubnetId"

03 The command output should return the requested public-tier subnet IDs:

[
    "subnet-aaaabbbb",
    "subnet-bbbbcccc"
]

04 Run describe-route-tables command (OSX/Linux/UNIX) to describe the routes configured for the route tables associated with the public subnets returned at the previous step, available in the selected AWS region:

aws ec2 describe-route-tables \
	--region us-east-1 \
	--filters Name=association.subnet-id,Values=subnet-aaaabbbb,subnet-bbbbcccc \
	--query "RouteTables[*].{RouteTableId:RouteTableId, Routes:Routes}"

05 The command output should return the existing route(s) for the selected route table:

[
    {
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.31.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            }
        ],
        "RouteTableId": "rtb-1234abcd"
    }
]

Check the routes returned by the describe-route-tables command output to determine if these contain a route with the "DestinationCidrBlock" attribute set to "0.0.0.0/0" and the "GatewayId" set to an AWS Internet Gateway (e.g. "igw-12345678"). If the command output does not describe such a route, there is no custom route table created for your public subnets in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 for other regions.
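The check performed in steps 02 to 05 above, written as an added example (this is not Cloud Conformity's own rule engine code): it takes the public-tier subnet IDs from the describe-subnets call and the describe-route-tables JSON, resolves which route table each subnet actually uses, and flags subnets that lack a custom table with a 0.0.0.0/0 route to an Internet Gateway. It goes slightly beyond the CLI steps by also handling subnets with no explicit association, which silently use the VPC main route table and would not be returned by the association.subnet-id filter. All IDs and JSON below are constructed sample data.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output (not real AWS
# data): rtb-1234abcd carries the IGW default route, rtb-5678efgh only the local route,
# and rtb-main0000 is the VPC main table used by subnets with no explicit association.
ROUTE_TABLES_JSON = """[
 {"RouteTableId": "rtb-1234abcd", "Associations": [{"SubnetId": "subnet-aaaabbbb", "Main": false}],
  "Routes": [{"GatewayId": "local", "DestinationCidrBlock": "172.31.0.0/16", "State": "active"},
             {"GatewayId": "igw-12345678", "DestinationCidrBlock": "0.0.0.0/0", "State": "active"}]},
 {"RouteTableId": "rtb-5678efgh", "Associations": [{"SubnetId": "subnet-bbbbcccc", "Main": false}],
  "Routes": [{"GatewayId": "local", "DestinationCidrBlock": "172.31.0.0/16", "State": "active"}]},
 {"RouteTableId": "rtb-main0000", "Associations": [{"Main": true}],
  "Routes": [{"GatewayId": "local", "DestinationCidrBlock": "172.31.0.0/16", "State": "active"}]}
]"""

# Constructed public-tier subnet IDs, as the tag-filtered describe-subnets call would return.
PUBLIC_SUBNETS = ["subnet-aaaabbbb", "subnet-bbbbcccc", "subnet-ccccdddd"]

def has_igw_default_route(table):
    # An active 0.0.0.0/0 route whose target is an Internet Gateway (igw-...)
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and str(r.get("GatewayId", "")).startswith("igw-")
        and r.get("State") == "active"
        for r in table.get("Routes", [])
    )

def audit_public_subnets(public_subnet_ids, route_tables):
    # Accepts the raw CLI JSON text or the already parsed list of route tables
    if isinstance(route_tables, str):
        route_tables = json.loads(route_tables)
    # Resolve the table each subnet really uses: explicit association first, otherwise the
    # VPC main table. Filtering only by association.subnet-id would silently skip the latter.
    by_subnet, main_table = {}, None
    for t in route_tables:
        for a in t.get("Associations", []):
            if a.get("Main"):
                main_table = t
            elif "SubnetId" in a:
                by_subnet[a["SubnetId"]] = t
    findings = {}
    for sid in public_subnet_ids:
        table = by_subnet.get(sid, main_table)
        explicit = sid in by_subnet
        # Compliant only when a custom (explicitly associated) table routes 0.0.0.0/0 to the IGW
        findings[sid] = {"route_table": table["RouteTableId"] if table else None,
                         "explicit_association": explicit,
                         "compliant": explicit and has_igw_default_route(table)}
    return findings
```

To run it against a real account, drop the `--query` projection from the describe-route-tables command (the Associations field is needed) and pass the full JSON text to audit_public_subnets.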

Remediation / Resolution

To create a custom route table and associate it with your public subnets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that contains your public subnets from the Select a VPC dropdown menu.

04 In the navigation panel, under Virtual Private Cloud, click Route Tables.

05 Click Create Route Table button from the dashboard top menu to initiate the table setup process.

06 Inside Create Route Table dialog box, provide a name for your route table in the Name tag box then select your VPC ID from VPC dropdown list. Once configured, click Yes, Create to create your custom route table.

07 Choose the newly created route table and select the Routes tab from the dashboard bottom panel.

08 On the Routes panel, choose Edit, then click the Add another rule button to add a new route.

09 Type 0.0.0.0/0 in the Destination box then click inside the Target box and select the ID of the Internet Gateway (IGW) configured for the current VPC.

10 Click Save to create the route and apply it to the route table. The new route matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the VPC’s Internet Gateway.

11 Select Subnet Associations tab from the dashboard bottom panel and click Edit.

12 Choose your public subnets by selecting the checkbox of each subnet that you want to associate with the route table created and configured earlier.

13 Click Save to apply the changes. The new route table is now associated with your VPC public subnets.

14 If required, change the AWS region from the navigation bar and repeat steps no. 5 – 13 for other regions.

Using AWS CLI

01 Run create-route-table command (OSX/Linux/UNIX) to create the required route table for your public subnets. The following command example creates a custom route table, inside an AWS VPC identified by the ID "vpc-abcd1234", available in the US East (N. Virginia) region:

aws ec2 create-route-table \
	--region us-east-1 \
	--vpc-id vpc-abcd1234

02 The command output should return the new route table metadata:

{
    "RouteTable": {
        "Associations": [],
        "RouteTableId": "rtb-abcdabcd",
        "VpcId": "vpc-abcd1234",
        "PropagatingVgws": [],
        "Tags": [],
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.31.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            }
        ]
    }
}

03 Run create-route command (OSX/Linux/UNIX) using the ID of the newly created route table listed at the previous step as identifier to create a new route that matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the specified Internet Gateway (IGW):

aws ec2 create-route \
	--region us-east-1 \
	--route-table-id rtb-abcdabcd \
	--destination-cidr-block 0.0.0.0/0 \
	--gateway-id igw-12345678

04 The command output should return true if the request succeeds, otherwise, it should return an error:

{
    "Return": true
}

05 Run associate-route-table command (OSX/Linux/UNIX) to associate the new route table with your VPC public subnets. The subnets and the route table must be in the same VPC. The association causes traffic originating from the specified subnets to be routed according to the route defined at the previous steps. The route table can be associated with multiple subnets, therefore replace the --subnet-id parameter value and execute the command for each public subnet available within the selected region:

aws ec2 associate-route-table \
	--region us-east-1 \
	--route-table-id rtb-abcdabcd \
	--subnet-id subnet-aaaabbbb

06 The command output should return the association ID:

{
    "AssociationId": "rtbassoc-aabbccdd"
}

07 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 for other regions.

Publication date Apr 17, 2018