Ensure that a custom route table is created and associated with your VPC public subnets in order to control the routing for these subnets. A route table contains a set of rules (also known as routes) that determine where network traffic is directed. The custom route table associated with public subnets should contain just the default route (i.e. 0.0.0.0/0) pointing to an Internet Gateway (IGW). A public subnet can be associated with only one route table at a time. This conformity rule assumes that all public subnets available within your VPC are tagged with <public_tier_tag><public_tier_tag_value>, where <public_tier_tag> represents the tag name and <public_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the public-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
To control the routing for your VPC public subnets you need to create custom route tables. Once these are created, all the subnets which should be public can be explicitly associated with the new route tables.
Note: Ensure that you replace all <public_tier_tag><public_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the public subnets.
Audit
To determine if the public subnets within your VPC are associated with custom route tables, perform the following actions:
Remediation / Resolution
To create a custom route table and associate it with your public subnets, perform the following actions:
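The following script is an added example covering both the Audit and the Remediation steps above; it is not Cloud Conformity's own code. It evaluates offline, constructed dictionaries shaped like the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` return, reports for every public-tier subnet whether it is explicitly associated with a custom route table whose only non-local route is 0.0.0.0/0 to an Internet Gateway, and then lists the `create-route-table`, `create-route` and `associate-route-table` commands needed for each non-compliant subnet. The tag name `Tier`, the tag value `public`, and all VPC, subnet, route table and gateway IDs are placeholders standing in for <public_tier_tag>, <public_tier_tag_value> and your own resource IDs.

```python
"""Audit public-subnet route tables and plan remediation (added example, not Cloud Conformity code)."""
import json

PUBLIC_TIER_TAG = "Tier"      # placeholder for <public_tier_tag>
PUBLIC_TIER_VALUE = "public"  # placeholder for <public_tier_tag_value>

# Route attribute keys that carry the target of a route in describe-route-tables output.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId",
               "VpcPeeringConnectionId", "TransitGatewayId", "LocalGatewayId")

# Constructed sample data: two public-tier subnets and one private subnet (placeholder IDs).
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0123", "Tags": [{"Key": "Tier", "Value": "public"}]},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0123", "Tags": [{"Key": "Tier", "Value": "public"}]},
    {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0123", "Tags": [{"Key": "Tier", "Value": "private"}]},
]}
ROUTE_TABLES = {"RouteTables": [
    # Main route table: implicitly used by any subnet with no explicit association.
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0123",
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
    # Custom public route table explicitly associated with subnet-0aaa.
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0123",
     "Associations": [{"Main": False, "RouteTableId": "rtb-public", "SubnetId": "subnet-0aaa"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
]}


def tagged_public_subnets(subnets, tag_key=PUBLIC_TIER_TAG, tag_value=PUBLIC_TIER_VALUE):
    """Subnets carrying the public-tier tag configured in the rule settings."""
    return [s for s in subnets["Subnets"]
            if any(t["Key"] == tag_key and t["Value"] == tag_value for t in s.get("Tags", []))]


def route_table_for_subnet(route_tables, subnet_id):
    """Return (route_table, explicit). explicit is False when the subnet falls back to the main table."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif assoc.get("SubnetId") == subnet_id:
                return rt, True
    return main, False


def audit_route_table(rt):
    """Findings for a public-tier route table; an empty list means compliant."""
    findings, has_igw_default = [], False
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        target = next((route[k] for k in TARGET_KEYS if k in route), None)
        if target == "local":
            continue  # the implicit local route is always present and cannot be removed
        if dest == "0.0.0.0/0" and str(target).startswith("igw-") and route.get("State") == "active":
            has_igw_default = True
            continue
        findings.append(f"unexpected or inactive route {dest} -> {target} ({route.get('State')})")
    if not has_igw_default:
        findings.append("no active default route (0.0.0.0/0) to an Internet Gateway")
    return findings


def audit(subnets, route_tables):
    """Map each public-tier subnet ID to its list of findings (empty == compliant)."""
    results = {}
    for subnet in tagged_public_subnets(subnets):
        rt, explicit = route_table_for_subnet(route_tables, subnet["SubnetId"])
        findings = [] if explicit else ["no explicit association; subnet uses the VPC main route table"]
        if rt is not None:
            findings.extend(audit_route_table(rt))
        results[subnet["SubnetId"]] = findings
    return results


def remediation_commands(vpc_id, igw_id, subnet_id):
    """AWS CLI steps for one non-compliant subnet; <rtb-id> is the ID returned by create-route-table."""
    return [
        f"aws ec2 create-route-table --vpc-id {vpc_id}",
        f"aws ec2 create-route --route-table-id <rtb-id> --destination-cidr-block 0.0.0.0/0 --gateway-id {igw_id}",
        f"aws ec2 associate-route-table --route-table-id <rtb-id> --subnet-id {subnet_id}",
    ]


if __name__ == "__main__":
    results = audit(SUBNETS, ROUTE_TABLES)
    print(json.dumps(results, indent=2))
    for subnet_id, findings in results.items():
        if findings:
            print("\n".join(remediation_commands("vpc-0123", "igw-0123", subnet_id)))
```

With the sample data, subnet-0aaa passes and subnet-0bbb is flagged because it has no explicit association and therefore inherits the main route table. Routes whose state is blackhole (for example a default route to a detached gateway) are reported rather than silently accepted, and the target lookup covers NAT gateway, instance, peering and transit gateway routes so that a public table carrying any of them is reported too.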
References
- AWS Documentation
  - What Is Amazon VPC?
  - Working with VPCs and Subnets
  - Route Tables
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-subnets
    - describe-route-tables
    - create-route-table
    - create-route
    - associate-route-table