Best practice rules for Amazon Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC) gives you an isolated section of the AWS cloud in which you launch resources into a virtual network that you define. A VPC puts the network under your control: you choose the IP address range, the subnets, the route tables and the network gateways. Used well, it adds a network layer of security to your infrastructure, for example by deciding which resources in your AWS account can reach, or be reached from, the internet.
- AWS VPC Peering Connections Route Tables Access
Ensure that the route table entries pointing at each VPC peering connection match your intended routing policy: a route should cover only the peer CIDR blocks (or subnets) that actually need to communicate, not the whole peer network.
- AWS VPN Tunnel State
Ensure that the tunnels of your AWS Site-to-Site VPN connections are in the UP state.
- Allocate Elastic IPs for NAT Gateways
Ensure that Elastic IP addresses are allocated for your NAT gateways (a public NAT gateway needs one at creation time).
- Create App-Tier VPC Subnets
Ensure subnets for the app tier are created.
- Create Data-Tier VPC Subnets
Ensure subnets for the data tier are created.
- Create NAT Gateways in at Least Two Availability Zones
Ensure NAT gateways are created in at least two Availability Zones.
- Create Route Table for Private Subnets
Ensure a route table for the private subnets is created.
- Create Route Table for Public Subnets
Ensure a route table for the public subnets is created.
- Create Web-Tier ELB Subnets
Ensure subnets for the web-tier ELBs are created.
- Create Web-Tier VPC Subnets
Ensure subnets for the web tier are created.
- Default VPC in Use
Ensure that the default Virtual Private Cloud (VPC) is not being used.
- Enable Flow Logs for VPC Subnets
Ensure that the Flow Logs feature is enabled for your Amazon VPC subnets.
- Ineffective Network ACL DENY Rules
Ensure that no Network ACL DENY rule is shadowed by a lower-numbered ALLOW rule covering the same traffic. NACL rules are evaluated in ascending rule-number order and the first match wins, so such a DENY rule never takes effect.
- Managed NAT Gateway in Use
Ensure that the managed NAT Gateway service is used instead of self-managed NAT instances, for high availability (HA).
- Specific Gateway Attached To Specific VPC
Ensure that the expected Internet gateway or NAT gateway is attached to the expected VPC.
- Unrestricted Inbound Traffic on Remote Server Administration Ports
Ensure that no Network ACL (NACL) allows inbound traffic on TCP port 22 (SSH) or 3389 (RDP) from any source (0.0.0.0/0 or ::/0).
- Unrestricted Network ACL Inbound Traffic
Ensure that no Network ACL (NACL) allows inbound/ingress traffic on all ports from any source (0.0.0.0/0 or ::/0).
- Unrestricted Network ACL Outbound Traffic
Ensure that no Network ACL (NACL) allows outbound/egress traffic on all ports to any destination (0.0.0.0/0 or ::/0).
- Unused VPC Internet Gateways
Ensure that unused VPC Internet Gateways and Egress-Only Internet Gateways are removed.
- Unused Virtual Private Gateways
Ensure that unused Virtual Private Gateways (VGWs) are removed.
- VPC Endpoint Cross Account Access
Ensure that Amazon VPC endpoint policies do not grant access to principals from unknown AWS accounts.
- VPC Endpoint Exposed
Ensure that Amazon VPC endpoint policies do not grant access to every principal (a wildcard Principal with no condition scoping it to your accounts or Organization).
- VPC Endpoints In Use
Ensure that VPC endpoints are used to connect your VPC to supported AWS services, so that the traffic stays on the AWS network instead of traversing the internet.
- VPC Flow Logs Enabled
Ensure VPC flow logging is enabled in all VPCs.
- VPC Naming Conventions
Follow proper naming conventions for Virtual Private Clouds.
- VPC Peering Connections To Accounts Outside AWS Organization
Ensure that VPC peering connections exist only between AWS accounts that are members of the same AWS Organization.
- VPC Traffic Mirroring in Use
Ensure that the VPC Traffic Mirroring feature is used for your VPC networks.
- VPN Tunnel Redundancy
Ensure that both tunnels of each AWS Site-to-Site VPN connection are active, so the connection survives the loss of one tunnel.
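The four Network ACL rules above (ineffective DENY rules, unrestricted admin ports, unrestricted inbound and unrestricted outbound traffic) all come down to one property of NACLs: entries are evaluated in ascending rule-number order and the first match wins. The following script, an added example that is not code from the original page or from any scanning product, evaluates all four findings over a constructed entry list shaped like the `Entries` field returned by `ec2:DescribeNetworkAcls` (boto3 `describe_network_acls()`), so it runs offline; the sample entries and rule numbers are made up for illustration.

```python
"""Evaluate a Network ACL's entries for the NACL findings listed on this page.

Added example: not code from the original page or from any scanning product.
Input is a constructed list shaped like the ``Entries`` field returned by
``ec2:DescribeNetworkAcls`` (boto3 ``describe_network_acls()``).
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
DEFAULT_RULE = 32767  # the implicit catch-all DENY ("*") at the end of every NACL


def cidr(entry: Dict) -> Network:
    return ipaddress.ip_network(entry.get("CidrBlock") or entry["Ipv6CidrBlock"])


def ports(entry: Dict) -> Tuple[int, int]:
    # Protocol "-1" means all protocols, hence all ports. ICMP entries carry
    # IcmpTypeCode instead of PortRange and are treated as all ports here.
    if entry["Protocol"] == "-1":
        return 0, 65535
    pr = entry.get("PortRange", {})
    return pr.get("From", 0), pr.get("To", 65535)


def covers(outer: Dict, inner: Dict) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer["Egress"] != inner["Egress"]:
        return False
    o, i = cidr(outer), cidr(inner)
    if o.version != i.version or not o.supernet_of(i):
        return False
    if outer["Protocol"] not in ("-1", inner["Protocol"]):
        return False
    (o_lo, o_hi), (i_lo, i_hi) = ports(outer), ports(inner)
    return o_lo <= i_lo and i_hi <= o_hi


def is_shadowed(entry: Dict, entries: List[Dict]) -> bool:
    """Rules are evaluated in ascending rule-number order, first match wins: a
    rule never fires if a lower-numbered rule with the opposite action already
    matches everything it would match."""
    return any(
        e["RuleNumber"] < entry["RuleNumber"]
        and e["RuleAction"] != entry["RuleAction"]
        and covers(e, entry)
        for e in entries
    )


def evaluate(entries: List[Dict]) -> List[str]:
    findings = []
    rules = [e for e in entries if e["RuleNumber"] != DEFAULT_RULE]
    for e in sorted(rules, key=lambda r: r["RuleNumber"]):
        direction = "outbound" if e["Egress"] else "inbound"
        if e["RuleAction"] == "deny":
            if is_shadowed(e, rules):
                findings.append(f"ineffective DENY rule {e['RuleNumber']} ({direction}): "
                                "shadowed by a lower-numbered ALLOW")
            continue
        # An ALLOW only matters when it is open to the world and nothing before
        # it already denies that whole range (a partial DENY does not help).
        if str(cidr(e)) not in ANY_SOURCE or is_shadowed(e, rules):
            continue
        lo, hi = ports(e)
        if (lo, hi) == (0, 65535):
            findings.append(f"unrestricted {direction} ALLOW rule {e['RuleNumber']}: "
                            f"all ports, {cidr(e)}")
        elif not e["Egress"] and e["Protocol"] in ("-1", "6"):
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append(f"rule {e['RuleNumber']} allows {name} (tcp/{port}) "
                                    f"inbound from {cidr(e)}")
    return findings


# Constructed sample, not taken from a real account.
SAMPLE_ENTRIES = [
    {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 60, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},  # never fires: 50 wins
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},  # shadowed by 100
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ENTRIES):
        print(finding)
```

On the sample, rule 60 is not reported even though it allows RDP from anywhere, because rule 50 denies exactly that traffic first; rule 110 is reported as ineffective because the all-protocols ALLOW at 100 matches SSH before it is reached. To run this against an account, pass each `NetworkAcl["Entries"]` list from `describe_network_acls()` to `evaluate()`.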
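The VPC endpoint rules (cross-account access, exposed endpoints) and the peering rule (connections to accounts outside the Organization) are all checks of "which AWS account is on the other side". The script below, an added example that is not code from the original page or from any scanning product, evaluates an endpoint policy document and a list of peering connections against a set of known account IDs. The policy, the peering records and the account IDs are constructed for illustration; the records are shaped like the `PolicyDocument` field of `ec2:DescribeVpcEndpoints` and the `RequesterVpcInfo`/`AccepterVpcInfo` fields of `ec2:DescribeVpcPeeringConnections`.

```python
"""Check VPC endpoint policies and VPC peering connections against known accounts.

Added example: not code from the original page or from any scanning product.
All sample data below is constructed; account IDs and connection IDs are placeholders.
"""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")
# Condition keys that restrict a wildcard principal to identities you control.
SCOPING_KEYS = {"aws:principalaccount", "aws:principalorgid",
                "aws:principalorgpaths", "aws:principalarn"}


def aws_principals(stmt: Dict) -> List[str]:
    """AWS principals of a statement, "*" for the wildcard. Service and Federated
    principals are ignored: they do not represent another account's identities."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return aws if isinstance(aws, list) else [aws]


def condition_keys(stmt: Dict) -> Set[str]:
    keys = set()
    for operator in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator)
    return keys


def account_of(principal: str) -> Optional[str]:
    if principal.isdigit() and len(principal) == 12:
        return principal
    m = ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def evaluate_endpoint_policy(policy_document: str, trusted_accounts: Set[str]) -> List[str]:
    findings = []
    statements = json.loads(policy_document)["Statement"]
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for principal in aws_principals(stmt):
            if principal == "*":
                if not condition_keys(stmt) & SCOPING_KEYS:
                    findings.append(f"{sid}: wildcard principal with no scoping condition (exposed)")
                continue
            account = account_of(principal)
            if account is None:
                findings.append(f"{sid}: unrecognised principal {principal}")
            elif account not in trusted_accounts:
                findings.append(f"{sid}: cross-account access for unknown account {account}")
    return findings


def peering_outside_org(connections: List[Dict], org_accounts: Set[str]) -> List[Tuple[str, str]]:
    """(connection id, account id) for every peering side owned outside the Organization."""
    outside = []
    for conn in connections:
        for side in ("RequesterVpcInfo", "AccepterVpcInfo"):
            owner = conn[side]["OwnerId"]
            if owner not in org_accounts:
                outside.append((conn["VpcPeeringConnectionId"], owner))
    return outside


# Constructed sample data (placeholder account IDs, Organization ID and connection IDs).
ORG_ACCOUNTS = {"111111111111", "333333333333"}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ThisAccount", "Effect": "Allow", "Action": "s3:*", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
        {"Sid": "PartnerAccount", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/partner"}},
        {"Sid": "Everyone", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
         "Principal": "*"},
        {"Sid": "OrgScoped", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
         "Principal": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
})
SAMPLE_PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-0000000000000001",
     "RequesterVpcInfo": {"OwnerId": "111111111111"}, "AccepterVpcInfo": {"OwnerId": "333333333333"}},
    {"VpcPeeringConnectionId": "pcx-0000000000000002",
     "RequesterVpcInfo": {"OwnerId": "111111111111"}, "AccepterVpcInfo": {"OwnerId": "444444444444"}},
]

if __name__ == "__main__":
    for finding in evaluate_endpoint_policy(SAMPLE_POLICY, ORG_ACCOUNTS):
        print(finding)
    for conn_id, owner in peering_outside_org(SAMPLE_PEERINGS, ORG_ACCOUNTS):
        print(f"{conn_id}: peered with account {owner} outside the Organization")
```

Two caveats when reading the results. An endpoint policy only governs principals that already send traffic through that endpoint from inside the VPC (or networks routed to it), so a wildcard principal widens who may use the endpoint, not who can reach it from the internet; the `OrgScoped` statement shows the usual fix, a condition on `aws:PrincipalOrgID`. For the peering check, the set of Organization accounts would come from `organizations:ListAccounts` in a real run; here it is a constructed set.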