Overview
If you created your AWS account before December 4, 2013, you might have support for EC2-Classic in some AWS Regions. Some Amazon EC2 resources and features, such as enhanced networking and newer instance types, require a virtual private cloud (VPC).
Both AWS and we recommend that you migrate to a VPC to take advantage of VPC-only features.
Remediation guidance
AWS remediation
Instances should run in VPC-based networking.
Console
- Create/select VPC and subnets.
- Launch replacement instances in VPC.
- Cut over traffic and retire legacy configuration.
AWS CLI
aws ec2 run-instances \
--image-id <ami-id> \
--instance-type <instance-type> \
--subnet-id <subnet-id> \
--security-group-ids <sg-id>
References
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-migrate.html
- https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
EC2 Instances are deployed in a VPC
Connectors
Covered asset types
Expected check: eq []
{vms(where:{OR:[{vpcID:null},{vpcID:""}]}){...AssetFragment}}
AWS
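The stored check above flags any VM whose vpcID is null or empty. The following is an added example (not part of this page's tooling) that applies the same condition offline to a describe-instances style response, so you can reproduce the check against your own inventory export; the response data and instance IDs are constructed for illustration.

```python
"""Flag EC2 instances that are not attached to a VPC (EC2-Classic).

Mirrors the stored check: an instance fails when its VpcId is absent,
null or an empty string. The input has the shape returned by
`aws ec2 describe-instances` / boto3 describe_instances().
"""
from typing import Any, Dict, List

# Constructed sample response (not real data): one VPC instance, one
# EC2-Classic instance with no VpcId key, and one with an empty VpcId.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa000000000001", "VpcId": "vpc-0123456789abcdef0",
             "SubnetId": "subnet-0123456789abcdef0", "State": {"Name": "running"}},
            {"InstanceId": "i-0aaa000000000002",  # no VpcId key at all
             "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaa000000000003", "VpcId": "",
             "State": {"Name": "stopped"}},
        ]},
    ]
}


def in_vpc(instance: Dict[str, Any]) -> bool:
    """True when the instance carries a non-empty VpcId string."""
    vpc_id = instance.get("VpcId")
    return isinstance(vpc_id, str) and vpc_id != ""


def find_instances_outside_vpc(response: Dict[str, Any]) -> List[str]:
    """Return the IDs of instances whose VpcId is missing, null or empty.

    Same condition as the stored check (vpcID null or ""); the control
    passes only when the returned list is empty (expected check: eq []).
    """
    flagged: List[str] = []
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            if not in_vpc(instance):
                flagged.append(instance["InstanceId"])
    return flagged


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with the (paginated) output of
    # boto3.client("ec2").describe_instances() to run against a real account.
    print(find_instances_outside_vpc(SAMPLE_RESPONSE))  # -> ['i-0aaa000000000002', 'i-0aaa000000000003']
```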