Default vs Non-default VPCs
Overview
The Default vs Non-default VPCs insight provides a clear distinction between the default VPCs automatically created by AWS in each region and the custom non-default VPCs configured for specific use cases. This insight is essential for IT Operations (IT Ops) and Security Operations (Sec Ops) engineers to understand, manage, and secure their network infrastructure effectively.

Value to IT and Security Engineers
For IT Engineers:
Infrastructure Clarity: Distinguishes default VPCs from custom VPCs, helping teams understand how their network is structured and avoid accidental usage of the default VPC.
Resource Optimization: Identifies resources tied to default VPCs that may need to be migrated to custom VPCs for better network segmentation and control.
Operational Efficiency: Provides insights into which VPCs align with organizational standards, ensuring optimal use of resources and infrastructure consistency.
For Security Engineers:
Security Baseline Assessment: Highlights default VPCs, which may not be configured to meet strict security requirements, enabling teams to transition to more secure custom VPCs.
Compliance Verification: Ensures non-default VPCs adhere to tagging, subnetting, and access control policies required for regulatory compliance.
Risk Mitigation: Reduces the likelihood of security incidents by discouraging the use of default VPCs for production workloads. A default VPC ships with a generic configuration (public subnets in every Availability Zone, an attached internet gateway, and public IPv4 addresses auto-assigned to instances) that was never tuned to the workload's needs.
Key Use Cases
Network Segmentation and Isolation: IT Ops can use this insight to ensure that production, development, and testing environments are isolated in custom VPCs, avoiding the risks associated with shared default VPCs.
Default VPC Cleanup: Sec Ops can identify and decommission unused or unnecessary default VPCs to minimize the attack surface and maintain a cleaner network layout.
Custom VPC Policy Enforcement: IT Ops and Sec Ops can verify that resources are deployed within custom VPCs configured with appropriate security controls, routing rules, and subnet policies.
Ensuring Compliance: Provides clarity on whether non-default VPCs are tagged and configured to meet organizational and regulatory compliance requirements.
Actionable Insights
Audit VPC Usage: Regularly review the usage of default and non-default VPCs to ensure that resources are deployed in the appropriate environments.
Enforce Standards: Implement policies that prevent production workloads from being deployed in default VPCs.
Optimize Custom VPC Configurations: Validate that non-default VPCs are properly segmented with secure routing and subnet setups.
Tagging and Metadata: Ensure both default and non-default VPCs have consistent tagging to facilitate better tracking and compliance.
Additional Recommendations
Disable Default VPCs if Unused: To prevent accidental deployments in default VPCs, consider disabling them in regions where they are not needed.
Leverage AWS Config: Use AWS Config rules to monitor and enforce compliance for VPC configurations, ensuring non-default VPCs meet required standards.
Review IAM and Network Policies: Confirm that IAM roles and network ACLs are correctly configured to protect non-default VPCs from unauthorized access.
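The "Audit VPC Usage" and "Disable Default VPCs if Unused" items above both need the same two facts per VPC: is it the region's default, and does anything still live in it. The script below is an added example, not code from this insight or from AWS; it classifies VPCs using the IsDefault flag from DescribeVpcs and uses the count of elastic network interfaces from DescribeNetworkInterfaces as the "in use" signal, because every EC2 instance, load balancer, RDS instance or VPC-attached Lambda owns at least one ENI. The REQUIRED_TAGS standard, the region list and all VPC and ENI identifiers in the sample are constructed for illustration; audit_live() is the same audit over real API output and needs boto3 plus credentials with ec2:Describe* permissions.

```python
"""Audit default vs non-default VPCs (added example, not the insight's own code).

Input shape follows the EC2 DescribeVpcs / DescribeNetworkInterfaces responses, so the
same functions run over live boto3 output or over the constructed sample at the bottom.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed organisational tagging standard; replace with your own policy.
REQUIRED_TAGS = ("Environment", "Owner")


@dataclass
class VpcFinding:
    region: str
    vpc_id: str
    is_default: bool
    eni_count: int        # attached network interfaces: proxy for "something lives here"
    missing_tags: list


def audit_region(region, vpcs, enis, required_tags=REQUIRED_TAGS):
    """Classify each VPC in one region.

    vpcs: the 'Vpcs' list from DescribeVpcs.
    enis: the 'NetworkInterfaces' list from DescribeNetworkInterfaces.
    """
    eni_per_vpc = Counter(eni["VpcId"] for eni in enis)
    findings = []
    for vpc in vpcs:
        tags = {t["Key"]: t["Value"] for t in vpc.get("Tags", [])}
        findings.append(VpcFinding(
            region=region,
            vpc_id=vpc["VpcId"],
            is_default=bool(vpc.get("IsDefault", False)),
            eni_count=eni_per_vpc[vpc["VpcId"]],
            missing_tags=[k for k in required_tags if k not in tags],
        ))
    return findings


def summarize(findings):
    """Split findings into the three buckets the recommendations above act on."""
    return {
        # workloads running in a default VPC: candidates for migration to a custom VPC
        "default_in_use": [f for f in findings if f.is_default and f.eni_count > 0],
        # empty default VPCs: candidates for removal in regions where they are not needed
        "default_unused": [f for f in findings if f.is_default and f.eni_count == 0],
        # custom VPCs that violate the tagging standard
        "custom_missing_tags": [f for f in findings if not f.is_default and f.missing_tags],
    }


def audit_live(regions):
    """Same audit over live data; needs boto3 and read-only EC2 credentials."""
    import boto3  # imported here so the module loads without boto3 installed
    findings = []
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        vpcs = [v for page in ec2.get_paginator("describe_vpcs").paginate()
                for v in page["Vpcs"]]
        enis = [e for page in ec2.get_paginator("describe_network_interfaces").paginate()
                for e in page["NetworkInterfaces"]]
        findings.extend(audit_region(region, vpcs, enis))
    return findings


# Constructed sample: two regions; every identifier below is made up.
SAMPLE = {
    "us-east-1": {
        "Vpcs": [
            {"VpcId": "vpc-0aaa000000000001", "IsDefault": True, "CidrBlock": "172.31.0.0/16"},
            {"VpcId": "vpc-0bbb000000000002", "IsDefault": False, "CidrBlock": "10.10.0.0/16",
             "Tags": [{"Key": "Environment", "Value": "prod"}, {"Key": "Owner", "Value": "platform"}]},
            {"VpcId": "vpc-0ccc000000000003", "IsDefault": False, "CidrBlock": "10.20.0.0/16",
             "Tags": [{"Key": "Environment", "Value": "dev"}]},
        ],
        "NetworkInterfaces": [
            {"NetworkInterfaceId": "eni-0111000000000001", "VpcId": "vpc-0aaa000000000001"},
            {"NetworkInterfaceId": "eni-0111000000000002", "VpcId": "vpc-0aaa000000000001"},
            {"NetworkInterfaceId": "eni-0111000000000003", "VpcId": "vpc-0bbb000000000002"},
        ],
    },
    "eu-west-1": {
        "Vpcs": [{"VpcId": "vpc-0ddd000000000004", "IsDefault": True, "CidrBlock": "172.31.0.0/16"}],
        "NetworkInterfaces": [],
    },
}


def audit_sample():
    """Run the audit over the constructed sample and return the summary buckets."""
    findings = []
    for region, data in SAMPLE.items():
        findings.extend(audit_region(region, data["Vpcs"], data["NetworkInterfaces"]))
    return summarize(findings)


if __name__ == "__main__":
    for bucket, items in audit_sample().items():
        print(bucket)
        for f in items:
            print(f"  {f.region} {f.vpc_id} enis={f.eni_count} missing_tags={f.missing_tags}")
```

On the sample, the us-east-1 default VPC lands in default_in_use (two ENIs, so something must be migrated before it can go), the eu-west-1 default VPC lands in default_unused (a removal candidate), and the dev VPC is reported for a missing Owner tag. A zero ENI count is a strong "empty" signal, but check for non-ENI dependencies such as VPC peering connections and VPC endpoints before removing a default VPC.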
By providing a clear distinction between default and non-default VPCs, this insight empowers IT Ops and Sec Ops engineers to secure their AWS network infrastructure, optimize resource allocation, and maintain compliance with organizational standards.