VPCs without public subnet

Overview

The VPCs without Public Subnet insight identifies Virtual Private Clouds (VPCs) that do not contain any public subnets. This information is crucial for IT Operations (IT Ops) and Security Operations (Sec Ops) engineers to assess the accessibility, configuration, and security of their AWS network infrastructure.

Value to IT and Security Engineers

For IT Engineers:

• Infrastructure Accessibility: Helps identify VPCs that lack internet-facing resources, which may hinder application accessibility or integration with external systems.

• Troubleshooting Connectivity Issues: Assists in diagnosing network connectivity issues caused by the absence of public subnets for resources that require internet or external access.

• Network Design Optimization: Ensures that VPCs are appropriately designed for their intended use cases, whether for public-facing or private workloads.

For Security Engineers:

• Security Posture Validation: Ensures that VPCs without public subnets are intentionally configured to restrict external access, aligning with security best practices.

• Compliance Monitoring: Confirms that private workloads remain isolated and do not unintentionally expose resources to external networks.

• Threat Surface Reduction: Verifies that sensitive resources are not accessible from the internet due to misconfigurations, reducing potential attack vectors.

Key Use Cases

1. Ensuring Private Resource Isolation: Sec Ops engineers can verify that private resources in these VPCs remain isolated and protected from unauthorized external access.

2. Supporting Public-Facing Applications: IT Ops engineers can identify VPCs missing public subnets that may require them for hosting public-facing applications or APIs.

3. Network Architecture Review: Teams can assess whether the absence of public subnets aligns with the intended network design and operational requirements.

4. Compliance and Security Audits: Regular audits ensure VPC configurations comply with organizational policies that mandate specific subnet configurations.

Actionable Insights

• Evaluate VPC Purpose: Confirm that the absence of public subnets aligns with the intended design of the VPC, whether for isolated, private workloads or specific security requirements.

• Add Public Subnets if Needed: For VPCs requiring external access, create and configure public subnets with appropriate routing and security group rules.

• Review Routing Configurations: Verify that any added public subnets have route table configurations pointing to an internet gateway.

• Audit Security Group Rules: Ensure that security group rules attached to resources in these VPCs align with the restricted nature of private subnets or accommodate safe external access when public subnets are introduced.

Additional Recommendations

• Use AWS Config Rules: Set up rules to monitor and enforce subnet configurations for VPCs based on organizational policies.

• Leverage VPC Flow Logs: Enable flow logs to monitor network traffic patterns and verify that resources in private VPCs are not inadvertently exposed.

• Tag Resources Appropriately: Apply descriptive tags to VPCs and subnets to clearly indicate their role (e.g., "Public-Accessible" or "Private-Isolated") for better resource management and auditability.

By understanding and addressing VPCs without Public Subnet, IT Ops and Sec Ops engineers can ensure a balanced and secure network design that meets operational needs while minimizing security risks.