
Metadata

Id: 61d1a2d0-4db8-405a-913d-5d2ce49dff6f

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Insecure Configurations

Description

EC2 instances must be launched into a VPC subnet so they are subject to VPC network controls such as security groups, network ACLs, private addressing, and VPC flow logs. Without a subnet assignment, instances can lack network isolation and be exposed to the public network or miss critical network monitoring.

For Ansible EC2 modules (amazon.aws.ec2_instance, ec2_instance), the vpc_subnet_id property must be defined and set to a valid VPC subnet ID. Tasks with state equal to absent or list are ignored. Resources missing vpc_subnet_id or with it undefined are flagged.

Secure example Ansible task:

- name: Launch EC2 instance in VPC subnet
  amazon.aws.ec2_instance:
    name: my-instance
    image_id: ami-0123456789abcdef0
    instance_type: t3.micro
    vpc_subnet_id: subnet-0abc1234def567890
    security_groups:
      - sg-0a1b2c3d4e5f6g7h
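The check described above, written out as a small standalone script (an added example; this is not Datadog's or KICS's scanner code). It walks the task tree of an already-parsed playbook, descends into block/rescue/always sections, looks for the two EC2 module names the rule covers, skips tasks whose state is absent or list, and reports any task where vpc_subnet_id is missing, null or blank. The sample playbook and the task names in it are constructed for the example; in practice you would load a real playbook with PyYAML's yaml.safe_load and pass the result to check_playbook.

```python
"""Offline checker for 'EC2 instance launched without a VPC subnet' (added example).

Input is the Python structure yaml.safe_load returns for a playbook: a list of
plays, each a dict with task sections. The sample playbook below is constructed.
"""

EC2_MODULES = {"amazon.aws.ec2_instance", "ec2_instance"}
IGNORED_STATES = {"absent", "list"}
BLOCK_KEYS = ("block", "rescue", "always")
TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def iter_tasks(tasks):
    """Yield leaf tasks, descending into block/rescue/always containers."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = False
        for key in BLOCK_KEYS:
            if key in task:
                nested = True
                yield from iter_tasks(task[key])
        if not nested:
            yield task


def find_ec2_params(task):
    """Return the EC2 module's parameter dict for a task, or None if it is not an EC2 task."""
    for module in EC2_MODULES:
        if module in task:
            params = task[module]
            return params if isinstance(params, dict) else {}
    return None


def missing_subnet(task):
    """True when the task launches an EC2 instance without a usable vpc_subnet_id."""
    params = find_ec2_params(task)
    if params is None:
        return False
    # Tasks that only terminate or list instances never create network exposure.
    if str(params.get("state", "present")).lower() in IGNORED_STATES:
        return False
    subnet = params.get("vpc_subnet_id")
    # Key absent, explicit null, or an empty/whitespace string all count as undefined.
    return subnet is None or (isinstance(subnet, str) and not subnet.strip())


def check_playbook(plays):
    """Return the names of non-compliant tasks across every play and task section."""
    findings = []
    for play in plays:
        if not isinstance(play, dict):
            continue
        for section in TASK_SECTIONS:
            for task in iter_tasks(play.get(section)):
                if missing_subnet(task):
                    findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed sample playbook, in the shape yaml.safe_load would produce.
SAMPLE_PLAYBOOK = [
    {
        "hosts": "localhost",
        "tasks": [
            {"name": "compliant launch",
             "amazon.aws.ec2_instance": {"name": "a", "image_id": "ami-123456",
                                         "vpc_subnet_id": "subnet-29e63245"}},
            {"name": "missing subnet",
             "amazon.aws.ec2_instance": {"name": "b", "image_id": "ami-123456"}},
            {"name": "null subnet",
             "ec2_instance": {"name": "c", "vpc_subnet_id": None}},
            {"name": "terminate old",
             "amazon.aws.ec2_instance": {"name": "d", "state": "absent"}},
            {"block": [{"name": "nested missing subnet", "ec2_instance": {"name": "e"}}]},
            {"name": "unrelated", "ansible.builtin.debug": {"msg": "hi"}},
        ],
    }
]

if __name__ == "__main__":
    for name in check_playbook(SAMPLE_PLAYBOOK):
        print(f"non-compliant: {name}")
```

Run against the sample, the script reports three tasks: the one with no vpc_subnet_id key, the one that sets it to null, and the one nested inside a block; the absent-state task and the non-EC2 task are skipped. Treating a null or blank value as undefined matches the rule text, which flags resources whose vpc_subnet_id is "missing or undefined" rather than only those lacking the key.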

Compliant Code Examples

- name: Start an instance and have it begin a Tower callback on boot v3
  amazon.aws.ec2_instance:
    name: tower-callback-test
    key_name: prod-ssh-key
    vpc_subnet_id: subnet-5ca1ab1e
    security_group: default
    tower_callback:
      # IP or hostname of tower server
      tower_address: 1.2.3.4
      job_template_id: 876
      host_config_key: '[secret config key goes here]'
    network:
      assign_public_ip: true
    image_id: ami-123456
    cpu_credit_specification: unlimited
    tags:
      SomeThing: A value
- name: Start an instance and have it begin a Tower callback on boot v4
  amazon.aws.ec2_instance:
    name: my-ec2-instance
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245

Non-Compliant Code Examples

- name: Start an instance and have it begin a Tower callback on boot
  amazon.aws.ec2_instance:
    name: "tower-callback-test"
    key_name: "prod-ssh-key"
    security_group: default
    tower_callback:
      # IP or hostname of tower server
      tower_address: 1.2.3.4
      job_template_id: 876
      host_config_key: '[secret config key goes here]'
    network:
      assign_public_ip: true
    image_id: ami-123456
    cpu_credit_specification: unlimited
    tags:
      SomeThing: "A value"
- name: Start an instance and have it begin a Tower callback on boot v2
  amazon.aws.ec2_instance:
    name: my-ec2-instance
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456