For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-ec2-instance-using-default-vpc.md. A documentation index is available at /llms.txt.

EC2 instance using default VPC

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-ec2-instance-using-default-vpc

Provider: AWS

Platform: Ansible

Severity: Low

Category: Networking and Firewall

Learn More

Description

Launching EC2 instances into a default VPC increases exposure because default VPCs often have permissive networking defaults that are not tailored with least-privilege network controls. This makes it harder to enforce isolation and audit access. In Ansible playbooks using the amazon.aws.ec2_instance or ec2_instance module, the vpc_subnet_id parameter must not reference a subnet that belongs to a default VPC. This rule flags EC2 tasks where vpc_subnet_id is templated to a registered amazon.aws.ec2_vpc_subnet/ec2_vpc_subnet and the corresponding subnet’s vpc_id contains the string “default”. Ensure subnets referenced by vpc_subnet_id are created in a non-default VPC (for example, vpc-0abc1234) rather than a value containing “default”.

Secure example with a subnet in a non-default VPC:

- name: create subnet in custom VPC
  amazon.aws.ec2_vpc_subnet:
    vpc_id: vpc-0abc1234
    cidr: 10.0.1.0/24
    state: present
  register: my_subnet

- name: launch instance in the custom subnet
  amazon.aws.ec2_instance:
    name: my-instance
    image_id: ami-0123456789abcdef0
    instance_type: t3.micro
    vpc_subnet_id: "{{ my_subnet.subnet.id }}"
    wait: true
    network:
      assign_public_ip: false

Compliant Code Examples

- name: Launch instance in subnet from custom VPC
  amazon.aws.ec2_instance:
    name: db-instance
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    wait: yes
    vpc_subnet_id: "{{ my_subnet2.subnet.id }}"
    network:
      assign_public_ip: false
- name: Create subnet for database server2
  amazon.aws.ec2_vpc_subnet:
    state: present
    vpc_id: "{{ myVPC.vpcs.0.id }}"
    cidr: 10.0.1.16/28
    tags:
      Name: Database Subnet
  register: my_subnet2

Non-Compliant Code Examples

- name: Launch instance in subnet from default VPC
  amazon.aws.ec2_instance:
    name: db-instance
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    wait: yes
    vpc_subnet_id: "{{ my_subnet.subnet.id }}"
    network:
      assign_public_ip: false
- name: Create subnet for database server
  amazon.aws.ec2_vpc_subnet:
    state: present
    vpc_id: "{{ defaultVPC.vpcs.0.id }}"
    cidr: 10.0.1.16/28
    tags:
      Name: Database Subnet
  register: my_subnet