For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-instance-with-no-vpc.md. A documentation index is available at /llms.txt.

Instance with no VPC

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-instance-with-no-vpc

Provider: AWS

Platform: Ansible

Severity: Low

Category: Insecure Configurations

Learn More

Description

EC2 instances must be launched into a VPC subnet so they are subject to VPC network controls such as security groups, network ACLs, private addressing, and VPC flow logs. Without a subnet assignment, instances can lack network isolation and be exposed to the public network or miss critical network monitoring.

For Ansible EC2 modules (amazon.aws.ec2_instance, ec2_instance), the vpc_subnet_id property must be defined and set to a valid VPC subnet ID. Tasks with state equal to absent or list are ignored. Resources missing vpc_subnet_id or with it undefined are flagged.

Secure example Ansible task:

- name: Launch EC2 instance in VPC subnet
  amazon.aws.ec2_instance:
    name: my-instance
    image_id: ami-0123456789abcdef0
    instance_type: t3.micro
    vpc_subnet_id: subnet-0abc1234def567890
    security_groups:
      - sg-0a1b2c3d4e5f6g7h

Compliant Code Examples

- name: Start an instance and have it begin a Tower callback on boot v3
  amazon.aws.ec2_instance:
    name: tower-callback-test
    key_name: prod-ssh-key
    vpc_subnet_id: subnet-5ca1ab1e
    security_group: default
    tower_callback:
      # IP or hostname of tower server
      tower_address: 1.2.3.4
      job_template_id: 876
      host_config_key: '[secret config key goes here]'
    network:
      assign_public_ip: true
    image_id: ami-123456
    cpu_credit_specification: unlimited
    tags:
      SomeThing: A value
- name: Start an instance and have it begin a Tower callback on boot v4
  amazon.aws.ec2:
    key_name: mykey
    instance_type: t2.micro
    image: ami-123456
    wait: yes
    group: webserver
    count: 3
    vpc_subnet_id: subnet-29e63245
    assign_public_ip: yes

Non-Compliant Code Examples

- name: Start an instance and have it begin a Tower callback on boot
  amazon.aws.ec2_instance:
    name: "tower-callback-test"
    key_name: "prod-ssh-key"
    security_group: default
    tower_callback:
      tower_address: 1.2.3.4
      job_template_id: 876
      host_config_key: '[secret config key goes here]'
    network:
      assign_public_ip: true
    image_id: ami-123456
    cpu_credit_specification: unlimited
    tags:
      SomeThing: "A value"