For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-ec2-instance-using-default-vpc.md. A documentation index is available at /llms.txt.

EC2 instance using default VPC

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-ec2-instance-using-default-vpc

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Networking and Firewall

Learn More

Description

EC2 instances placed in a default VPC are more likely to be publicly reachable and lack explicit network segmentation, increasing the risk of unintended exposure and lateral movement. This rule checks AWS::EC2::Instance resources and ensures Properties.SubnetId does not reference a subnet that is associated with a default VPC. Instances are flagged when their SubnetId references an AWS::EC2::Subnet whose Properties.VpcId resolves to a value or Ref name containing default. Use an explicit non-default VPC and private subnets. For example, reference a subnet in your own VPC:

MyVPC:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: 10.0.0.0/16

MySubnet:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref MyVPC
    CidrBlock: 10.0.1.0/24

MyInstance:
  Type: AWS::EC2::Instance
  Properties:
    SubnetId: !Ref MySubnet

Compliant Code Examples

Resources:
  DefaultVPC:
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      SubnetId: !Ref PublicSubnetA22
  PublicSubnetA22:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.1.10.0/24
      AvailabilityZone: !Select [ 0, !GetAZs ]    # Obtenha o primeiro AZ na lista
      Tags:
          - Key: Name
            Value: !Sub ${AWS::StackName}-Public-A

{
  "Resources": {
    "DefaultVPC": {
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "KeyName": "testkey",
        "SubnetId": "PublicSubnetA22"
      },
      "Type": "AWS::EC2::Instance"
    },
    "PublicSubnetA22": {
      "Properties": {
        "AvailabilityZone": [
          0,
          ""
        ],
        "CidrBlock": "10.1.10.0/24",
        "Tags": [
          {
            "Key": "Name",
            "Value": "${AWS::StackName}-Public-A"
          }
        ],
        "VpcId": "VPC"
      },
      "Type": "AWS::EC2::Subnet"
    }
  }
}

Non-Compliant Code Examples

Resources:
  DefaultVPC:
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      SubnetId: !Ref PublicSubnetA2
  PublicSubnetA2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref DefaultVPC
      CidrBlock: 10.1.10.0/24
      AvailabilityZone: !Select [ 0, !GetAZs ]    # Obtenha o primeiro AZ na lista
      Tags:
          - Key: Name
            Value: !Sub ${AWS::StackName}-Public-A

{
  "Resources": {
    "DefaultVPC": {
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "KeyName": "testkey",
        "SubnetId": "PublicSubnetA2"
      },
      "Type": "AWS::EC2::Instance"
    },
    "PublicSubnetA2": {
      "Properties": {
        "AvailabilityZone": [
          0,
          ""
        ],
        "CidrBlock": "10.1.10.0/24",
        "Tags": [
          {
            "Key": "Name",
            "Value": "${AWS::StackName}-Public-A"
          }
        ],
        "VpcId": "DefaultVPC"
      },
      "Type": "AWS::EC2::Subnet"
    }
  }
}