For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-vpc-without-attached-subnet.md. A documentation index is available at /llms.txt.

VPC without attached subnet

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-vpc-without-attached-subnet

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Resource Management

Learn More

Description

VPCs without any attached subnets can indicate unused or orphaned networks that increase the attack surface and hinder enforcement of network segmentation and security controls.

In CloudFormation, every AWS::EC2::VPC resource should be referenced by at least one AWS::EC2::Subnet via the subnet’s Properties.VpcId (for example, a Ref to the VPC logical ID). This rule flags AWS::EC2::VPC resources defined in the same template that have no AWS::EC2::Subnet resources referencing them. If subnets are created in another stack or outside the template, include the subnet resources in the same template or ensure the VPC/subnet relationship is expressed in CloudFormation to avoid false positives.

Secure configuration example:

MyVPC:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: 10.0.0.0/16
    EnableDnsSupport: true
    EnableDnsHostnames: true

MySubnet:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref MyVPC
    CidrBlock: 10.0.1.0/24
    AvailabilityZone: us-east-1a

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC_2:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    mySubnet:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId:
            Ref: myVPC_2
        CidrBlock: 10.0.0.0/24
        AvailabilityZone: "us-east-1a"

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myVPC_2": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": "false",
        "EnableDnsHostnames": "false",
        "InstanceTenancy": "dedicated"
      }
    },
    "mySubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC_2"
        },
        "CidrBlock": "10.0.0.0/24",
        "AvailabilityZone": "us-east-1a"
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC_1:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myVPC_1": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "InstanceTenancy": "dedicated",
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": "false",
        "EnableDnsHostnames": "false"
      }
    }
  }
}