6.5 Ensure subnets for the Web tier ELB are created

Information

You can create a VPC that spans multiple Availability Zones. After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. AWS assigns a unique ID to each subnet.

When you create a subnet, you specify the CIDR block for the subnet. The CIDR block of a subnet shouldn't be the same as the CIDR block for the VPC (for a single subnet in the VPC). The allowed block size is between a /28 netmask and /16 netmask. If you create more than one subnet in a VPC, the CIDR blocks of the subnets must not overlap.

Some AWS regions have more than 2 Availability Zones, and it is recommended to use more than 2 where possible.
At least 2 subnets in 2 different Availability Zones (AZs) should be created so that the deployed resources are fault tolerant and highly available.

Solution

Using the Amazon unified command line interface:

* Create subnets for Web tier ELB, and note the subnet id:

aws ec2 create-subnet --vpc-id <application_vpc> --cidr-block <desired_cidr> --availability-zone <availability_zone>

(Run the command once per Availability Zone, with a distinct, non-overlapping CIDR block each time, so that the subnets do not all land in the same zone.)

* Tag the above subnets with the Web tier ELB tags:

aws ec2 create-tags --resources <web_tier_elb_subnet1> <web_tier_elb_subnet2> --tags Key=<public_tier_tag>,Value=<public_tier_tag_value>
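To verify the result of the two steps above, the following added audit script (not part of the benchmark or of Tenable's plugin) reads output in the shape returned by `aws ec2 describe-subnets`, selects the subnets carrying the Web tier ELB tag, and checks the rules this control describes: at least 2 distinct Availability Zones, prefix lengths between /16 and /28, and no overlapping CIDR blocks; it additionally checks that each subnet lies inside the VPC CIDR. The subnet IDs, VPC ID, tag and CIDRs below are constructed sample values, not real account data.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-subnets` output (not real account data).
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0123", "CidrBlock": "10.0.1.0/24",
         "AvailabilityZone": "us-east-1a",
         "Tags": [{"Key": "Tier", "Value": "web-elb"}]},
        {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0123", "CidrBlock": "10.0.2.0/24",
         "AvailabilityZone": "us-east-1b",
         "Tags": [{"Key": "Tier", "Value": "web-elb"}]},
        # Second tier in the same VPC, but only present in one AZ (should fail the AZ check).
        {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0123", "CidrBlock": "10.0.3.0/24",
         "AvailabilityZone": "us-east-1a",
         "Tags": [{"Key": "Tier", "Value": "app"}]},
    ]
})


def audit_elb_subnets(describe_json, vpc_id, vpc_cidr, tag_key, tag_value, min_azs=2):
    """Return (passed, findings) for the subnets tagged tag_key=tag_value in vpc_id."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    findings = []
    selected = [s for s in json.loads(describe_json)["Subnets"]
                if s.get("VpcId") == vpc_id
                and any(t["Key"] == tag_key and t["Value"] == tag_value
                        for t in s.get("Tags", []))]
    if not selected:
        return False, [f"no subnet tagged {tag_key}={tag_value} in {vpc_id}"]
    # Fault tolerance requires the ELB subnets to span at least min_azs zones.
    azs = {s["AvailabilityZone"] for s in selected}
    if len(azs) < min_azs:
        findings.append(f"only {len(azs)} AZ(s) used: {sorted(azs)}; need {min_azs}")
    seen = []  # (subnet id, network) already checked, for the overlap test
    for s in selected:
        net = ipaddress.ip_network(s["CidrBlock"])
        if not 16 <= net.prefixlen <= 28:
            findings.append(f"{s['SubnetId']} prefix /{net.prefixlen} outside /16../28")
        if not net.subnet_of(vpc_net):
            findings.append(f"{s['SubnetId']} {net} not inside VPC {vpc_net}")
        for other_id, other in seen:
            if net.overlaps(other):
                findings.append(f"{s['SubnetId']} {net} overlaps {other_id} {other}")
        seen.append((s["SubnetId"], net))
    return not findings, findings


if __name__ == "__main__":
    print(audit_elb_subnets(SAMPLE_DESCRIBE_SUBNETS, "vpc-0123", "10.0.0.0/16", "Tier", "web-elb"))
```

Feed it the real `aws ec2 describe-subnets --filters Name=vpc-id,Values=<application_vpc>` output and your own tag key and value to audit a live VPC.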

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(22)

Plugin: amazon_aws

Control ID: d2202c564046e629253ac7221c439c18efe923a814f00aa8a388d639942ca9d3