If no virtual private cloud (VPC) IDs are specified and the Elastic Compute Service (ECS) instance resides in a VPC, the evaluation result is Compliant. If VPC IDs are specified and the ECS instance resides in one of the specified VPCs, the evaluation result is Compliant.
Scenarios
We recommend that you create an ECS instance that is deployed in a VPC to isolate the network and ensure network security in the cloud.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If no VPC IDs are specified and the ECS instance resides in a VPC, the evaluation result is Compliant. If VPC IDs are specified and the ECS instance resides in one of the specified VPCs, the evaluation result is Compliant.
- If no VPC IDs are specified and the ECS instance does not reside in a VPC, the evaluation result is Incompliant. If VPC IDs are specified and the ECS instance does not reside in one of the specified VPCs, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see the "Incompliance remediation" section of this topic.
- For ECS instances that are not in the running state, the result is always Incompliant.
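The evaluation logic above, written out as an added reference implementation (not Alibaba Cloud's own rule code) that can be run against an exported inventory; it assumes a hypothetical instance record with a status string (Running is the running state) and an optional VPC ID, and the vpcIds parameter in its documented comma-separated form:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class EcsInstance:
    """Hypothetical minimal view of an ECS instance for rule evaluation."""
    instance_id: str
    status: str               # assumed: "Running" marks the running state
    vpc_id: Optional[str]     # None when the instance is not in any VPC


def parse_vpc_ids(vpc_ids: str) -> Set[str]:
    """Split the comma-separated vpcIds parameter; empty means 'not specified'."""
    return {v.strip() for v in vpc_ids.split(",") if v.strip()}


def evaluate(instance: EcsInstance, vpc_ids: str = "") -> str:
    """Return 'Compliant' or 'Incompliant' following the rule's three cases."""
    # Instances that are not running are always Incompliant.
    if instance.status != "Running":
        return "Incompliant"
    # An instance outside any VPC is Incompliant whether or not IDs were given.
    if not instance.vpc_id:
        return "Incompliant"
    allowed = parse_vpc_ids(vpc_ids)
    # No VPC IDs specified: residing in any VPC is enough.
    if not allowed:
        return "Compliant"
    # VPC IDs specified: the instance must reside in one of them.
    return "Compliant" if instance.vpc_id in allowed else "Incompliant"


def evaluate_all(instances: List[EcsInstance], vpc_ids: str = "") -> Dict[str, str]:
    """Evaluate an inventory and map each instance ID to its result."""
    return {i.instance_id: evaluate(i, vpc_ids) for i in instances}


# Constructed sample inventory; IDs are placeholders, not real resources.
SAMPLE_INSTANCES = [
    EcsInstance("i-sample-1", "Running", "vpc-sample-a"),
    EcsInstance("i-sample-2", "Running", "vpc-sample-b"),
    EcsInstance("i-sample-3", "Running", None),
    EcsInstance("i-sample-4", "Stopped", "vpc-sample-a"),
]

if __name__ == "__main__":
    for iid, result in evaluate_all(SAMPLE_INSTANCES, "vpc-sample-a").items():
        print(iid, result)
```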
Rule details
Item | Description |
---|---|
Rule name | ecs-running-instances-in-vpc |
Rule identifier | ecs-running-instances-in-vpc |
Tag | ECS and VPC |
Automatic remediation | Supported |
Trigger type | Configuration change |
Supported resource type | ECS instances |
Input parameter | vpcIds. Note: Separate multiple VPC IDs with commas (,). |
Incompliance remediation
Make sure that your ECS instances reside in VPCs or change the VPCs in which the ECS instances reside. For more information, see Change the VPC of an ECS instance.