Checks whether each Elastic Compute Service (ECS) instance uses the virtual private cloud (VPC) network type if the vpcIds parameter is not specified, or whether the VPC in which each ECS instance resides is one of the specified VPCs if the vpcIds parameter is specified.
Scenarios
We recommend that you create an ECS instance that is deployed in a VPC to isolate the network and ensure network security in the cloud.
Risk level
Default risk level: medium.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If you do not specify the vpcIds parameter, the system checks the network type of each ECS instance. If the network type is VPC, the evaluation result is compliant. If the network type is classic network, the evaluation result is non-compliant.
- If you specify the vpcIds parameter, the system checks whether the VPC in which each ECS instance resides is one of the specified VPCs. If yes, the evaluation result is compliant. If no, the evaluation result is non-compliant. An ECS instance in the classic network does not reside in any VPC and is therefore non-compliant in this case as well. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
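The following script reproduces the evaluation logic above so that you can run the same check over your own inventory before or after applying the rule. It is an added example, not the implementation of the Config rule. The record fields (InstanceNetworkType, VpcAttributes.VpcId) are assumed to follow the shape of the ECS DescribeInstances response; the sample instance records are constructed for this example and are not real instances.

```python
"""Re-implement the ecs-instances-in-vpc evaluation over ECS instance records.

Added example, not Alibaba Cloud Config's own code. Field names
(InstanceNetworkType, VpcAttributes.VpcId) are assumed to match the
Instances.Instance items of an ECS DescribeInstances response.
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def parse_vpc_ids(vpc_ids_param):
    """Parse the rule's vpcIds input parameter.

    The parameter is a comma-separated string. Surrounding whitespace and
    empty items are ignored. None or an all-blank string means that the
    parameter is not specified, which is returned as None.
    """
    if vpc_ids_param is None:
        return None
    ids = {item.strip() for item in vpc_ids_param.split(",") if item.strip()}
    return ids or None


def evaluate_instance(instance, allowed_vpcs):
    """Evaluate one ECS instance record against the rule.

    allowed_vpcs is None  -> compliant only if the network type is "vpc".
    allowed_vpcs is a set -> compliant only if the instance's VpcId is in the set.

    A classic-network instance carries no VpcId, so it is non-compliant in
    both modes: an instance outside any VPC cannot reside in a specified VPC.
    """
    network_type = (instance.get("InstanceNetworkType") or "").lower()
    vpc_id = (instance.get("VpcAttributes") or {}).get("VpcId") or ""

    if allowed_vpcs is None:
        compliant = network_type == "vpc"
    else:
        compliant = network_type == "vpc" and vpc_id in allowed_vpcs

    return {
        "InstanceId": instance.get("InstanceId"),
        "NetworkType": network_type or "unknown",
        "VpcId": vpc_id or None,
        "Result": COMPLIANT if compliant else NON_COMPLIANT,
    }


def evaluate_rule(instances, vpc_ids_param=None):
    """Return {InstanceId: COMPLIANT | NON_COMPLIANT} for a list of instances."""
    allowed = parse_vpc_ids(vpc_ids_param)
    results = (evaluate_instance(inst, allowed) for inst in instances)
    return {r["InstanceId"]: r["Result"] for r in results}


# Constructed sample records (not real instances). The shape mirrors the
# Instances.Instance items of a DescribeInstances response.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-vpc-a", "InstanceNetworkType": "vpc",
     "VpcAttributes": {"VpcId": "vpc-aaaa", "VSwitchId": "vsw-aaaa"}},
    {"InstanceId": "i-vpc-b", "InstanceNetworkType": "vpc",
     "VpcAttributes": {"VpcId": "vpc-bbbb", "VSwitchId": "vsw-bbbb"}},
    {"InstanceId": "i-classic", "InstanceNetworkType": "classic",
     "VpcAttributes": {}},
]

if __name__ == "__main__":
    # Mode 1: vpcIds not specified -> network type must be VPC.
    print("vpcIds not specified:", evaluate_rule(SAMPLE_INSTANCES))
    # Mode 2: vpcIds specified -> the instance must reside in one of them.
    print("vpcIds = 'vpc-aaaa':", evaluate_rule(SAMPLE_INSTANCES, "vpc-aaaa"))
    print("vpcIds = 'vpc-aaaa, vpc-bbbb':",
          evaluate_rule(SAMPLE_INSTANCES, "vpc-aaaa, vpc-bbbb"))
```

To check a live account, replace SAMPLE_INSTANCES with the Instances.Instance items returned by paging through DescribeInstances in each region; the evaluation functions do not need to change.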
Rule details
Item | Description |
---|---|
Rule name | ecs-instances-in-vpc |
Rule ID | ecs-instances-in-vpc |
Tag | ECS and VPC |
Automatic remediation | Not supported |
Trigger type | Configuration change |
Supported resource type | ECS instance |
Input parameter | vpcIds. Separate multiple VPC IDs with commas (,). |
Non-compliance remediation
For more information about how to deploy an ECS instance in a VPC, see Change the VPC of an ECS instance.