New VPC

This alert occurs when Lacework detects the creation of a new VPC.

Why this Alert is Important

A VPC created by an unauthorized person can lead to a loss of integrity and can give anyone access to that VPC. Attackers can use the VPC to carry out malicious activities and misuse the infrastructure for their own benefit.

Investigation

Audit the creation of any new VPC, whoever created it. Examine the audit logs to see which activities were carried out in this VPC. Analyze the access policy to determine who has access to it.

Resolution

If this was an unauthorized creation of a new VPC, audit and delete the VPC. Institute a policy to follow security best practices whenever a new VPC is created. Best practices include isolating VPC environments from one another, choosing a CIDR IP block for the VPC that does not overlap with others, and putting other security mechanisms in place to prevent unauthorized access.
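As an added example (not Lacework's code and not part of the original page), the Python below applies the Investigation and Resolution steps to AWS CloudTrail `CreateVpc` records: it resolves who created each VPC, checks that identity against an approved list, and tests the requested CIDR block for overlap with known VPCs. The sample events, the `AUTHORIZED` allowlist and the `EXISTING_CIDRS` inventory are constructed assumptions.

```python
import ipaddress
import json

# Constructed CloudTrail records for illustration (not real account data).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateVpc", "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/network-admin/alice",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/network-admin"}}},
  "requestParameters": {"cidrBlock": "10.20.0.0/16"},
  "responseElements": {"vpc": {"vpcId": "vpc-0aaa0000000000001"}}},
 {"eventTime": "2024-01-10T13:30:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateVpc", "awsRegion": "eu-west-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-temp"},
  "requestParameters": {"cidrBlock": "10.0.128.0/20"},
  "responseElements": {"vpc": {"vpcId": "vpc-0bbb0000000000002"}}},
 {"eventTime": "2024-01-10T13:31:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs",
  "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-temp"}}
]""")
# Assumptions: the allowlist of approved creators and the CIDR inventory.
AUTHORIZED = {"arn:aws:iam::111122223333:role/network-admin"}
EXISTING_CIDRS = ["10.0.0.0/16", "172.31.0.0/16"]

def triage_vpc_creations(events, authorized, existing_cidrs):
    """Return one finding per successful CreateVpc call, in event order."""
    known = [ipaddress.ip_network(c) for c in existing_cidrs]
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("ec2.amazonaws.com", "CreateVpc"):
            continue
        if ev.get("errorCode"):  # the call failed, so no VPC was created
            continue
        ident = ev.get("userIdentity") or {}
        # For assumed roles, match on the role itself, not the per-session ARN.
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        actor = issuer.get("arn") or ident.get("arn", "unknown")
        cidr = (ev.get("requestParameters") or {}).get("cidrBlock")  # may be absent
        net = ipaddress.ip_network(cidr) if cidr else None
        findings.append({
            "time": ev.get("eventTime"), "region": ev.get("awsRegion"), "actor": actor,
            "vpc_id": ((ev.get("responseElements") or {}).get("vpc") or {}).get("vpcId"),
            "cidr": cidr, "authorized": actor in authorized,
            "overlaps": [str(k) for k in known if net and net.overlaps(k)],
        })
        if net:
            known.append(net)  # later VPCs are checked against this one too
    return findings
```

A finding with `authorized` set to false or a non-empty `overlaps` list is the one to follow up by reviewing activity in that `vpc_id` and the policies that grant access to it.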

https://attack.mitre.org/tactics/TA0001/

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html