
VPC Change

This alert occurs when Lacework detects a VPC configuration change.

Why this Alert is Important

An unauthorized change to a VPC configuration can lead to loss of integrity and give anyone access to the VPC. Attackers can then use the VPC to carry out malicious activities and misuse the infrastructure for their own benefit.

Investigation

Audit every modification made to the VPC, regardless of who made it. Examine the audit logs to see which activities were carried out in this VPC. Review the access policy to determine who has access to this VPC.

Resolution

If this was an unauthorized modification of a VPC, audit and revert the changes made to the VPC. Institute a policy to follow security best practices whenever a new VPC is created. Best practices include isolating VPC environments from one another, choosing a CIDR IP block for the VPC that does not overlap with others, and putting other security mechanisms in place to prevent unauthorized access.
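The audit-log review and CIDR overlap check described above, as an added example that is not Lacework's detection logic. It assumes the audit logs are AWS CloudTrail records; the event-name list, the approved role ARN, the CIDR inventory, and the sample records are all constructed for illustration.

```python
import ipaddress

# EC2 API actions treated as VPC changes (assumed list, not Lacework's rule).
VPC_CHANGE_EVENTS = {"CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
                     "CreateVpcPeeringConnection", "AcceptVpcPeeringConnection"}
NETWORK_ADMIN = "arn:aws:iam::111122223333:role/network-admin"  # hypothetical role
APPROVED = {NETWORK_ADMIN}  # principals permitted to change VPCs (assumption)
EXISTING_CIDRS = ["10.0.0.0/16", "10.1.0.0/16"]  # constructed inventory

def actor_arn(rec):
    # For assumed-role sessions the role ARN sits under sessionIssuer.
    ident = rec.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")

def overlapping_cidrs(new_cidr, existing=EXISTING_CIDRS):
    new_net = ipaddress.ip_network(new_cidr, strict=False)
    return [c for c in existing if new_net.overlaps(ipaddress.ip_network(c))]

def triage(records):
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in VPC_CHANGE_EVENTS or "errorCode" in rec:
            continue  # not a VPC change, or the call failed and changed nothing
        actor, reasons = actor_arn(rec), []
        if actor not in APPROVED:
            reasons.append("unapproved principal")
        cidr = (rec.get("requestParameters") or {}).get("cidrBlock")
        if rec["eventName"] == "CreateVpc" and cidr and overlapping_cidrs(cidr):
            reasons.append("overlapping CIDR")
        if reasons:
            findings.append((rec["eventTime"], rec["eventName"], actor, reasons))
    return findings

# Constructed CloudTrail-style records (not real log data).
DEV = {"arn": "arn:aws:iam::111122223333:user/dev-user"}
ADMIN = {"arn": "arn:aws:sts::111122223333:assumed-role/network-admin/alice",
         "sessionContext": {"sessionIssuer": {"arn": NETWORK_ADMIN}}}
def _rec(time, name, who, params=None, **extra):
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com",
            "eventName": name, "userIdentity": who, "requestParameters": params, **extra}
SAMPLE = [
    _rec("2024-01-01T10:00:00Z", "CreateVpc", DEV, {"cidrBlock": "10.1.128.0/20"}),
    _rec("2024-01-01T10:05:00Z", "ModifyVpcAttribute", ADMIN, {"vpcId": "vpc-example"}),
    _rec("2024-01-01T10:07:00Z", "DeleteVpc", DEV, errorCode="Client.UnauthorizedOperation"),
    _rec("2024-01-01T10:09:00Z", "DescribeVpcs", DEV),
]
if __name__ == "__main__": print(*triage(SAMPLE), sep="\n")
```

Failed calls are skipped here because they changed nothing; review them separately if denied attempts by unapproved principals matter to the investigation.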

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html