Default VPC usage
Check ID: aws-vpc-001
AWS-VPC-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It reports a finding when a region's default VPC contains network interfaces (ENIs), which means workloads are running in it. Default VPCs have overly permissive networking defaults.
Why it matters
Every region is created with a default VPC (172.31.0.0/16) whose subnets are all public: each subnet auto-assigns a public IPv4 address at launch, the main route table sends 0.0.0.0/0 to a pre-attached internet gateway, and the default security group allows all outbound traffic and all inbound traffic from members of the same group. Resources launched there are often unintentionally internet-facing. The AWS Well-Architected Framework recommends against using default VPCs for production workloads. In 2022, Unit 42 researchers reported that 72% of misconfigured cloud resources they examined were deployed in default VPCs because developers chose the path of least resistance. Custom VPCs give you control over CIDR ranges, subnet design, routing, and network segmentation. If you are not using the default VPC, delete it, or at least confirm that no network interfaces exist within it. Because each region has its own default VPC, the check has to run in every enabled region, not only the ones you actively use.
Common causes
Default VPCs get used because the AWS Console pre-selects them when launching EC2 instances, RDS databases, and other resources. Engineers doing quick prototyping or following tutorials choose the default VPC to avoid the overhead of creating custom networking. Once production workloads land in the default VPC, migrating them to a custom VPC requires downtime and careful network reconfiguration that teams keep deferring.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
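To show what the check evaluates, here is the detection logic written out as an added example. It is not cloud-audit's own code; it runs the same decision over constructed EC2 API responses (shaped like boto3's describe_vpcs and describe_network_interfaces output) so it executes offline, and an optional live function applies the same logic through boto3. The VPC and ENI identifiers in the sample data are made up.

```python
"""Added example: 'default VPC has network interfaces' check over
constructed API responses. Not cloud-audit's implementation."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    region: str
    vpc_id: str
    eni_count: int
    enis: list = field(default_factory=list)  # "eni-id -> owner (type)" strings


def default_vpcs(describe_vpcs_response):
    """Default VPC IDs in a describe_vpcs response (0 or 1 per region)."""
    return [v["VpcId"] for v in describe_vpcs_response.get("Vpcs", [])
            if v.get("IsDefault")]


def vpc_enis(describe_enis_response, vpc_id):
    """ENIs that live in vpc_id, labelled with what owns them.

    An EC2 attachment carries InstanceId; AWS-managed ENIs (RDS, ELB,
    Lambda, ...) carry RequesterId and/or a Description instead.
    """
    out = []
    for eni in describe_enis_response.get("NetworkInterfaces", []):
        if eni.get("VpcId") != vpc_id:
            continue
        att = eni.get("Attachment") or {}
        owner = (att.get("InstanceId") or eni.get("RequesterId")
                 or eni.get("Description") or "unattached")
        out.append(f"{eni['NetworkInterfaceId']} -> {owner} "
                   f"({eni.get('InterfaceType', 'interface')})")
    return out


def evaluate_region(region, vpcs_resp, enis_resp):
    """One Finding per default VPC in the region that still has ENIs."""
    findings = []
    for vpc_id in default_vpcs(vpcs_resp):
        enis = vpc_enis(enis_resp, vpc_id)
        if enis:  # an empty default VPC is not reported
            findings.append(Finding(region, vpc_id, len(enis), enis))
    return findings


def fetch_and_evaluate(region):
    """Live variant: same logic over real calls. Needs boto3 credentials
    with ec2:DescribeVpcs and ec2:DescribeNetworkInterfaces."""
    import boto3  # imported lazily so the offline example runs without it
    ec2 = boto3.client("ec2", region_name=region)
    vpcs = ec2.describe_vpcs(Filters=[{"Name": "is-default", "Values": ["true"]}])
    enis = {"NetworkInterfaces": []}
    for vpc_id in default_vpcs(vpcs):
        pages = ec2.get_paginator("describe_network_interfaces").paginate(
            Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
        for page in pages:
            enis["NetworkInterfaces"].extend(page["NetworkInterfaces"])
    return evaluate_region(region, vpcs, enis)


# Constructed sample responses (not real account data): a default VPC with an
# EC2 ENI and an RDS ENI, plus a custom VPC with one ENI that must be ignored.
SAMPLE_VPCS = {"Vpcs": [
    {"VpcId": "vpc-0default00", "IsDefault": True, "CidrBlock": "172.31.0.0/16"},
    {"VpcId": "vpc-0custom000", "IsDefault": False, "CidrBlock": "10.0.0.0/16"},
]}
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0a", "VpcId": "vpc-0default00",
     "InterfaceType": "interface",
     "Attachment": {"InstanceId": "i-0abc", "Status": "attached"}},
    {"NetworkInterfaceId": "eni-0b", "VpcId": "vpc-0default00",
     "InterfaceType": "interface", "Description": "RDSNetworkInterface",
     "RequesterId": "amazon-rds", "Attachment": {"Status": "attached"}},
    {"NetworkInterfaceId": "eni-0c", "VpcId": "vpc-0custom000",
     "InterfaceType": "interface",
     "Attachment": {"InstanceId": "i-0def", "Status": "attached"}},
]}

if __name__ == "__main__":
    for f in evaluate_region("us-east-1", SAMPLE_VPCS, SAMPLE_ENIS):
        print(f"{f.region} {f.vpc_id}: {f.eni_count} ENI(s)")
        for line in f.enis:
            print("  ", line)
```

The owner label matters in practice: an ENI owned by amazon-rds or amazon-elb tells you the migration involves an RDS instance or load balancer rather than an EC2 host, which changes the remediation effort.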
Remediation: AWS CLI
# Migrate resources to a custom VPC first. There is no delete-default-vpc command: delete the VPC's dependencies (subnets, internet gateway), then the VPC itself. The default security group, main route table and default NACL are removed with it.
VPC_ID=$(aws ec2 describe-vpcs --region REGION --filters Name=is-default,Values=true --query 'Vpcs[0].VpcId' --output text)
for s in $(aws ec2 describe-subnets --region REGION --filters Name=vpc-id,Values=$VPC_ID --query 'Subnets[].SubnetId' --output text); do aws ec2 delete-subnet --region REGION --subnet-id "$s"; done
IGW_ID=$(aws ec2 describe-internet-gateways --region REGION --filters Name=attachment.vpc-id,Values=$VPC_ID --query 'InternetGateways[0].InternetGatewayId' --output text)
aws ec2 detach-internet-gateway --region REGION --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID" && aws ec2 delete-internet-gateway --region REGION --internet-gateway-id "$IGW_ID"
aws ec2 delete-vpc --region REGION --vpc-id "$VPC_ID"
# Note: the delete fails while any network interface remains in the VPC. The default VPC can be recreated later with:
aws ec2 create-default-vpc --region REGION
Remediation: Terraform
# Custom VPC to replace the default one. Add subnets, route tables and
# security groups explicitly so nothing is internet-facing by default.
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "main"
  }
}
Compliance mapping
This check maps to CIS 5.3 in the CIS AWS Foundations Benchmark. Section numbering shifts between benchmark versions, so confirm the control number against the version your organisation has adopted. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Network Firewall vs Palo Alto VM-Series →