On July 27th, 2017, Amazon Web Services released the ability for end users to re-create their default VPC. Previously, if you deleted your default VPC, your only option for having one re-created was to open a support ticket with AWS.

Full details regarding the release can be found here: https://aws.amazon.com/about-aws/whats-new/2017/07/create-a-new-default-vpc-using-aws-console-or-cli/ 

Full VPC documentation, including programmatic examples, can be found on this page: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html


A word of caution…

For customers that use IAM policies to restrict the creation of VPCs, those policies now have to be updated to include one more action.

A sample VPC creation deny policy is shown below:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1507368536000",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVpc"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

While this was enough to prevent your users from creating VPCs in the past, we now need to add another action to the deny list: “ec2:CreateDefaultVpc”.

As of today, the IAM policy updater has not yet been updated to include this action, nor was I able to find any details on the AWS documentation sites.

I came across this issue by coincidence when a user asked me to delete a VPC because he was receiving an unauthorized message when trying to do so. Having created the policy myself, I thought, “well, how did you create the VPC in the first place?!” After discussing this with the user: following the July 27th, 2017 release, the option is simply available when launching an EC2 instance. In the screenshot below, you will notice that there are two places on the “Configure Instance Details” screen where one can create a new default VPC.


Even though the user may be denied when attempting to create a VPC, they will not be denied if they click the “create a new default VPC” link and create a default VPC using the wizard. Furthermore, they would not be denied if they attempted this action programmatically, or through another service or console wizard, because “ec2:CreateDefaultVpc” is a separate IAM action from “ec2:CreateVpc” and the policy above does not cover it.

In order to deny VPC creation as well as default VPC re-creation (confirmed with AWS), we must add the following action to our deny policy: “ec2:CreateDefaultVpc”.

Thus our policy should now look like this:



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1507374912000",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVpc",
                "ec2:CreateDefaultVpc"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The above policy now blocks both VPC creation actions, so users can create neither a custom VPC nor a new default VPC.
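As an added example (not part of the original post), the following Python script checks a policy document for exactly the gap described above. It applies simplified IAM deny matching (case-insensitive action names with “*” and “?” wildcards; Resource and Condition treated as unrestricted, which is how the policies in this post are written) and reports which VPC creation actions a policy fails to deny. The first two policy documents are the ones shown in the post; the third wildcard policy and all function names are my own assumptions.

```python
import fnmatch
import json

# The two policies from the post, embedded as constructed sample input.
OLD_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1507368536000",
            "Effect": "Deny",
            "Action": ["ec2:CreateVpc"],
            "Resource": ["*"]
        }
    ]
}
""")

NEW_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1507374912000",
            "Effect": "Deny",
            "Action": ["ec2:CreateVpc", "ec2:CreateDefaultVpc"],
            "Resource": ["*"]
        }
    ]
}
""")

# Hypothetical variant (not from the post): one wildcard pattern that covers
# both actions, and any future ec2:Create...Vpc action AWS might add.
WILDCARD_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:Create*Vpc",
            "Resource": "*"
        }
    ]
}
""")

# The two actions that create a VPC, per the post.
VPC_CREATION_ACTIONS = ["ec2:CreateVpc", "ec2:CreateDefaultVpc"]


def _as_list(value):
    """IAM accepts either a single string or a list for Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM matches action names case-insensitively, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_denies(statement, action):
    """True if this statement is an explicit Deny that covers the action.

    Simplification: Resource and Condition are treated as unrestricted
    ("*" and absent), which is how the post's policies are written.
    """
    if statement.get("Effect") != "Deny":
        return False
    if "Action" in statement:
        return any(action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        # NotAction denies everything except the listed patterns.
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def is_denied(policy, action):
    """An explicit Deny in any statement wins, as in IAM evaluation."""
    return any(statement_denies(s, action) for s in policy["Statement"])


def missing_denies(policy, required_actions):
    """Return the required actions that the policy does not explicitly deny."""
    return [a for a in required_actions if not is_denied(policy, a)]


if __name__ == "__main__":
    for name, policy in [("old", OLD_POLICY), ("new", NEW_POLICY), ("wildcard", WILDCARD_POLICY)]:
        gaps = missing_denies(policy, VPC_CREATION_ACTIONS)
        status = "OK" if not gaps else "GAP: " + ", ".join(gaps)
        print(f"{name:8s} policy -> {status}")
```

Running it reports a gap for “ec2:CreateDefaultVpc” on the old policy and OK for the other two. Against a real account, the equivalent check is the IAM policy simulator, e.g. `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:CreateVpc ec2:CreateDefaultVpc`, which runs the real evaluation engine including Resource and Condition. The wildcard form trades precision for coverage: it also denies any later-added action whose name matches the pattern, which may or may not be what you want.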

Let me know if you have any questions. Thanks!