What this looks like in the scanner
securecompass.io/public-exposure-scanner
Critical
vpc-0a1b2c3d4e5f6a7b8
Private subnet route table has a route to internet gateway igw-0f1e2d3c allowing direct internet access
High
vpc-09d8c7b6a5e4f3d2
Default network ACL allows all inbound traffic on all ports from 0.0.0.0/0
Medium
vpc-01a2b3c4d5e6f7a8
VPC flow logs are not enabled - network traffic is not being monitored
What does Amazon VPC public exposure mean?
VPC exposure occurs at the network layer - internet gateways, NAT configurations, route tables, and network ACLs that collectively determine what can reach your resources from the internet and what your resources can reach.
Why it matters
The VPC is your network perimeter. Misconfigurations here affect every resource inside it. An overly permissive VPC is the foundation for all other types of public exposure.
How to check manually
1. Review route tables for routes to internet gateways from private subnets
2. Check network ACLs for overly permissive inbound rules
3. Verify VPC flow logs are enabled for monitoring
4. Review VPC peering connections and transit gateway attachments
Quick check with AWS CLI
Find VPCs with internet gateways attached
aws ec2 describe-internet-gateways --query "InternetGateways[].{IGW:InternetGatewayId,VPC:Attachments[0].VpcId}"
Check route tables for public routes in private subnets
aws ec2 describe-route-tables --query "RouteTables[].{Id:RouteTableId,Routes:Routes[?GatewayId!='local'].{Dest:DestinationCidrBlock,Target:GatewayId}}"
Find subnets with auto-assign public IP enabled
aws ec2 describe-subnets --query 'Subnets[?MapPublicIpOnLaunch==`true`].{SubnetId:SubnetId,VpcId:VpcId,CIDR:CidrBlock}'
Common misconfigurations
Private subnets with routes to an internet gateway
Default network ACL allowing all inbound traffic
VPC peering with overly broad route table entries
Missing VPC flow logs for security monitoring
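The first misconfiguration above is easy to miss because a subnet with no explicit route table association silently uses the VPC's main route table. The following is an added example (not part of the original page or the scanner's code) that resolves each subnet's effective route table from `describe-route-tables` / `describe-subnets` JSON and reports private subnets that reach an internet gateway. It assumes subnet intent is recorded in a hypothetical `Tier=private` tag; the sample data is constructed.

```python
# Added example. Input shapes match `aws ec2 describe-route-tables` and
# `aws ec2 describe-subnets`. Assumption: a Tier=private tag marks private subnets.
# Constructed sample data, not from a real account.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-a",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-111"}]},
    {"RouteTableId": "rtb-nat", "VpcId": "vpc-a",
     "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-222"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-app", "VpcId": "vpc-a", "Tags": [{"Key": "Tier", "Value": "private"}]},
    {"SubnetId": "subnet-db", "VpcId": "vpc-a", "Tags": [{"Key": "Tier", "Value": "private"}]},
    {"SubnetId": "subnet-web", "VpcId": "vpc-a", "Tags": [{"Key": "Tier", "Value": "public"}]},
]

def effective_route_table(subnet, route_tables):
    """Explicit association wins; otherwise the subnet uses its VPC's main route table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def igw_routes(rt):
    """Routes targeting an internet gateway (excludes 'local', NAT and vpce- targets)."""
    return [r for r in rt.get("Routes", []) if (r.get("GatewayId") or "").startswith("igw-")]

def exposed_private_subnets(subnets, route_tables):
    """Return (subnet, route table, destination, gateway) for each private subnet IGW route."""
    findings = []
    for s in subnets:
        tags = {t["Key"]: t["Value"] for t in s.get("Tags", [])}
        if tags.get("Tier") != "private":
            continue
        rt = effective_route_table(s, route_tables)
        for r in igw_routes(rt) if rt else []:
            dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
            findings.append((s["SubnetId"], rt["RouteTableId"], dest, r["GatewayId"]))
    return findings

print(exposed_private_subnets(SUBNETS, ROUTE_TABLES))
```

Here `subnet-db` is flagged only because it inherits the main route table, which is why listing explicit associations alone is not a sufficient check.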
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.