Each VPC is assessed for subnets spread across multiple Availability Zones. The check distinguishes VPCs whose subnets are confined to a single AZ, or that have no subnets at all, from VPCs with subnets in 2+ distinct AZs; only the latter satisfy the check.
Risk
A single-AZ subnet layout makes that AZ a single point of failure, so an AZ outage, maintenance window, or capacity event takes the workload down with it. The lack of zonal redundancy also constrains load-balancer and egress design, reduces fault isolation, and undermines availability and recovery objectives.
prowler aws --checks vpc_subnet_different_az
Recommendation
Distribute subnets across 2+ Availability Zones and deploy workloads in separate AZs for high availability. Mirror network tiers per AZ, align routing and egress per AZ, and enforce multi-AZ layouts with IaC and policy guardrails. Regularly test failover to validate resilience.
Remediation
- In the AWS Console, go to VPC > Subnets
- Click Create subnet
- Select the target VPC (<example_resource_id>)
- Add two subnets with non-overlapping CIDRs in different Availability Zones (e.g., <example_az_1> and <example_az_2>)
- Click Create subnet to save
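The pass/fail logic described above, together with a pre-flight check for the remediation step (non-overlapping CIDRs in a new AZ), modelled offline in Python. This is an added example, not Prowler's own check code; the VPC and subnet records are constructed to mimic the shape of describe_vpcs()/describe_subnets() output and are not real resources.

```python
"""Offline model of the vpc_subnet_different_az check and its remediation step."""
import ipaddress

# Constructed sample shaped like describe_vpcs()/describe_subnets() output (not real data).
VPCS = [{"VpcId": "vpc-aaaa0001"}, {"VpcId": "vpc-bbbb0002"}, {"VpcId": "vpc-cccc0003"}]
SUBNETS = [
    {"VpcId": "vpc-aaaa0001", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/24"},
    {"VpcId": "vpc-aaaa0001", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.1.0/24"},
    {"VpcId": "vpc-bbbb0002", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.1.0.0/24"},
    {"VpcId": "vpc-bbbb0002", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.1.1.0/24"},
]  # vpc-cccc0003 deliberately has no subnets


def azs_per_vpc(vpcs, subnets):
    """Map each VPC id to the set of AZs its subnets occupy (empty set if none)."""
    azs = {v["VpcId"]: set() for v in vpcs}
    for s in subnets:
        azs.setdefault(s["VpcId"], set()).add(s["AvailabilityZone"])
    return azs


def evaluate(vpcs, subnets):
    """Return {vpc_id: (status, reason)}; PASS requires subnets in 2+ distinct AZs."""
    findings = {}
    for vpc_id, azs in azs_per_vpc(vpcs, subnets).items():
        if len(azs) >= 2:
            findings[vpc_id] = ("PASS", f"subnets span {', '.join(sorted(azs))}")
        elif azs:
            findings[vpc_id] = ("FAIL", f"all subnets confined to {next(iter(azs))}")
        else:
            findings[vpc_id] = ("FAIL", "VPC has no subnets")
    return findings


def validate_remediation(vpc_id, subnets, proposed):
    """Check proposed (az, cidr) pairs for one VPC: no CIDR may overlap an existing
    subnet or another proposal, and the result must cover 2+ AZs. Returns problems."""
    existing = [ipaddress.ip_network(s["CidrBlock"]) for s in subnets if s["VpcId"] == vpc_id]
    azs = {s["AvailabilityZone"] for s in subnets if s["VpcId"] == vpc_id}
    problems, seen = [], list(existing)
    for az, cidr in proposed:
        net = ipaddress.ip_network(cidr)
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{cidr} overlaps {other}")
        seen.append(net)
        azs.add(az)
    if len(azs) < 2:
        problems.append(f"{vpc_id} would still span only {len(azs)} AZ(s)")
    return problems
```

Running `evaluate(VPCS, SUBNETS)` reports one PASS and two FAIL results, and `validate_remediation("vpc-bbbb0002", SUBNETS, [("us-east-1b", "10.1.2.0/24")])` returns no problems, confirming that adding one subnet in a second AZ would clear the finding.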
Resource Type
AwsEc2Subnet