This rule ensures that EC2 instances do not have a public IP address for enhanced security.
Rule | EC2 instances should not have a public IP address
Framework | AWS Foundational Security Best Practices
Severity | High
Rule Description
This rule is a part of the AWS Foundational Security Best Practices and aims to enforce the best practice of not allowing EC2 instances to have a public IP address. It is crucial to restrict public access to EC2 instances to minimize the attack surface.
Impact of Not Following the Rule
If this rule is not followed and EC2 instances have public IP addresses, it increases the exposure of the instances to potential security threats. Publicly accessible instances are more susceptible to unauthorized access, data breaches, and potential attacks by malicious actors. Therefore, it is essential to adhere to this rule to ensure the security of your EC2 infrastructure.
Troubleshooting Steps (if applicable)
Troubleshooting steps may vary depending on the specific use case and configuration. However, if an EC2 instance should not have a public IP address but currently has one assigned, here are some steps to troubleshoot the issue:
Verify the assigned public IP: Check the EC2 instance details in the AWS Management Console or use the AWS Command Line Interface (CLI) to ensure that a public IP address is indeed assigned to the instance.
aws ec2 describe-instances --instance-ids <instance-id>
Check the VPC configuration: Verify the VPC (Virtual Private Cloud) configuration associated with the instance. Ensure that the instance is not placed in a public subnet and that the VPC does not have an Internet Gateway attached, as these are the prerequisites for a public IP address to be assigned and reachable.
aws ec2 describe-subnets --subnet-ids <subnet-id>
aws ec2 describe-internet-gateways --internet-gateway-ids <internet-gateway-id>
Validate the routing: Confirm that the route table for the subnet associated with the instance does not send traffic through an Internet Gateway. Ensure that the default route points to a NAT Gateway or VPC Endpoint, restricting outbound traffic to private networks only.
aws ec2 describe-route-tables --route-table-ids <route-table-id>
Double-check security group rules: Ensure that the attached security group(s) do not allow inbound traffic from the internet unless specifically needed. Review the security group rules and remove any unnecessary rules that could potentially expose the instance.
aws ec2 describe-security-groups --group-ids <security-group-id>
Revert public IP assignment: If the instance has a public IP address but shouldn't, remove the public IP address from the instance. This can be done by modifying the instance's Elastic Network Interface (ENI) settings: disable public IP assignment on the primary ENI (its ID appears in the describe-instances output above). If the address is an Elastic IP rather than an auto-assigned address, disassociate it instead.
aws ec2 modify-network-interface-attribute --network-interface-id <network-interface-id> --no-associate-public-ip-address
aws ec2 disassociate-address --association-id <association-id>
Remediation Steps
To remediate the issue and ensure that EC2 instances do not have public IP addresses, follow these steps:
Identify instances with public IP addresses: Use the AWS Management Console or CLI to identify the instances that currently have public IP addresses assigned.
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" --query "Reservations[].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]" --output text
Remove public IP assignment during instance launch: For new instances that are launched, ensure that the "Auto-assign Public IP" option is disabled during the launch configuration process.
Modify existing instance settings: For existing instances that have public IP addresses, modify the instance settings to remove the public IP assignment. This can be done by modifying the instance's Elastic Network Interface (ENI) settings: disable public IP assignment on the primary ENI, or disassociate the address if it is an Elastic IP.
aws ec2 modify-network-interface-attribute --network-interface-id <network-interface-id> --no-associate-public-ip-address
aws ec2 disassociate-address --association-id <association-id>
Validate the configuration: Double-check the instance details to ensure that the public IP address is successfully removed.
aws ec2 describe-instances --instance-ids <instance-id>
By following these steps, you can remediate the issue and enforce the best practice of not allowing EC2 instances to have public IP addresses, improving the security posture of your AWS infrastructure.
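The identification step above only lists addresses; an auditor also needs to know which remediation applies to each one. The following added example (not part of this rule page or of any AWS tooling) reads `aws ec2 describe-instances --output json` from stdin and classifies every public IPv4 address as auto-assigned (the association's IpOwnerId is "amazon") or an Elastic IP (owned by the account). The instance, ENI and subnet IDs in the embedded sample are constructed.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances --output json`,
# trimmed to the fields the audit reads; every ID and address below is made up.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "SubnetId": "subnet-0pub",
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa",
                            "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"}}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "SubnetId": "subnet-0pub",
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0bbb",
                            "Association": {"PublicIp": "203.0.113.11", "IpOwnerId": "123456789012"}}]},
    {"InstanceId": "i-0ccc", "State": {"Name": "running"}, "SubnetId": "subnet-0priv",
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0ccc"}]},
    {"InstanceId": "i-0ddd", "State": {"Name": "terminated"}, "NetworkInterfaces": []},
]}]}


def find_public_instances(describe_instances):
    """Return one finding per ENI of a non-terminated instance that holds a public IPv4.

    'kind' tells the operator which remediation applies: an auto-assigned address
    (IpOwnerId "amazon") is removed by disabling public IP assignment on the ENI;
    an Elastic IP (IpOwnerId is the account) must be disassociated instead.
    """
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            for eni in inst.get("NetworkInterfaces", []):
                assoc = eni.get("Association") or {}
                public_ip = assoc.get("PublicIp")
                if not public_ip:
                    continue  # private-only interface, compliant
                findings.append({
                    "instance_id": inst["InstanceId"],
                    "eni_id": eni.get("NetworkInterfaceId"),
                    "subnet_id": inst.get("SubnetId"),
                    "public_ip": public_ip,
                    "kind": "auto-assigned" if assoc.get("IpOwnerId") == "amazon" else "elastic-ip",
                })
    return findings


def main():
    # Use real CLI output when piped in; fall back to the constructed sample otherwise.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for f in find_public_instances(data):
        print(f"{f['instance_id']} {f['eni_id']} {f['subnet_id']} {f['public_ip']} {f['kind']}")


if __name__ == "__main__":
    main()
```

Run it as `aws ec2 describe-instances --output json | python3 audit.py`; each printed line names the ENI to pass to modify-network-interface-attribute or, for the elastic-ip kind, the address to disassociate.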