This rule focuses on ensuring EC2 instances do not expose public IP addresses.
| Rule | EC2 instances should not have a public IP address |
|---|---|
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ High |
EC2 Instances Compliance with FedRAMP Low Revision 4
Federal Risk and Authorization Management Program (FedRAMP) Low Revision 4 sets specific standards for cloud services used by federal agencies. One such standard requires that Amazon EC2 instances do not have public IP addresses, to reduce direct exposure to the internet and mitigate the risk of cyber attacks. The sections below describe the rule, how to identify non-compliant instances, and how to remediate them.
Rule Description
Amazon EC2 instances should be configured without public IP addresses to meet the FedRAMP Low impact level requirements. Public IP addresses allow for direct access to the instances from the internet, which can potentially increase vulnerability to security threats. By only using private IP addresses and routing traffic through secure, controlled points, such as a NAT gateway or a load balancer within a Virtual Private Cloud (VPC), organizations can maintain a higher security standard.
Troubleshooting Steps
If an EC2 instance is found to have a public IP address, the following steps should be taken to remediate the issue:
1. Identify Instances with Public IP Addresses
aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId,PublicIpAddress]" --output text
This AWS CLI command lists all instances along with their associated public IP addresses, if they have one.
2. Verify Network Configuration
Check the subnet and network interface configurations to ensure that the instance is not set to automatically receive a public IP address upon launch.
3. Modify the Instance Configuration
4. Use NAT Gateway or Load Balancer for Internet Access
Configure a NAT Gateway or a Load Balancer to route traffic for instances in private subnets. This gives those instances outbound internet access (and, with a load balancer, controlled inbound access) without assigning public IPs to them.
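The identify-and-verify steps above can be automated against the JSON output of `aws ec2 describe-instances` and `aws ec2 describe-subnets`. The following is an added example, not part of this rule's original text: it classifies each exposed address as auto-assigned (owner `amazon`, released on stop/start) or an Elastic IP (owned by the account, to be disassociated), and flags subnets that still auto-assign public IPs. The instance IDs, account ID and addresses in the samples are constructed.

```python
import json

# Constructed sample of `aws ec2 describe-instances --output json` (not real data).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa1111", "SubnetId": "subnet-1a2b3c4d", "PublicIpAddress": "203.0.113.10",
     "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"}}]},
    {"InstanceId": "i-0bbb2222", "SubnetId": "subnet-1a2b3c4d", "PublicIpAddress": "203.0.113.20",
     "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.20", "IpOwnerId": "123456789012"}}]},
    {"InstanceId": "i-0ccc3333", "SubnetId": "subnet-9e8f7a6b", "PrivateIpAddress": "10.0.1.5",
     "NetworkInterfaces": [{}]},
]}]})

# Constructed sample of `aws ec2 describe-subnets --output json` (not real data).
SAMPLE_DESCRIBE_SUBNETS = json.dumps({"Subnets": [
    {"SubnetId": "subnet-1a2b3c4d", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-9e8f7a6b", "MapPublicIpOnLaunch": False},
]})


def public_ip_findings(describe_instances_json):
    """Return one finding per instance that exposes a public IP.

    Kind is 'auto-assigned' when the address owner is 'amazon' (assigned at
    launch, released by stop/start) and 'elastic' when the owner is the account
    (an Elastic IP that must be disassociated with disassociate-address)."""
    findings = []
    for reservation in json.loads(describe_instances_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            public_ip = inst.get("PublicIpAddress")
            if not public_ip:
                continue  # compliant: private addressing only
            owner = None
            for eni in inst.get("NetworkInterfaces", []):
                assoc = eni.get("Association", {})
                if assoc.get("PublicIp") == public_ip:
                    owner = assoc.get("IpOwnerId")
            findings.append({
                "InstanceId": inst["InstanceId"],
                "SubnetId": inst.get("SubnetId"),
                "PublicIpAddress": public_ip,
                "Kind": "auto-assigned" if owner == "amazon" else "elastic",
            })
    return findings


def subnets_with_auto_assign(describe_subnets_json):
    """Return subnet IDs that still map a public IP on launch (step 2 check)."""
    return [s["SubnetId"] for s in json.loads(describe_subnets_json).get("Subnets", [])
            if s.get("MapPublicIpOnLaunch")]
```

Each subnet returned by `subnets_with_auto_assign` is a candidate for `modify-subnet-attribute --no-map-public-ip-on-launch`, and each `elastic` finding needs its association ID looked up (for example with `aws ec2 describe-addresses`) before `disassociate-address`.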
Remediation Steps
Disassociate Public IP
To remove an auto-assigned public IP from an EC2 instance, the instance must be stopped and started again (the address is released on stop), or terminated. If the address is an Elastic IP, disassociate it using the following command:
aws ec2 disassociate-address --association-id eipassoc-1234567890abcdef0
Replace eipassoc-1234567890abcdef0 with the actual association ID of the Elastic IP.
Change Subnet Settings
If the instance is set to automatically assign a public IP, this feature must be turned off:
aws ec2 modify-subnet-attribute --subnet-id subnet-1a2b3c4d --no-map-public-ip-on-launch
Replace subnet-1a2b3c4d with the relevant subnet ID.
Launch New Instances Without Public IPs
In cases where EC2 instances were incorrectly set up with public IP addresses, new instances may need to be launched without an auto-assigned public IP:
aws ec2 run-instances --image-id ami-12345678 --count 1 --instance-type t2.micro --subnet-id subnet-1a2b3c4d --no-associate-public-ip-address
Adjust ami-12345678, t2.micro, and subnet-1a2b3c4d with appropriate values for your needs.
Final Notes
All steps and commands provided should follow AWS best practices and be executed carefully to avoid service disruption. It is also important to audit EC2 instance configurations regularly to maintain compliance with FedRAMP Low Revision 4 standards. By being diligent with these practices, an organization can significantly reduce its cloud infrastructure's exposure to security threats.