
Rule: EC2 Instances Should Not Have a Public IP Address

This rule specifies that EC2 instances should not be assigned a public IP address.

Rule: EC2 instances should not have a public IP address
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule/Policy Description:

Under the FedRAMP Moderate Revision 4 guidelines, EC2 instances should not have a public IP address. The policy limits direct public access to EC2 instances, which reduces the exposure of any sensitive data they process.

Troubleshooting Steps:

If an EC2 instance has a public IP address, it is important to address this issue and remove the public IP to comply with the policy. Here are the troubleshooting steps:

  1. Identify the EC2 instances with public IP addresses: using the AWS Management Console or the command-line interface (CLI), list the EC2 instances that have public IPs assigned to them.

  2. Determine whether the public IP address is necessary: check the purpose, functionality and requirements of each EC2 instance, and decide whether the public IP address is truly needed for its operation.

  3. Modify Security Group rules: if the instance does not require a public IP, update the associated Security Group rules to restrict inbound traffic to the desired sources only (e.g., the internal network or specific IP addresses).

  4. Remove the public IP address: remove the public IP address from the EC2 instance, either by disassociating (or releasing) the Elastic IP associated with the instance or by modifying the instance's network settings so that it no longer receives a public IP assignment.

  5. Verify connectivity: after removing the public IP, test connectivity and confirm that the required network access is still available through private IP addresses or internal network paths.
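As an added example (not part of the original page), the following Python runs over the JSON that aws ec2 describe-instances --output json produces and carries out step 1 while also telling the two cases in step 4 apart: the Association.IpOwnerId field of a network interface is "amazon" for an auto-assigned public IPv4 address and the account ID for an Elastic IP. The sample output, IDs, account number and addresses below are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`;
# IDs, account number and addresses are made up for this example.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "OwnerId": "111122223333",
        "Instances": [
            {"InstanceId": "i-0aaa111", "SubnetId": "subnet-0pub",
             "NetworkInterfaces": [{"NetworkInterfaceId": "eni-01",
                 "Association": {"IpOwnerId": "amazon", "PublicIp": "203.0.113.10"}}]},
            {"InstanceId": "i-0bbb222", "SubnetId": "subnet-0pub",
             "NetworkInterfaces": [{"NetworkInterfaceId": "eni-02",
                 "Association": {"IpOwnerId": "111122223333", "PublicIp": "198.51.100.7"}}]},
            {"InstanceId": "i-0ccc333", "SubnetId": "subnet-0priv",
             "NetworkInterfaces": [{"NetworkInterfaceId": "eni-03"}]},
        ],
    }]
})


def find_public_instances(describe_json: str) -> list:
    """Return one finding per network interface that carries a public IPv4 address.

    Association.IpOwnerId selects the remediation path: "amazon" marks an
    auto-assigned public IP (disable auto-assignment on the subnet and relaunch),
    while the account ID marks an Elastic IP (aws ec2 disassociate-address).
    """
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for eni in inst.get("NetworkInterfaces", []):
                assoc = eni.get("Association") or {}
                if "PublicIp" not in assoc:
                    continue  # private-only interface: compliant with the rule
                source = "auto-assigned" if assoc.get("IpOwnerId") == "amazon" else "elastic-ip"
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "SubnetId": inst.get("SubnetId"),
                    "NetworkInterfaceId": eni["NetworkInterfaceId"],
                    "PublicIp": assoc["PublicIp"],
                    "Source": source,
                })
    return findings
```

Feeding the real describe-instances output into find_public_instances gives the list of non-compliant instances together with the remediation path that applies to each interface.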

Necessary Codes:

In order to remove the public IP address from an EC2 instance, you may use the AWS CLI and the following commands:

  1. To disassociate an Elastic IP from an EC2 instance in a VPC (the --public-ip form applied only to the retired EC2-Classic platform; the association ID comes from aws ec2 describe-addresses):

    aws ec2 disassociate-address --association-id <Association_ID>

    Note that an instance whose interface was launched with auto-assignment enabled may receive a new auto-assigned public IPv4 address once the Elastic IP is gone, so confirm the result with aws ec2 describe-instances.

  2. To modify the network settings so that the instance no longer receives a public IP: an auto-assigned public IPv4 address cannot be detached from a running instance, so disable auto-assignment on the subnet and launch a replacement instance without a public IP:

    aws ec2 modify-subnet-attribute --subnet-id <Subnet_ID> --no-map-public-ip-on-launch
    aws ec2 run-instances --subnet-id <Subnet_ID> --no-associate-public-ip-address <other launch parameters>

Step-by-Step Guide for Remediation:

Follow these step-by-step instructions to remediate the EC2 instance and comply with the policy:

  1. Log in to the AWS Management Console or connect to the AWS CLI using your credentials.

  2. Identify the EC2 instance(s) with public IP addresses that need modification.

  3. Assess whether each EC2 instance requires a public IP address, and determine if it is truly necessary for its functionality.

  4. If the public IP address is not required, proceed with modifying the instance's network settings.

  5. Open the AWS CLI and execute the appropriate command to remove the public IP address:

    • If an Elastic IP is associated with the instance, disassociate it by its association ID:

      aws ec2 disassociate-address --association-id <Association_ID>

    • If the instance is using an automatically assigned public IP, it cannot be removed in place; disable auto-assignment on the subnet and launch a replacement instance without a public IP:

      aws ec2 modify-subnet-attribute --subnet-id <Subnet_ID> --no-map-public-ip-on-launch
      aws ec2 run-instances --subnet-id <Subnet_ID> --no-associate-public-ip-address <other launch parameters>

  6. Once the command has completed successfully, check the EC2 instance's network configuration (for example with aws ec2 describe-instances) to confirm that no public IP address remains.

  7. Test the connectivity and functionality of the EC2 instance using its private IP address or internal network paths.

  8. If necessary, update the associated Security Group rules to allow the required inbound traffic from trusted sources while blocking public access.

  9. Document the changes made and update any relevant documentation or configuration management systems.

By following these steps, you can comply with the FedRAMP Moderate Revision 4 guidelines and ensure that EC2 instances do not have public IP addresses.
