
Rule: EC2 Instances Should Not Have a Public IP Address

This rule states that EC2 instances should not be assigned a public IP address to enhance security.

Rule: EC2 instances should not have a public IP address
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description

The rule states that EC2 instances should not have a public IP address according to the FedRAMP Moderate Revision 4 security compliance requirements. This rule aims to enforce network segmentation and minimize potential attack surfaces.

Public IP addresses allow direct access to EC2 instances from the internet, increasing the risk of unauthorized access and potential security breaches. By disabling public IP addresses, the instances are only accessible within the private network or via a secure bastion host or VPN.

Troubleshooting Steps

If an EC2 instance has a public IP address, take the following troubleshooting steps to bring it into compliance with the rule:

  1. Identify the EC2 instance: Determine which EC2 instance has a public IP address assigned.

  2. Review network configuration: Inspect the security groups and network ACLs associated with the EC2 instance. Check whether any inbound rules allow direct access from the internet.

  3. Verify route table settings: Check the route table associated with the instance's subnet. A public IP address is only reachable from the internet if that route table contains a route to an internet gateway, so the route table should not have an internet gateway entry.

  4. Check instance launch configuration: Ensure that when launching new EC2 instances, the option to assign a public IP address is disabled.
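Troubleshooting steps 1 to 3 as one automated check, added here as an example (it is not code from the original page). The functions take the dict shapes that boto3's ec2.describe_instances(), describe_route_tables() and describe_security_groups() return; the SAMPLE_* inputs and all IDs in them are constructed so the check runs offline.

```python
# Added check over the dict shapes returned by boto3's ec2.describe_instances(),
# describe_route_tables() and describe_security_groups(); SAMPLE_* data is constructed.

def internet_routed_subnets(route_tables):
    """Subnet -> bool for explicit associations; VPC -> bool for each main table."""
    by_subnet, by_vpc_main = {}, {}
    for t in route_tables:
        igw = any(r.get("GatewayId", "").startswith("igw-") for r in t["Routes"])
        for a in t.get("Associations", []):
            if a.get("Main"):  # main table applies to subnets with no explicit association
                by_vpc_main[t["VpcId"]] = igw
            elif "SubnetId" in a:
                by_subnet[a["SubnetId"]] = igw
    return by_subnet, by_vpc_main

def open_to_world(sg):
    """True if any inbound rule admits the whole IPv4 or IPv6 internet."""
    cidrs = {r.get("CidrIp") or r.get("CidrIpv6")
             for p in sg.get("IpPermissions", []) for r in p.get("IpRanges", []) + p.get("Ipv6Ranges", [])}
    return bool(cidrs & {"0.0.0.0/0", "::/0"})

def find_violations(reservations, route_tables, security_groups):
    """One finding per instance with a public IPv4 address (step 1), plus step 2/3 evidence."""
    by_subnet, by_vpc_main = internet_routed_subnets(route_tables)
    open_sgs = {sg["GroupId"] for sg in security_groups if open_to_world(sg)}
    findings = []
    for inst in (i for r in reservations for i in r["Instances"]):
        if "PublicIpAddress" not in inst:
            continue  # compliant: no public IPv4 address assigned
        routed = by_subnet.get(inst["SubnetId"], by_vpc_main.get(inst["VpcId"], False))
        sgs = {g["GroupId"] for g in inst.get("SecurityGroups", [])}
        findings.append({"InstanceId": inst["InstanceId"],
                         "PublicIpAddress": inst["PublicIpAddress"],
                         "InternetRouted": routed,  # subnet's route table reaches an igw-*
                         "OpenSecurityGroups": sorted(sgs & open_sgs)})
    return findings

SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0pub", "PublicIpAddress": "203.0.113.10", "SubnetId": "subnet-a",
     "VpcId": "vpc-1", "SecurityGroups": [{"GroupId": "sg-ssh"}, {"GroupId": "sg-app"}]},
    {"InstanceId": "i-0priv", "SubnetId": "subnet-b", "VpcId": "vpc-1",
     "SecurityGroups": [{"GroupId": "sg-app"}]}]}]
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}]
SAMPLE_SGS = [
    {"GroupId": "sg-ssh", "IpPermissions": [{"IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [{"IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]
```

Against the sample data the check reports only i-0pub, marked as internet-routed with sg-ssh as the open security group.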

Remediation Steps

To remediate an EC2 instance with a public IP address, you need to follow these steps:

  1. Connect to the AWS Management Console: Log in to the AWS Management Console using appropriate credentials.

  2. Identify the EC2 instance: Determine the instance ID or name of the EC2 instance that requires changes.

  3. Modify the EC2 instance: In the EC2 service dashboard, locate the specified EC2 instance.

  4. Disable the public IP address: Right-click on the EC2 instance and select "Networking" > "Manage IP Addresses." Remove the public IP address assignment or choose "None" for the Public IP address value.

  5. Update security groups: Make sure the security groups associated with the EC2 instance only allow necessary inbound and outbound traffic.

  6. Validate the changes: Verify that the EC2 instance no longer has a public IP address assigned.

  7. Repeat for other affected instances: If there are multiple instances with public IP addresses, repeat the above steps for each instance.

Additional Notes

  • It's important to review the networking requirements of your applications before disabling public IP addresses. Ensure that there are alternative methods for remote access, such as using a secure bastion host or setting up a VPN connection.

  • When launching new EC2 instances, always double-check the configuration to ensure that public IP addresses are disabled by default.

  • Regularly audit and monitor your EC2 instances to identify any instances with public IP addresses and take appropriate actions to rectify the configuration.

  • Automate the monitoring and enforcement of this rule using AWS Config rules or infrastructure-as-code tools such as AWS CloudFormation or Terraform. This helps maintain the desired compliance state across your infrastructure.

Conclusion

Following the rule to remove public IP addresses from EC2 instances helps improve the security profile of your AWS environment, particularly in alignment with the FedRAMP Moderate Revision 4 requirements. By minimizing the attack surface and enforcing network segmentation, you increase the overall security posture and reduce the risk of unauthorized access.
