This rule highlights the necessity of securing EC2 instances by not allowing public IP addresses.
| Rule | EC2 instances should not have a public IP address |
| --- | --- |
| Framework | GxP 21 CFR Part 11 |
| Severity | High |
Description
The rule states that EC2 instances should not have a public IPv4 address, for GxP compliance (the "good practice" guidelines such as GMP, GLP and GCP) and specifically in line with 21 CFR (Code of Federal Regulations) Part 11, the FDA (Food and Drug Administration) regulation covering electronic records and electronic signatures in regulated environments. The security point is that a public IP gives the instance a direct path from the internet; the instance is only reachable through it when the subnet routes to an internet gateway and a security group allows the traffic, but removing the address removes that path entirely, which is what the rule requires to protect the confidentiality and integrity of regulated data. Instances that need outbound internet access should use a NAT gateway, and anything that must be reachable from outside should sit behind a load balancer rather than carry its own public address.
Troubleshooting Steps (if applicable)
Verify the EC2 instance settings: Check if the EC2 instance has a public IP address assigned. If it does, proceed with the remediation steps.
Review network settings: Confirm whether the EC2 instance is in a VPC (Virtual Private Cloud) or in the legacy EC2-Classic network, because the remediation steps differ. EC2-Classic was retired by AWS in 2022, so instances in current accounts are always in a VPC and the Classic steps apply only to legacy environments.
Validate Security Group rules: Ensure that the associated Security Group(s) for the EC2 instance restrict inbound access to essential services and private IP ranges only.
Confirm network ACLs: If using a VPC, verify the Network ACLs (Access Control Lists) associated with the relevant subnet(s). Review the rules to ensure that inbound and outbound access is appropriately restricted.
Remediation Steps
For EC2 Instances in a VPC
1. Access the AWS Management Console and navigate to the EC2 Dashboard.
2. Locate the EC2 instance that needs to be remediated and select it.
3. In the details pane, note down the following information associated with the EC2 instance: VPC ID, subnet ID, security group ID(s), and the public IPv4 address together with whether it is an Elastic IP or an auto-assigned address.
4. Navigate to the VPC Dashboard.
5. Locate and select the VPC identified in step 3.
6. In the navigation pane, go to "Subnets".
7. Locate and select the subnet identified in step 3.
8. In the details pane, note down the Network ACL ID associated with the subnet. Also check whether auto-assignment of public IPv4 addresses is enabled for the subnet; if it is, disable it in the subnet settings so that future launches in this subnet do not receive a public address.
9. Navigate to the "Security Groups" section.
10. Locate and select the security group(s) identified in step 3.
11. Review the inbound rules for each selected security group. Remove or narrow any rule whose source is 0.0.0.0/0 or ::/0, leaving only the ports the workload needs and only private or otherwise trusted source ranges.
12. Navigate to the "Network ACLs" section.
13. Locate and select the Network ACL identified in step 8.
14. Review the inbound and outbound rules associated with the Network ACL and restrict them to the required ports and address ranges.
15. Save the changes made to the security group(s) and network ACL(s).
16. Remove the public address itself. Steps 11 to 15 reduce exposure but do not clear the finding, and an auto-assigned public IPv4 address cannot be detached from a running instance: it is released when the instance is stopped, but a new one is assigned when the instance is started again. If the address is an Elastic IP, disassociate it from the instance and release it. Otherwise, launch a replacement instance in a subnet with auto-assignment disabled (or with the public IP option disabled at launch), move the workload to it, and terminate the original instance.
For EC2 Instances in a Classic Network (legacy; EC2-Classic was retired in 2022)
1. Access the AWS Management Console and navigate to the EC2 Dashboard.
2. Locate the EC2 instance that needs to be remediated and select it.
3. In the details pane, note down the Security Group(s) ID associated with the EC2 instance.
4. Navigate to the "Security Groups" section.
5. Locate and select the security group(s) identified in step 3.
6. Review the inbound rules for each selected security group and remove or narrow any rule whose source is 0.0.0.0/0 or ::/0.
7. Save the changes made to the security group(s). Every EC2-Classic instance has a public IP, so the only way to satisfy the rule is to migrate the workload to an instance in a private VPC subnet.
Code (if applicable)
No specific code is provided for this rule; the remediation steps use the AWS Management Console. The equivalent AWS CLI calls are `aws ec2 describe-instances` to list instances and their `PublicIpAddress`, `aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch` to stop a subnet from auto-assigning public IPv4 addresses, and `aws ec2 run-instances ... --no-associate-public-ip-address` when launching a replacement instance. Note that changing the subnet attribute affects only future launches, not instances that already hold a public address.
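The following script is an added example written for this page, not code from the original rule or from AWS. It implements the check the rule describes and the security-group review from the troubleshooting steps as an offline audit over the JSON that `aws ec2 describe-instances` and `aws ec2 describe-security-groups` return. The embedded sample data is constructed to mimic that output shape (instance IDs, group IDs and addresses are made up), and it relies on the documented convention that an auto-assigned public IPv4 address reports `IpOwnerId` as `amazon` while an Elastic IP reports the owning account ID. It runs with no credentials; pass the two JSON files as arguments to audit a real account.

```python
"""Offline check for "EC2 instances should not have a public IP address".

Usage: python ec2_public_ip_check.py instances.json security_groups.json
(files produced by `aws ec2 describe-instances` and
`aws ec2 describe-security-groups`); with no arguments the constructed
sample data below is audited instead.
"""
import json
import sys

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def public_ip_findings(describe_instances):
    """One finding per instance that has a public IPv4 address on any ENI."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            addresses = set()
            elastic = False
            if inst.get("PublicIpAddress"):
                addresses.add(inst["PublicIpAddress"])
            for eni in inst.get("NetworkInterfaces", []):
                assoc = eni.get("Association") or {}
                if assoc.get("PublicIp"):
                    addresses.add(assoc["PublicIp"])
                    # Auto-assigned addresses report IpOwnerId "amazon";
                    # an Elastic IP reports the owning account ID.
                    if assoc.get("IpOwnerId", "amazon") != "amazon":
                        elastic = True
            if addresses:
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "PublicIps": sorted(addresses),
                    "ElasticIp": elastic,
                    "SubnetId": inst.get("SubnetId"),
                    "SecurityGroupIds": [g["GroupId"] for g in inst.get("SecurityGroups", [])],
                })
    return findings


def open_ingress_rules(describe_security_groups, group_ids):
    """Inbound rules in the given groups whose source is the whole internet."""
    wanted = set(group_ids)
    open_rules = []
    for sg in describe_security_groups.get("SecurityGroups", []):
        if sg["GroupId"] not in wanted:
            continue
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if ANY_IPV4 in sources or ANY_IPV6 in sources:
                proto = perm.get("IpProtocol")  # "-1" means all protocols
                ports = "all" if proto == "-1" else f'{perm.get("FromPort")}-{perm.get("ToPort")}'
                open_rules.append((sg["GroupId"], proto, ports))
    return open_rules


def audit(describe_instances, describe_security_groups):
    """Public-IP findings, each annotated with any world-open SG rules."""
    report = []
    for finding in public_ip_findings(describe_instances):
        finding = dict(finding)
        finding["OpenIngress"] = open_ingress_rules(describe_security_groups, finding["SecurityGroupIds"])
        report.append(finding)
    return report


# Constructed sample data (fake IDs and TEST-NET addresses), shaped like the CLI output.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "SubnetId": "subnet-pub", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-open"}],
     "NetworkInterfaces": [{"Association": {"IpOwnerId": "amazon", "PublicIp": "203.0.113.10"}}]},
    {"InstanceId": "i-0bbb", "SubnetId": "subnet-priv",
     "SecurityGroups": [{"GroupId": "sg-internal"}], "NetworkInterfaces": [{}]},
    {"InstanceId": "i-0ccc", "SubnetId": "subnet-pub", "PublicIpAddress": "203.0.113.20",
     "SecurityGroups": [{"GroupId": "sg-internal"}],
     "NetworkInterfaces": [{"Association": {"IpOwnerId": "123456789012", "PublicIp": "203.0.113.20"}}]},
]}]}
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f_inst, open(argv[2]) as f_sg:
            instances, sgs = json.load(f_inst), json.load(f_sg)
    else:
        instances, sgs = SAMPLE_INSTANCES, SAMPLE_SGS
    report = audit(instances, sgs)
    for f in report:
        kind = "Elastic IP" if f["ElasticIp"] else "auto-assigned"
        exposure = "OPEN TO INTERNET via " + str(f["OpenIngress"]) if f["OpenIngress"] else "SG restricted"
        print(f'{f["InstanceId"]} {",".join(f["PublicIps"])} ({kind}, {f["SubnetId"]}): {exposure}')
    return 1 if report else 0  # non-zero exit makes the check usable in CI


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Every instance with a public address is a finding for this rule regardless of its security groups; the `OpenIngress` annotation only prioritises remediation, and the `ElasticIp` flag tells you whether the fix is to disassociate and release an address or to rebuild the instance in a private subnet.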