Rule: EC2 instances should not have a public IP address
This rule ensures EC2 instances do not have a public IP address for enhanced security.
| Rule | EC2 instances should not have a public IP address |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
According to NIST 800-53 Revision 5, it is recommended that EC2 instances should not have a public IP address. This rule aims to improve the security posture of the infrastructure by minimizing potential attack vectors and reducing the exposure of instances to the public internet.
Troubleshooting Steps:
- 1.
Identify EC2 instances with public IP addresses:
- Access the AWS Management Console.
- Navigate to the EC2 service.
- Select the desired region.
- In the instances list, check the "Public IP" column to identify instances with public IP addresses.
- 2.
Review instance requirements:
- Determine if the instance genuinely requires direct internet access.
- Evaluate if the instance can be accessed via a private network or if inbound/outbound traffic can be routed through a gateway.
- 3.
Verify security group settings:
- Check the associated security groups for instances with public IP addresses.
- Ensure that inbound rules are configured correctly to restrict access to necessary ports and sources.
- Remove any unnecessary inbound rules that may expose the instance to the public internet.
- 4.
Check network ACLs:
- Inspect the network ACL settings for the subnets where the instances reside.
- Validate that inbound and outbound rules are appropriately configured, limiting access to required traffic only.
- Remove any rules that allow unwanted traffic from the public internet.
- 5.
Validate routing configurations:
- Review the routing tables associated with the subnets where the instances are located.
- Ensure that any default or custom routes do not inadvertently allow public internet access.
- Adjust the routing configurations to restrict traffic to private networks if necessary.
Remediation Steps:
- 1.
Remove public IP:
- For instances that do not require a public IP address, you can disassociate the public IP using the following AWS CLI command:
aws ec2 modify-instance-attribute --instance-id <instance-id> --no-associate-public-ip-addressReplace
with the ID of the instance you want to modify.<instance-id> - 2.
Adjust security group settings:
- Update security group rules to allow traffic only from trusted sources or within the private network.
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port> --source-security-group <source-security-group-id>Replace
,<security-group-id>
,<protocol>
, and<port>
with the appropriate values for your security group configuration.<source-security-group-id> - 3.
Review network ACLs:
- Update inbound and outbound network ACL rules to restrict traffic to necessary sources and destinations.
aws ec2 create-network-acl-entry --network-acl-id <network-acl-id> --protocol <protocol> --rule-action <rule-action> --rule-number <rule-number> --cidr-block <cidr-block> --port-range From <port> To <port>Replace
,<network-acl-id>
,<protocol>
,<rule-action>
,<rule-number>
,<cidr-block>
, and<port>
with the appropriate values for your network ACL configuration.<port> - 4.
Update routing configurations:
- Adjust routing tables to ensure instances are not accessible from the public internet.
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <destination-cidr-block> --gateway-id <gateway-id>Replace
,<route-table-id>
, and<destination-cidr-block>
with the appropriate values for your routing configuration.<gateway-id>Note:
should be the ID of the internet gateway associated with your VPC.<gateway-id>
By following the above steps, you can ensure compliance with NIST 800-53 Revision 5 by removing public IP addresses from EC2 instances and securing your infrastructure.