This rule ensures that EC2 instances do not have public IP addresses, which keeps them off the public internet and reduces their exposure.
Rule | EC2 instances should not have a public IP address |
Framework | CISA-cyber-essentials |
Severity | High |
Compliance Rule: EC2 Instances Should Not Have Public IP Addresses
To align with the CISA Cyber Essentials, Amazon EC2 instances should be configured without public IP addresses to reduce the risk of exposure to cyber threats. Publicly accessible instances can be vulnerable to security breaches. By ensuring that EC2 instances do not have public IP addresses, you limit the potential attack surface.
Description of the Rule
The rule requires EC2 instances to only have private IP addresses within the Virtual Private Cloud (VPC) and not to be directly accessible from the internet. Instances should be kept private and only reachable through controlled access points such as a bastion host, VPN, or AWS Direct Connect. This is a security measure that helps to ensure the principle of least privilege and protects the instances against unauthorized access and potential attacks.
Troubleshooting Steps
Identify Instances with Public IPs: First, determine if any instances are running with associated public IP addresses.
Review Security Groups and NACLs: Security Groups and Network Access Control Lists (NACLs) should be checked to ensure they do not allow unrestricted inbound access to the instances.
Check VPC Configuration: Ensure that the VPCs and subnets are configured so that instances do not automatically receive public IP addresses.
Audit IAM Policies: Review IAM policies to ensure that permissions are set to prevent users from assigning public IPs.
Monitoring and Logging: Use AWS CloudTrail and other monitoring services to gain visibility into actions that may violate the rule.
Necessary Codes and CLI Commands
Here are some AWS CLI commands that may help in identifying and remediating non-compliant EC2 instances:
List All EC2 Instances with Public IP addresses
aws ec2 describe-instances --query 'Reservations[*].Instances[?PublicIpAddress].[InstanceId,PublicIpAddress]' --output text
Disassociate Elastic IP Addresses
aws ec2 disassociate-address --association-id <association-id>
This removes an Elastic IP (the association ID is shown by aws ec2 describe-addresses). An auto-assigned public IPv4 address cannot be disassociated; disable auto-assign on the subnet and relaunch the instance instead.
Modify Subnet Attribute to Prevent Auto-assign Public IP
aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch
Update Security Group to Restrict Ingress Traffic
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 0-65535 --cidr 0.0.0.0/0
Note that revoke removes only a rule whose protocol, port range and CIDR match exactly. List the group's current rules first with aws ec2 describe-security-group-rules --filters Name=group-id,Values=<security-group-id> and revoke each rule that is open to 0.0.0.0/0 or ::/0.
Step by Step Guide for Remediation
Identify Public Instances: Use the provided AWS CLI command to list all EC2 instances along with their public IP addresses, if any.
Remove Public IPs: For each identified instance with a public IP, use the disassociate-address command to remove the public IP.
Modify Subnet Settings: Change the subnet's setting to prevent auto-assigning of public IP addresses with the modify-subnet-attribute command.
Update Security Groups: Adjust the security group rules so they do not allow traffic from any IP address, effectively preventing public internet access.
Implement IAM Policies: Create or modify IAM policies that restrict users from attaching public IPs to instances.
Monitor Compliance: Regularly monitor and audit the environment using AWS CloudTrail, AWS Config, and other tools to ensure ongoing compliance with this rule.
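As an added example (not part of this rule's own tooling), the following script implements the identify step offline over describe-instances JSON and tells the two remediation paths apart: an Elastic IP carries an AssociationId and can be disassociated, while an auto-assigned address (IpOwnerId "amazon") cannot and needs the subnet fix plus a relaunch. The instance, subnet and ENI identifiers in the sample are constructed.

```python
import json

# Constructed sample describe-instances output: one Elastic IP association,
# one auto-assigned public address, one private-only instance.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa000000000001", "SubnetId": "subnet-0111",
     "PublicIpAddress": "203.0.113.10",
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0a1", "Association": {
         "PublicIp": "203.0.113.10", "IpOwnerId": "123456789012",
         "AllocationId": "eipalloc-0abc", "AssociationId": "eipassoc-0abc"}}]},
    {"InstanceId": "i-0aaa000000000002", "SubnetId": "subnet-0222",
     "PublicIpAddress": "203.0.113.20",
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0a2", "Association": {
         "PublicIp": "203.0.113.20", "IpOwnerId": "amazon"}}]},
    {"InstanceId": "i-0aaa000000000003", "SubnetId": "subnet-0333",
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0a3"}]},
]}]})


def find_public_instances(describe_instances_json: str) -> list[dict]:
    """One finding per network interface that carries a public IPv4 address.

    An Elastic IP association has an AssociationId and is removed with
    `disassociate-address --association-id`. An auto-assigned address
    (IpOwnerId "amazon") has no association ID and cannot be disassociated:
    the subnet's auto-assign setting is turned off and the instance relaunched.
    """
    findings = []
    for reservation in json.loads(describe_instances_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for eni in inst.get("NetworkInterfaces", []):
                assoc = eni.get("Association")
                if not assoc or "PublicIp" not in assoc:
                    continue  # private-only interface: compliant
                assoc_id = assoc.get("AssociationId")
                if assoc_id:
                    kind = "elastic-ip"
                    fix = f"aws ec2 disassociate-address --association-id {assoc_id}"
                else:
                    kind = "auto-assigned"
                    fix = (f"aws ec2 modify-subnet-attribute --subnet-id {inst['SubnetId']}"
                           " --no-map-public-ip-on-launch ; then relaunch the instance")
                findings.append({"instance_id": inst["InstanceId"],
                                 "eni": eni["NetworkInterfaceId"],
                                 "public_ip": assoc["PublicIp"],
                                 "kind": kind, "remediation": fix})
    return findings
```

Feed it the output of aws ec2 describe-instances --output json to get a per-instance list of findings with the matching remediation command.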
Following these steps will help keep your AWS environment compliant with the CISA Cyber Essentials and reduce the risk of internet-based threats. Allow only the access to your EC2 instances that is strictly necessary, ideally through secure connections such as VPNs or through AWS VPC endpoints.