
Rule: EC2 Instances Should Not Have a Public IP Address

This rule emphasizes that EC2 instances must not be assigned a public IP address to enhance security measures.

Rule: EC2 instances should not have a public IP address
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

EC2 instances that are part of the FedRAMP Low environment should not have a public IP address. Public IP addresses can introduce potential security risks by allowing direct access to the instances from the internet.

Troubleshooting Steps:

If an EC2 instance has a public IP address in the FedRAMP Low environment, follow these steps to troubleshoot and remediate the issue:

  1. Identify the EC2 instance that has a public IP address in the FedRAMP Low environment.
  2. Review the instance's network configuration and check whether it is associated with a public subnet or has a public IP assigned.
  3. Verify that the VPC to which the instance belongs is properly configured with private subnets only.

Remediation Steps:

To remove the public IP address from an EC2 instance in the FedRAMP Low environment, follow these steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. Select the EC2 instance that needs to have the public IP address removed.
  4. Click on the "Actions" dropdown menu and select "Networking" followed by "Manage IP addresses".
  5. In the "Manage IP addresses" dialog box, locate the public IP address associated with the instance and click on the "Disassociate" button.
  6. After disassociating the public IP address, click on the "Save" button to apply the changes.
  7. Verify that the public IP address has been successfully removed from the EC2 instance.

Code:

There is no specific code required to remove the public IP address from an EC2 instance. The remediation steps can be performed through the AWS Management Console.

Note: If you prefer using the AWS Command Line Interface (CLI), you can use the following command to disassociate the public IP address:

    aws ec2 disassociate-address --public-ip <public_ip_address>

Replace <public_ip_address> with the public IP address associated with the EC2 instance.

Additional Recommendations:

  1. It is recommended to regularly monitor and review the network configurations of EC2 instances in the FedRAMP Low environment to ensure compliance with the "no public IP address" rule.
  2. Use AWS Identity and Access Management (IAM) policies to control access to EC2 instances and restrict inbound connections to trusted sources only.
  3. Consider using a bastion host or VPN connection for secure remote access to the instances, instead of relying on public IP addresses.
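The monitoring recommendation above can be automated against the output of `aws ec2 describe-instances`. The following check is an added example, not code from the rule page or its vendor: it walks the DescribeInstances response shape, flags every network interface carrying a public IP, and separates Elastic IPs (which the `disassociate-address` command above removes) from auto-assigned public IPs, which EC2 reports with `IpOwnerId` of `amazon` and which cannot be disassociated; those go away only by disabling the subnet's auto-assign setting and stopping/starting or relaunching the instance. The instance, subnet, ENI and address values in the sample are constructed.

```python
# Added example: find EC2 instances with a public IP in DescribeInstances output.
# The field names follow the EC2 DescribeInstances response; the data is constructed.
import json

# Constructed sample: one auto-assigned public IP, one Elastic IP, one private-only instance.
SAMPLE_RESPONSE = json.loads("""
{ "Reservations": [ { "Instances": [
  { "InstanceId": "i-0aaa000000000001", "SubnetId": "subnet-0aaa0001",
    "PublicIpAddress": "203.0.113.10",
    "NetworkInterfaces": [ { "NetworkInterfaceId": "eni-0aaa0001",
      "Association": { "PublicIp": "203.0.113.10", "IpOwnerId": "amazon" } } ] },
  { "InstanceId": "i-0aaa000000000002", "SubnetId": "subnet-0aaa0001",
    "PublicIpAddress": "203.0.113.20",
    "NetworkInterfaces": [ { "NetworkInterfaceId": "eni-0aaa0002",
      "Association": { "PublicIp": "203.0.113.20", "IpOwnerId": "123456789012" } } ] },
  { "InstanceId": "i-0aaa000000000003", "SubnetId": "subnet-0aaa0002",
    "NetworkInterfaces": [ { "NetworkInterfaceId": "eni-0aaa0003" } ] }
] } ] }
""")

def find_public_instances(response):
    """Return one finding per network interface that carries a public IP.

    Kind 'eip'  : Elastic IP owned by the account -> remove with disassociate-address.
    Kind 'auto' : auto-assigned by Amazon (IpOwnerId == "amazon") -> cannot be
                  disassociated; disable MapPublicIpOnLaunch on the subnet and
                  stop/start or relaunch the instance.
    """
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for eni in inst.get("NetworkInterfaces", []):
                assoc = eni.get("Association")
                if not assoc or not assoc.get("PublicIp"):
                    continue  # private-only interface, compliant
                kind = "auto" if assoc.get("IpOwnerId") == "amazon" else "eip"
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "SubnetId": inst.get("SubnetId"),
                    "NetworkInterfaceId": eni["NetworkInterfaceId"],
                    "PublicIp": assoc["PublicIp"],
                    "Kind": kind,
                })
    return findings

if __name__ == "__main__":
    for f in find_public_instances(SAMPLE_RESPONSE):
        print(f"{f['InstanceId']} {f['PublicIp']} ({f['Kind']}) on {f['SubnetId']}")
```

Feed it real output with `aws ec2 describe-instances --output json` piped into `json.load`; an empty result means no instance in the account and region currently violates the rule.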
