Rule: EC2 Instances Should Not Have a Public IP Address
This rule enforces the restriction of public IP addresses for EC2 instances.
| Rule | EC2 instances should not have a public IP address |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ High |
Rule Description:
According to the FedRAMP Low Revision 4 compliance requirements, EC2 instances should not have a public IP address. This ensures that the instances are not directly accessible from the internet to minimize potential security risks. The absence of a public IP address enhances the security posture of the infrastructure by reducing the attack surface, making it less vulnerable to unauthorized access attempts.
Troubleshooting Steps:
If an EC2 instance in your AWS environment has a public IP address, follow these steps to troubleshoot and remediate the issue:
- 1.
Identify the EC2 instance: Determine the specific instance that has a public IP address assigned to it.
- 2.
Review the security group settings: Check the security groups associated with the instance to verify if any rules allow inbound traffic from the internet. It is crucial to ensure that there are no rules allowing access from 0.0.0.0/0 (any IP) or specific IP ranges associated with the public internet.
- 3.
Check for elastic IP associations: Confirm whether the instance has an elastic IP associated with it. Elastic IPs are publicly routable IP addresses that can be a potential security risk if wrongly assigned to an instance.
- 4.
Review the subnet configuration: Ensure that the subnet associated with the instance does not have a route table configured to send traffic directly to an internet gateway. Instances should ideally be placed in private subnets without internet connectivity.
- 5.
Validate Network ACL rules: Verify the Network ACL (Access Control List) associated with the subnet and ensure that there are no inbound or outbound rules allowing unrestricted traffic to or from the internet.
Remediation Steps:
To address the issue of an EC2 instance having a public IP address, follow these steps:
- 1.Remove the public IP address:
- Open the Amazon EC2 Management Console.
- Navigate to the Instances page.
- Select the instance that has a public IP address.
- Click on the "Actions" button and choose "Networking" → "Manage IP Addresses."
- In the "Manage IP Addresses" dialog, select the public IP address listed and click on "Disassociate."
- Confirm the disassociation of the public IP address.
- 1.Modify security group rules:
- Still in the EC2 Management Console, go to the "Security Groups" page.
- Locate the security group associated with the instance.
- Edit the inbound and outbound rules to restrict access to only necessary ports and specific IP ranges if required.
- Remove any rules that allow ingress/egress traffic from 0.0.0.0/0 or the public internet.
- 1.Check and remove elastic IP associations:
- In the EC2 Management Console, navigate to the "Elastic IPs" page.
- Identify any elastic IP associated with the instance and release it if not required. Release the elastic IP by selecting it and clicking on "Release addresses."
- 1.Reconfigure the subnet:
- Go to the "Subnets" page in the EC2 Management Console.
- Find the subnet associated with the instance.
- Check the route table associated with the subnet and modify it to remove any explicit route entries sending traffic to the internet gateway. Ensure that the default route points to an internal network or a NAT gateway if required.
- 1.Validate Network ACL rules:
- In the EC2 Management Console, go to the "Network ACLs" page.
- Locate the Network ACL associated with the subnet.
- Modify the inbound and outbound rules of the Network ACL to deny all unnecessary inbound/outbound traffic from the internet.
By following the above steps, you can ensure that EC2 instances in your environment do not have public IP addresses and comply with the FedRAMP Low Revision 4 requirement. Regular monitoring and auditing are recommended to maintain compliance and address any deviations promptly.