Rule: EC2 Instances Should Not Have a Public IP Address
This rule ensures that EC2 instances do not have a public IP address to enhance security.
| Rule | EC2 instances should not have a public IP address |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | ✔ High |
Rule Description:
The rule dictates that EC2 instances should not be assigned a public IP address for Federal Financial Institutions Examination Council (FFIEC) compliance. Public IP addresses can expose sensitive data and pose a security risk for FFIEC regulated institutions. EC2 instances should only have private IP addresses to ensure data confidentiality and meet compliance requirements.
Troubleshooting Steps:
If an EC2 instance within an FFIEC regulated environment is found to have a public IP address, the following troubleshooting steps can be followed:
- 1.
Verify the existing EC2 instance configuration:
- Go to the AWS Management Console.
- Open the EC2 service.
- Find the EC2 instance in question.
- 2.
Check if the instance has a public IP assigned:
- Select the EC2 instance.
- Look for the "Public IP" field in the description.
- If a public IP address is present, further actions are needed.
- 3.
Understand the reason for the public IP assignment:
- Determine if the public IP was intentionally assigned for a legitimate use case.
- Evaluate the necessity of the public IP while considering FFIEC compliance requirements.
- If the public IP is deemed unnecessary, proceed to remediation steps.
Remediation:
To remove the public IP address from the EC2 instance, follow the step-by-step guide below:
- 1.
Allocate an Elastic IP address:
- Go to the AWS Management Console.
- Open the EC2 service.
- Navigate to the "Elastic IPs" section in the left sidebar.
- Click on the "Allocate new address" button.
- Choose the Amazon's pool or specify a particular pool to allocate the Elastic IP.
- 2.
Associate the Elastic IP with the EC2 instance:
- Select the newly allocated Elastic IP address.
- Click on the "Actions" button.
- Choose "Associate IP address."
- In the "Associate Elastic IP address" dialog box, select the EC2 instance from the drop-down menu.
- Click on the "Associate" button to associate the Elastic IP with the EC2 instance.
- 3.
Verify the removal of the public IP:
- Go to the AWS Management Console.
- Open the EC2 service.
- Find the EC2 instance.
- Verify that the "Public IP" field in the description is now empty.
- 4.
Test the instance connectivity:
- Attempt to connect to the EC2 instance using its private IP address.
- Ensure that necessary security group rules are configured to allow desired inbound and outbound traffic.
- Verify that the EC2 instance functions properly without a public IP address.
Additional Notes:
- Removing the public IP address from the EC2 instance ensures compliance with FFIEC regulations.
- In case the instance requires temporary public access for specific tasks, it is recommended to use bastion hosts or AWS Systems Manager Session Manager for secure remote access instead of assigning a permanent public IP.
- Regularly review your EC2 instances to ensure ongoing compliance with FFIEC regulations.