EC2 instance should not have public IP

ID

ec2_public_ip

Severity

high

Vendor

AWS

Resource

EC2 Instance

Tags

reachable

Description

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud.

An EC2 instance with a public IPv4 address is reachable directly from the internet, so its security group rules become the only network boundary between it and unsolicited traffic. Keep instances private inside the VPC, with no public address, unless one is genuinely required; traffic that must arrive from the internet is better terminated on a load balancer or another dedicated entry point, and outbound access can go through a NAT gateway.

Examples

CloudFormation

{
  "Resources": {
    "EC2InstanceResource": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-989491289078sad",
        "NetworkInterfaces": [
          {
            "AssociatePublicIpAddress": true, (1)
            "DeviceIndex": "0",
            "GroupSet": [
              "myVPCEC2SecurityGroup"
            ],
            "SubnetId": "PublicSubnet"
          }
        ]
      }
    }
  }
}
1 AssociatePublicIpAddress set to true means the instance is launched with a public IPv4 address.

Resources:
  EC2InstanceResource1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-989491289078sad
      NetworkInterfaces:
        - AssociatePublicIpAddress: true (1)
          DeviceIndex: "0"
          GroupSet:
            - "myVPCEC2SecurityGroup"
          SubnetId: "PublicSubnet"
1 AssociatePublicIpAddress set to true means the instance is launched with a public IPv4 address.

Terraform

resource "aws_instance" "public" {
  ami           = "ami-12345"
  instance_type = "t3.micro"

  associate_public_ip_address = true (1)
}

resource "aws_launch_template" "public" {
  image_id      = "ami-12345"
  instance_type = "t3.micro"

  network_interfaces {
    associate_public_ip_address = true (1)
  }
}

1 The associate_public_ip_address attribute is set to true, so the instance (or every instance launched from the template) receives a public IPv4 address.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "EC2InstanceResource": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-989491289078sad",
        "NetworkInterfaces": [
          {
            "AssociatePublicIpAddress": false, (1)
            "DeviceIndex": "0",
            "GroupSet": [
              "myVPCEC2SecurityGroup"
            ],
            "SubnetId": "PublicSubnet"
          }
        ]
      }
    }
  }
}
1 AssociatePublicIpAddress set to false means the instance is launched without a public IPv4 address.

Resources:
  EC2InstanceResource1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-989491289078sad
      NetworkInterfaces:
        - AssociatePublicIpAddress: false (1)
          DeviceIndex: "0"
          GroupSet:
            - "myVPCEC2SecurityGroup"
          SubnetId: "PublicSubnet"
1 AssociatePublicIpAddress set to false means the instance is launched without a public IPv4 address.

Terraform

resource "aws_instance" "private" {
  ami           = "ami-12345"
  instance_type = "t3.micro"

  associate_public_ip_address = false (1)
}

resource "aws_launch_template" "private" {
  image_id      = "ami-12345"
  instance_type = "t3.micro"

  network_interfaces {
    associate_public_ip_address = false (1)
  }
}
1 Set associate_public_ip_address explicitly to false. When the attribute is omitted, Terraform does not default it to false: the instance inherits the subnet's auto-assign public IPv4 setting, so an instance or launch template placed in a subnet with that setting enabled still receives a public address.
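The following build-time check encodes this rule against a CloudFormation JSON template. It is added here as an example and is not the rule's own implementation; the template it evaluates, including its logical IDs, AMI and subnet names, is constructed. It flags AWS::EC2::Instance and AWS::EC2::LaunchTemplate resources whose network interfaces request a public IPv4 address, and separately reports resources that never set AssociatePublicIpAddress, because those inherit the subnet's auto-assign setting rather than defaulting to private:

```python
"""Build-time check for the ec2_public_ip rule over a CloudFormation JSON template.

Added example, not the rule's own implementation. Flags instances and launch
templates that request a public IPv4 address, and reports those that leave the
decision to the subnet's auto-assign setting.
"""
import json

# Constructed sample template; logical IDs, AMI and subnet names are made up.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "PublicInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-12345",
                "NetworkInterfaces": [
                    {"AssociatePublicIpAddress": True, "DeviceIndex": "0", "SubnetId": "PublicSubnet"}
                ],
            },
        },
        "PrivateInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-12345",
                # CloudFormation also accepts the boolean in string form.
                "NetworkInterfaces": [
                    {"AssociatePublicIpAddress": "false", "DeviceIndex": "0", "SubnetId": "PrivateSubnet"}
                ],
            },
        },
        "InheritsSubnetDefault": {
            # No NetworkInterfaces block at all: the subnet's auto-assign setting decides.
            "Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-12345", "SubnetId": "PublicSubnet"},
        },
        "AppLaunchTemplate": {
            "Type": "AWS::EC2::LaunchTemplate",
            "Properties": {
                "LaunchTemplateData": {
                    "ImageId": "ami-12345",
                    "NetworkInterfaces": [{"DeviceIndex": 0, "AssociatePublicIpAddress": True}],
                }
            },
        },
        "LogsBucket": {"Type": "AWS::S3::Bucket"},
    }
})


def _network_interfaces(resource):
    """Return the network interface definitions for the two resource types the rule
    covers, or None for any other resource type."""
    props = resource.get("Properties", {})
    if resource.get("Type") == "AWS::EC2::Instance":
        return props.get("NetworkInterfaces", [])
    if resource.get("Type") == "AWS::EC2::LaunchTemplate":
        return props.get("LaunchTemplateData", {}).get("NetworkInterfaces", [])
    return None


def _is_true(value):
    # Accepts JSON true and the string "true"; an intrinsic function such as
    # {"Ref": ...} cannot be resolved statically and is treated as not-true here.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_template(template_json):
    """Evaluate the rule over a CloudFormation JSON template.

    Returns (failed, unresolved): logical IDs that explicitly request a public IPv4
    address, and logical IDs that never set AssociatePublicIpAddress and therefore
    depend on the subnet's auto-assign setting.
    """
    template = json.loads(template_json)
    failed, unresolved = [], []
    for logical_id, resource in template.get("Resources", {}).items():
        interfaces = _network_interfaces(resource)
        if interfaces is None:
            continue  # not an instance or launch template
        explicit = [eni["AssociatePublicIpAddress"] for eni in interfaces
                    if "AssociatePublicIpAddress" in eni]
        if any(_is_true(v) for v in explicit):
            failed.append(logical_id)
        elif not explicit:
            unresolved.append(logical_id)
    return failed, unresolved


if __name__ == "__main__":
    failed, unresolved = check_template(SAMPLE_TEMPLATE)
    for logical_id in failed:
        print(f"FAIL {logical_id}: requests a public IPv4 address")
    for logical_id in unresolved:
        print(f"WARN {logical_id}: inherits the subnet auto-assign setting")
```

The "unresolved" list is reported separately rather than as a failure because the outcome depends on the subnet, which is exactly why the fix above sets the property explicitly instead of relying on a default.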

Runtime

AWS Console

To change whether instances launched into a subnet receive a public IPv4 address, go to the Amazon VPC Console:

  • In the navigation pane, select Subnets.

  • Select a subnet, then select Subnet Actions > Modify auto-assign IP settings.

  • When Auto-assign public IPv4 address is selected, every instance launched into the subnet receives a public IPv4 address unless the launch request overrides it. When it is cleared, instances launched into the subnet stay private unless the launch request, or an attached Elastic IP, explicitly gives them a public address.

  • Click Save.

This setting is applied at launch time and does not remove the public address from instances that are already running. An auto-assigned public IPv4 address cannot be disassociated manually; it is released when the instance is stopped. An Elastic IP stays attached until it is disassociated.
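To verify at runtime which instances actually hold a public IPv4 address, the following script evaluates the JSON returned by `aws ec2 describe-instances`. It is an added example, not the rule's own code; the sample response it runs against offline is constructed, and the script name in its usage comment is arbitrary. It inspects every network interface rather than only the top-level PublicIpAddress field (an Elastic IP on a secondary interface does not appear there), and it tells an auto-assigned address apart from an Elastic IP, which decides whether stopping the instance or disassociating the address is the fix:

```python
"""Runtime audit for the ec2_public_ip rule over `aws ec2 describe-instances` output.

Added example, not the rule's own implementation. Usage (script name arbitrary):
    aws ec2 describe-instances --output json | python3 audit_public_ips.py
Without piped input it runs against the constructed sample below.
"""
import json
import sys

# Constructed sample in the shape of describe-instances, trimmed to the fields read
# below. Instance IDs, addresses and the account ID are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {   # auto-assigned public IPv4 on the primary interface
                "InstanceId": "i-0a1b2c3d4e5f60001",
                "State": {"Name": "running"},
                "PublicIpAddress": "203.0.113.10",
                "NetworkInterfaces": [{"PrivateIpAddress": "10.0.0.10",
                                       "Association": {"PublicIp": "203.0.113.10",
                                                       "IpOwnerId": "amazon"}}],
            },
            {   # private only
                "InstanceId": "i-0a1b2c3d4e5f60002",
                "State": {"Name": "running"},
                "NetworkInterfaces": [{"PrivateIpAddress": "10.0.1.20"}],
            },
            {   # Elastic IP on a secondary interface: no top-level PublicIpAddress,
                # so a check that reads only that field would miss this instance
                "InstanceId": "i-0a1b2c3d4e5f60003",
                "State": {"Name": "running"},
                "NetworkInterfaces": [
                    {"PrivateIpAddress": "10.0.1.30"},
                    {"PrivateIpAddress": "10.0.1.31",
                     "Association": {"PublicIp": "198.51.100.7",
                                     "IpOwnerId": "123456789012"}},
                ],
            },
        ]
    }]
})


def find_public_instances(describe_json):
    """Return {instance_id: (public_ip, kind)} for every instance exposing a public IPv4.

    kind is "auto-assigned" (IpOwnerId "amazon"; released when the instance stops) or
    "elastic-ip" (owned by an account; stays until explicitly disassociated). Every
    network interface is inspected, one finding per instance.
    """
    findings = {}
    data = json.loads(describe_json)
    for reservation in data.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            for eni in instance.get("NetworkInterfaces", []):
                association = eni.get("Association") or {}
                public_ip = association.get("PublicIp")
                if not public_ip:
                    continue
                kind = "auto-assigned" if association.get("IpOwnerId") == "amazon" else "elastic-ip"
                findings[instance["InstanceId"]] = (public_ip, kind)
    return findings


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    for instance_id, (public_ip, kind) in sorted(find_public_instances(raw).items()):
        print(f"{instance_id}\t{public_ip}\t{kind}")
```

The check covers IPv4 only; an IPv6 address assigned to an interface is also internet-routable and would need a separate check.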