Description:

A public IP address is an IPv4 address that is reachable from the Internet. Public addresses can be used for communication between your instances and the Internet. A public IP address is assigned to your instance from Amazon's pool of public IPv4 addresses; it is not associated with your AWS account. If a public IP address is disassociated from your instance, it is released back into the public IPv4 address pool, and you cannot reuse it.


Rationale:

Instances are usually deployed behind an internet-facing load balancer and do not have to be publicly reachable. For this reason, we make sure that EC2 instances are not associated with a public IP address.

If your instance is associated with a public address, it is directly accessible from the internet, which exposes it to the many malicious activities taking place there. This policy protects your instances from that direct exposure.


Impact:

If EC2 instances are associated with a public IP, they are more vulnerable: attackers may harm your system or instances and may attempt DoS attacks. Making sure instances have no public IP protects them from DoS and MITM attacks, and attackers are unable to discover your instances over the internet.


Default Value:

When you launch an instance in a default VPC, we assign it a public IP address by default. If you launch an instance into non-default VPC, the subnet has an attribute that determines whether instances launched into that subnet receive a public address from the public IPv4 address pool. By default, we don’t assign a public IP address to instances launched in a non-default subnet.


Pre-Requisite:

  • When you launch a new instance, do not enable the auto-assign public IP address option.

  • Do not select your default VPC and subnet when launching the instance.

  • Before implementation, you must take a snapshot of your instance.

Remediation:

Use a non-default VPC so that your instance is not assigned a public IP address by default.

When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool. 


Test Plan:

  • Log in to the AWS Management Console.

  • Go to the EC2 console at https://console.aws.amazon.com/ec2/

  • In the left navigation pane, choose Instances and select the instance you want to examine.

  • Go to the Networking tab.

  • Under Networking details, check whether a Public IPv4 address is associated.

    If a public IP address is associated, follow the Implementation Steps.


Using AWS CLI:

To describe an instance:

aws ec2 describe-instances \
    --instance-ids i-xxxxxxxxxxxxxxxxx

To prevent public IP assignment:

  1. Use the run-instances command with the --no-associate-public-ip-address option.

  2. Execute the modify-subnet-attribute command with --no-map-customer-owned-ip-on-launch.
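The console check in the Test Plan, scripted over the JSON that describe-instances and describe-subnets return, as an added example that is not part of this control document: it lists instances currently holding a public IPv4 address and subnets whose MapPublicIpOnLaunch attribute (the subnet attribute the Default Value section refers to) would assign one at launch. The instance and subnet IDs are constructed placeholders.

```python
import json

# Constructed sample of "aws ec2 describe-instances --output json"
# (placeholder IDs; 203.0.113.0/24 is a documentation range).
DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "SubnetId": "subnet-0aaaa1",
             "PublicIpAddress": "203.0.113.10", "State": {"Name": "running"}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "SubnetId": "subnet-0bbbb2",
             "State": {"Name": "running"}},
        ]
    }]
})

# Constructed sample of "aws ec2 describe-subnets --output json".
DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaaa1", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0bbbb2", "MapPublicIpOnLaunch": False},
    ]
})


def instances_with_public_ip(describe_instances_json):
    """Return IDs of instances that hold a public IPv4 address.

    The PublicIpAddress key is absent when no address is assigned
    (a stopped instance has its pool address released), so the
    check is simply whether the key is present and non-empty."""
    data = json.loads(describe_instances_json)
    found = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("PublicIpAddress"):
                found.append(inst["InstanceId"])
    return found


def subnets_auto_assigning_public_ip(describe_subnets_json):
    """Return IDs of subnets whose MapPublicIpOnLaunch is true; new
    instances launched there get a public address unless run-instances
    is called with --no-associate-public-ip-address."""
    data = json.loads(describe_subnets_json)
    return [s["SubnetId"] for s in data.get("Subnets", [])
            if s.get("MapPublicIpOnLaunch")]


if __name__ == "__main__":
    print("instances with public IP:", instances_with_public_ip(DESCRIBE_INSTANCES))
    print("subnets auto-assigning:", subnets_auto_assigning_public_ip(DESCRIBE_SUBNETS))
```

Feed it real output by piping `aws ec2 describe-instances --output json` into the first function; any ID it returns is a candidate for the Implementation Steps.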



Implementation Steps:

  1. Log in to the AWS Management Console.

  2. Go to the EC2 console at https://console.aws.amazon.com/ec2/

  3. In the left navigation pane, choose Instances.

  4. Select the instance whose public IP you want to remove.

  5. Click on Actions, select Image and templates, and click on Create image.

On the Create image page, provide the details as follows:

  1. Enter a name for the new AMI in the Image name box.

  2. Optionally, describe it in the Image description box.

  3. Leave the No reboot option unchecked so that AWS can guarantee the file system integrity of the new AMI.

  4. Click Create image.

It will take a few minutes to create the image and the status will change from pending to available.

  1. After the AMI is available, use it to re-launch the instance. Follow these steps to launch the instance:

    1. Click the Launch Instance button on the EC2 dashboard.

    2. On the Choose an Amazon Machine Image (AMI) page, choose the My AMIs tab, then select the AMI created in step no. 6.

    3. On the Choose an Instance Type page, select the same instance type used by the source instance, then click the Next: Configure Instance Details button.

    4. On the Configure Instance Details page, select Disable from the Auto-assign Public IP dropdown list and configure any other options on the page based on your needs. Click Next: Add Storage without changing any configuration settings.

    5. Click Next: Add Tags and add tags as per your requirements.

    6. On the Configure Security Groups page, choose Select an existing security group and select the security group attached to the source EC2 instance.

    7. Click the Review and Launch button, review your instance configuration details and click Launch.

    8. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source instance. Check the I acknowledge that I have access to the selected private key file option, then click Launch Instances.

  2. Once the new instance is available, replace the old instance with the new instance in your load balancer configuration settings.

  3. Now you can terminate the old EC2 instance. Follow these steps:

    1. Select the instance and click on Instance state.

    2. Choose Terminate instance.



Backout Plan:

You can attach the old volume to the new instance. Follow these steps:

  1. Navigate to the EC2 console at https://console.aws.amazon.com/ec2/

  2. Click on Volumes under the Elastic Block Store section.

  3. Select the volume you want to attach and click on Actions.

  4. Choose Attach Volume.


Using AWS CLI:

To create the instance from the AMI:

aws ec2 run-instances \
    [--block-device-mappings <value>] \
    [--image-id <value>]


Reference:

  1. ec2-instance-no-public-ip - AWS Config 

  2. Amazon EC2 instance IP addressing - Amazon Elastic Compute Cloud 

  3. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-9