Profile Applicability:

  • Level 1

Description:

An EC2 instance can be assigned a public IP address (either via Elastic IP or through the default public IP) when it is launched in a public subnet. Public IPs allow the instance to be accessible from the internet, which can be useful for services such as web servers but can also present security risks if the instance is exposed unnecessarily. This SOP ensures that EC2 instances with public IPs are identified, and the associated security risks are evaluated.

Rationale:

Exposing EC2 instances to the internet via a public IP can increase the attack surface of the instance, potentially leading to unauthorized access or attacks. It is important to regularly check for instances that should not have public access, particularly in environments where the instances should be private or where exposure to the internet is not required. Identifying and controlling these IPs ensures better security posture and minimizes the risk of exposure.

Impact:

Pros:

  • Security Review: Helps to identify and mitigate unnecessary exposure of EC2 instances to the public internet.

  • Compliance: Ensures that EC2 instances comply with organizational security policies.

  • Control: Allows for more granular control over EC2 instances that require internet access.

Cons:

  • Internal Access: Instances with public IPs are often needed for specific public-facing applications (e.g., web servers, API services), and this check may require additional configuration for those use cases.

Default Value:

By default, EC2 instances in a public subnet may automatically receive public IPs if not explicitly configured otherwise. In some cases, Elastic IPs are manually associated with EC2 instances for persistent internet access.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeInstances

    • ec2:DescribeAddresses

  • AWS CLI installed and configured.

  • Basic understanding of public IPs and Elastic IPs in AWS.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the left-hand navigation pane, select Instances under Instances.

  4. Look for the Public IP column:

    • Instances with a public IP will show their public IP address in this column.

  5. For each EC2 instance, check the Public IP field:

    • If the field is populated, the instance has a public IP.

  6. Alternatively, check the Elastic IP allocation section under Elastic IPs in EC2 to identify if any Elastic IPs are associated with EC2 instances.

Using AWS CLI:

Run the following command to list all EC2 instances and their associated public IPs:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].{ID:InstanceId,PublicIP:PublicIpAddress}' --output table

This will display the Instance IDs and Public IPs associated with each EC2 instance.

To identify instances with Elastic IPs associated, use the following command:

aws ec2 describe-addresses --query 'Addresses[*].{IP:PublicIp,InstanceId:InstanceId}' --output table

This will return a list of Elastic IPs and the Instance IDs to which they are associated.

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to EC2.

  3. In the Instances section, identify EC2 instances with Public IPs by checking the Public IP column.

  4. If an instance has a Public IP and it shouldn't, consider the following actions:

    • Disassociate the Elastic IP (if applicable) from the EC2 instance.

    • Modify the instance's security group and network configuration to restrict its public access.

    • If the instance should be private, ensure it is in a private subnet with NAT Gateway or VPN configured for internet access, rather than using a public IP.

Using AWS CLI:

List the EC2 instances and their associated Public IPs:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].{ID:InstanceId,PublicIP:PublicIpAddress}' --output table

List any Elastic IPs associated with EC2 instances:

aws ec2 describe-addresses --query 'Addresses[*].{IP:PublicIp,InstanceId:InstanceId}' --output table

For each EC2 instance that should not have a public IP, perform the following actions:

Disassociate the Elastic IP using the association ID (returned by aws ec2 describe-addresses when AssociationId is included in the --query projection):

aws ec2 disassociate-address --association-id <association-id>

  • Ensure that the instance is in a private subnet and restrict public access through security groups or Network ACLs.
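The two describe commands above only list addresses; deciding what to do with each one depends on whether the address is an Elastic IP (removable with disassociate-address) or an auto-assigned public IP (which disassociate-address cannot remove). The following added example, not part of this SOP, joins the JSON output of both commands and classifies each instance accordingly; the instance IDs, addresses and allocation IDs are constructed sample data.

```python
import json

# Constructed sample output of `aws ec2 describe-instances` (not real data).
SAMPLE_INSTANCES = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111", "PublicIpAddress": "203.0.113.10", "SubnetId": "subnet-pub1"},
  {"InstanceId": "i-0bbb222", "PublicIpAddress": "203.0.113.20", "SubnetId": "subnet-pub1"},
  {"InstanceId": "i-0ccc333", "SubnetId": "subnet-priv1"}]}]}""")

# Constructed sample output of `aws ec2 describe-addresses`; the second EIP is
# allocated but not associated with any instance, so it has no InstanceId key.
SAMPLE_ADDRESSES = json.loads("""{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-aaa",
   "AssociationId": "eipassoc-aaa", "InstanceId": "i-0aaa111"},
  {"PublicIp": "203.0.113.99", "AllocationId": "eipalloc-zzz"}]}""")

def classify_public_ips(instances, addresses):
    """Map instance id -> finding for every instance with a public IP; source is
    'elastic' (an Elastic IP, removable with disassociate-address) or 'auto'
    (assigned at launch; released on stop, so fix subnet/SG settings instead)."""
    eip_by_ip = {a["PublicIp"]: a for a in addresses.get("Addresses", [])}
    findings = {}
    for reservation in instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            ip = inst.get("PublicIpAddress")
            if not ip:
                continue  # private instance, nothing to report
            eip = eip_by_ip.get(ip)
            findings[inst["InstanceId"]] = {
                "public_ip": ip,
                "subnet": inst.get("SubnetId"),
                "source": "elastic" if eip else "auto",
                "association_id": eip.get("AssociationId") if eip else None,
            }
    return findings

def unassociated_eips(addresses):
    """Elastic IPs allocated but attached to no instance (still reachable, still billed)."""
    return [a["PublicIp"] for a in addresses.get("Addresses", []) if "InstanceId" not in a]

def remediation_command(instance_id, finding):
    """The CLI action this SOP prescribes for a finding, returned as text to review first."""
    if finding["source"] == "elastic":
        return f"aws ec2 disassociate-address --association-id {finding['association_id']}"
    return f"# {instance_id}: auto-assigned public IP; restrict via security group or move to a private subnet"

if __name__ == "__main__":
    for iid, f in classify_public_ips(SAMPLE_INSTANCES, SAMPLE_ADDRESSES).items():
        print(iid, f["public_ip"], f["source"], "->", remediation_command(iid, f))
    print("unassociated EIPs:", unassociated_eips(SAMPLE_ADDRESSES))
```

To run it against a real account, replace the two constructed samples with `json.load()` of the `--output json` form of each describe command.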

Backout Plan:

If removing a public IP or Elastic IP from an instance causes functionality issues (e.g., web servers requiring public access):

Identify the affected EC2 instance.

Reassociate the Elastic IP to the instance:

aws ec2 associate-address --instance-id <instance-id> --public-ip <elastic-ip>

For an Elastic IP allocated in a VPC, pass --allocation-id <allocation-id> instead of --public-ip; the allocation ID is shown by aws ec2 describe-addresses.

Alternatively, modify the security group to allow access from trusted IPs or specific subnets rather than from the public internet.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                           |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |