
πŸ“ AWS EC2 Instance without a public IP address is in a public subnet 🟒

  • Contextual name: πŸ“ Instance without a public IP address is in a public subnet 🟒
  • ID: /ce/ca/aws/ec2/instance-without-public-ip-in-public-subnet
  • Located in: πŸ“ AWS EC2

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Logic

Description

EC2 instances without a public IPv4/IPv6 address are unable to connect to the internet through the Internet Gateway, so placing them in a public subnet serves no purpose.

If an EC2 instance is intended to be public, it is necessary to assign it a public IP address. If it does not require direct internet access, it is advisable to move the instance to a private subnet.

If the subnet itself is misconfigured, consider removing the direct route to the Internet Gateway from the public subnet's route table, which makes the subnet private.

Rationale

It is recommended to use a Bastion Host or NAT Device to provide internet access to EC2 instances in a private subnet.

  • A Bastion Host serves as a secure entry point for SSH or RDP access, allowing administrators to manage instances without exposing them directly to the internet.
  • Similarly, a NAT Device enables instances in a private subnet to initiate outbound traffic to the internet while preventing unsolicited inbound connections. These approaches improve security by controlling access points and minimizing the attack surface.

Remediation

From Command Line

Remove an Internet Gateway Route from a Route Table

Run the following command to delete a route from a route table. delete-route identifies the route by its destination, so the destination of the Internet Gateway route must be given as well:

aws ec2 delete-route --route-table-id {{route-table-id}} --destination-cidr-block 0.0.0.0/0

Replace {{route-table-id}} with the actual route table ID. 0.0.0.0/0 is the IPv4 default route; for an IPv6 default route to the Internet Gateway use --destination-ipv6-cidr-block ::/0 instead.

Associate a Subnet with a Route Table without an Internet Gateway Route

You can disassociate a subnet from a route table and associate it with a route table that does not have an Internet Gateway route. Until you associate the subnet with another route table, it is implicitly associated with the VPC's main route table, so check that the main route table does not itself contain an Internet Gateway route.

Disassociate a subnet from a route table

aws ec2 disassociate-route-table --association-id {{association-id}}

Replace {{association-id}} with the actual association ID representing the current association between the route table and the subnet.

Associate a subnet with a route table

aws ec2 associate-route-table --route-table-id {{route-table-id}} --subnet-id {{subnet-id}}

Replace {{route-table-id}} with the actual route table ID and {{subnet-id}} with the ID of the subnet you want to associate.
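As an added example that is not part of this policy page or its policy.yaml, the check below evaluates the condition this policy flags over constructed describe-route-tables and describe-instances output. It resolves a subnet with no explicit association to the VPC's main route table, as noted above, and treats a route table as public when an active default route targets an igw-. All resource IDs are placeholders.

```python
import json
# Constructed sample data shaped like describe-route-tables / describe-instances output; IDs are placeholders.
ROUTE_TABLES = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": true}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]},
 {"RouteTableId": "rtb-private", "VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-b"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1", "State": "active"}]}]}""")
INSTANCES = json.loads("""{"Reservations": [{"Instances": [
 {"InstanceId": "i-noip-public", "VpcId": "vpc-1", "SubnetId": "subnet-a", "NetworkInterfaces": []},
 {"InstanceId": "i-noip-private", "VpcId": "vpc-1", "SubnetId": "subnet-b", "NetworkInterfaces": []},
 {"InstanceId": "i-withip", "VpcId": "vpc-1", "SubnetId": "subnet-a",
  "PublicIpAddress": "203.0.113.10", "NetworkInterfaces": []}]}]}""")

def is_public_route_table(rt):
    # Public = an active default route (IPv4 or IPv6) whose target is an internet gateway.
    for r in rt["Routes"]:
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and r.get("State") == "active" \
                and r.get("GatewayId", "").startswith("igw-"):
            return True
    return False

def route_table_for(subnet_id, vpc_id, route_tables):
    # An explicit subnet association wins; without one, the subnet is
    # implicitly associated with the VPC's main route table.
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main") and rt["VpcId"] == vpc_id:
                main = rt
    return main

def has_public_address(inst):
    # Public IPv4 is reported directly; IPv6 addresses (globally routable) sit on the ENIs.
    return bool(inst.get("PublicIpAddress")) or any(
        eni.get("Ipv6Addresses") for eni in inst.get("NetworkInterfaces", []))

def find_violations(instances, route_tables):
    # Instances that sit in a public subnet but carry no public IPv4/IPv6 address.
    hits = []
    for res in instances["Reservations"]:
        for inst in res["Instances"]:
            rt = route_table_for(inst["SubnetId"], inst["VpcId"], route_tables)
            if rt and is_public_route_table(rt) and not has_public_address(inst):
                hits.append(inst["InstanceId"])
    return hits
```

Only i-noip-public is reported: it has no explicit association, inherits the main route table's igw- default route, and has no public address; i-noip-private sits behind a NAT gateway and i-withip already has a public IPv4 address.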

policy.yaml