🛡️ AWS EC2 Instance without a public IP address is in a public subnet🟢

  • Contextual name: 🛡️ Instance without a public IP address is in a public subnet🟢
  • ID: /ce/ca/aws/ec2/instance-without-public-ip-in-public-subnet
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic

Description

EC2 Instances without a public IPv4/IPv6 address are unable to connect to the internet through the Internet Gateway.

If an EC2 instance is intended to be public, it must be assigned a public IP address. If the instance does not require internet access, it is advisable to migrate it to a private subnet.

If the subnet itself is misconfigured, consider removing its direct route to the Internet Gateway, which makes the subnet private.

Rationale

It is recommended to use a Bastion Host or NAT Device to provide internet access to EC2 instances in a private subnet.

  • A Bastion Host serves as a secure entry point for SSH or RDP access, allowing administrators to manage instances without exposing them directly to the internet.
  • Similarly, a NAT Device enables instances in a private subnet to initiate outbound traffic to the internet while preventing unsolicited inbound connections. These approaches improve security by controlling access points and minimizing the attack surface.
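The policy's condition (no public address on the instance, effective route table of its subnet has a default route to an Internet Gateway) can be evaluated directly over the EC2 API response shapes. The following is an added example, not code from this page or from Cloudaware; it assumes the record layout returned by boto3's describe_instances() and describe_route_tables(), and all sample data is constructed.

```python
# Added example; not code from the Cloudaware policy page. It applies the policy
# condition to the record shapes returned by boto3 describe_instances() and
# describe_route_tables(). All sample data below is constructed.

def effective_route_table(subnet_id, route_tables):
    """Explicitly associated table if any, else the VPC main table (implicit)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def is_public_subnet(subnet_id, route_tables):
    """Public: effective table routes 0.0.0.0/0 or ::/0 to an internet gateway."""
    rt = effective_route_table(subnet_id, route_tables) or {}
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and route.get("GatewayId", "").startswith("igw-"):
            return True
    return False

def has_public_ip(instance):
    """Public IPv4 on the instance, or any IPv6 address on an attached ENI."""
    if instance.get("PublicIpAddress"):
        return True
    return any(eni.get("Ipv6Addresses") for eni in instance.get("NetworkInterfaces", []))

def find_violations(instances, route_tables):
    """IDs of instances with no public address that sit in a public subnet."""
    return [i["InstanceId"] for i in instances
            if not has_public_ip(i) and is_public_subnet(i["SubnetId"], route_tables)]

# Constructed sample: rtb-main is the VPC main table (local route only);
# rtb-pub has a default route to an IGW and is associated with subnet-pub.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "SubnetId": "subnet-pub", "NetworkInterfaces": []},   # flagged
    {"InstanceId": "i-0bbb", "SubnetId": "subnet-priv", "NetworkInterfaces": []},  # private, fine
    {"InstanceId": "i-0ccc", "SubnetId": "subnet-pub", "PublicIpAddress": "203.0.113.7"},
]
```

Running find_violations(SAMPLE_INSTANCES, SAMPLE_ROUTE_TABLES) returns only i-0aaa: it has no public address but its subnet's route table sends 0.0.0.0/0 to an IGW, while i-0bbb falls back to the main table, which has no such route.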

Remediation

From Command Line

Remove an Internet Gateway Route from a Route Table

Run the following command to delete a route from a route table (delete-route requires both the route table ID and the destination of the route to remove):

aws ec2 delete-route --route-table-id {{route-table-id}} --destination-cidr-block {{destination-cidr-block}}

Replace {{route-table-id}} with the actual route table ID and {{destination-cidr-block}} with the destination of the Internet Gateway route, typically 0.0.0.0/0 (for an IPv6 default route, use --destination-ipv6-cidr-block ::/0 instead). Deleting the route affects every subnet associated with that route table, so confirm its associations first with aws ec2 describe-route-tables --route-table-ids {{route-table-id}}.

Associate a Subnet with a Route Table without an Internet Gateway Route

You can disassociate a subnet from a route table and associate it with a route table that does not have an internet gateway route. Until you associate the subnet with another route table, it will be implicitly associated with the main route table.

Disassociate a subnet from a route table
aws ec2 disassociate-route-table --association-id {{association-id}}

Replace {{association-id}} with the actual association ID representing the current association between the route table and subnet.

Associate a subnet with a route table
aws ec2 associate-route-table --route-table-id {{route-table-id}} --subnet-id {{subnet-id}}

Replace {{route-table-id}} with the actual route table ID and {{subnet-id}} with the ID of the subnet you want to associate.

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 Cloudaware Framework → 💼 System Configuration | 4 | 5 | no data