EC2 instances should not have a public IP association (IPv4)
Description
An EC2 instance with an associated public IPv4 address is directly addressable from the internet. Security groups and NACLs still filter that traffic, but they become the only barrier between the instance and every host on the internet, and a single permissive rule (for example 0.0.0.0/0 on port 22) exposes the instance immediately. To minimize the risk of unauthorized access, do not associate public IPs unless absolutely necessary: launch instances into private subnets and reach them through a load balancer, a bastion host, or AWS Systems Manager Session Manager instead.
Remediation Steps
AWS Console
Modify the public IPv4 addressing attribute of a subnet
Navigate to the VPC console.
In the navigation pane, choose Subnets.
Select your subnet and choose Actions, Edit subnet settings (Subnet Actions, Modify auto-assign IP settings in the older console).
The Enable auto-assign public IPv4 address check box, if selected, requests a public IPv4 address for every instance launched into the selected subnet. Clear the check box and choose Save. Changing this attribute only affects instances launched after the change; instances that already have a public IP keep it.
Disable public IP assignment for a single instance at launch
Navigate to EC2.
Choose Launch Instance.
Select an AMI and an instance type, and then choose Next: Configure Instance Details.
On the Configure Instance Details page, for Network, select a VPC. The Auto-assign Public IP list is displayed. Choose Disable to override the subnet's default. (In the current launch wizard the same control is under Network settings, Auto-assign public IP.) This applies only to the instance being launched: an auto-assigned public IP cannot be removed from a running instance, so an instance that already has one must be relaunched without it.
AWS CLI
Use the run-instances command with the --no-associate-public-ip-address option to launch an instance without a public IP regardless of the subnet's default, or run the modify-subnet-attribute command with --no-map-public-ip-on-launch to stop the subnet from auto-assigning public IPs to instances launched into it (this does not change instances that already exist). An Elastic IP that was associated explicitly is removed with disassociate-address.
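The following is an added example and not part of the original page: an audit script that consumes the JSON printed by aws ec2 describe-instances and aws ec2 describe-subnets, reports every network interface that carries a public IPv4, distinguishes auto-assigned addresses (owner "amazon") from Elastic IPs, and emits the exact CLI commands from this section to remediate what it found. The sample data is constructed to match the shape of the real CLI output; the instance, subnet, interface and association IDs and the 203.0.113.0/24 addresses are made up.

```python
"""Audit EC2 public IPv4 exposure and emit remediation commands.

Added example, not from the original page. Feed it the JSON from
`aws ec2 describe-instances` and `aws ec2 describe-subnets`; the data below
is constructed with the same shape (all IDs and addresses are made up).
"""
import json

DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111", "SubnetId": "subnet-0pub",
   "PublicIpAddress": "203.0.113.10",
   "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa",
     "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"}}]},
  {"InstanceId": "i-0bbb222", "SubnetId": "subnet-0priv",
   "PublicIpAddress": "203.0.113.20",
   "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0bbb",
     "Association": {"PublicIp": "203.0.113.20", "IpOwnerId": "111122223333",
                     "AssociationId": "eipassoc-0ccc"}}]},
  {"InstanceId": "i-0ccc333", "SubnetId": "subnet-0priv",
   "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0ccc"}]}
]}]}
""")

DESCRIBE_SUBNETS = json.loads("""
{"Subnets": [
  {"SubnetId": "subnet-0pub",  "VpcId": "vpc-0aaa", "MapPublicIpOnLaunch": true},
  {"SubnetId": "subnet-0priv", "VpcId": "vpc-0aaa", "MapPublicIpOnLaunch": false}
]}
""")


def public_instances(describe_instances):
    """One finding per network interface that carries a public IPv4.

    The interface-level Association is inspected rather than the top-level
    PublicIpAddress so that secondary interfaces are caught as well. An
    IpOwnerId of "amazon" marks an auto-assigned address; any other owner is
    an Elastic IP, which has an AssociationId that can be disassociated.
    """
    findings = []
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            for eni in inst.get("NetworkInterfaces", []):
                assoc = eni.get("Association", {})
                if "PublicIp" not in assoc:
                    continue
                auto = assoc.get("IpOwnerId") == "amazon"
                findings.append({
                    "instance_id": inst["InstanceId"],
                    "interface_id": eni["NetworkInterfaceId"],
                    "subnet_id": inst.get("SubnetId"),
                    "public_ip": assoc["PublicIp"],
                    "kind": "auto-assigned" if auto else "elastic-ip",
                    "association_id": assoc.get("AssociationId"),
                })
    return findings


def auto_assign_subnets(describe_subnets):
    """Subnets that hand every newly launched instance a public IP."""
    return [s["SubnetId"] for s in describe_subnets["Subnets"]
            if s.get("MapPublicIpOnLaunch")]


def remediation_commands(describe_instances, describe_subnets):
    """Exact AWS CLI commands, or a note where the CLI cannot fix it in place."""
    cmds = []
    for subnet_id in auto_assign_subnets(describe_subnets):
        # Stops future launches in this subnet from getting a public IP;
        # instances that already exist are not affected.
        cmds.append(f"aws ec2 modify-subnet-attribute --subnet-id {subnet_id} "
                    "--no-map-public-ip-on-launch")
    for f in public_instances(describe_instances):
        if f["kind"] == "elastic-ip":
            # Re-run the audit afterwards: an instance launched with auto-assign
            # may receive a fresh public IP once the Elastic IP is gone.
            cmds.append("aws ec2 disassociate-address "
                        f"--association-id {f['association_id']}")
        else:
            # An auto-assigned public IP cannot be removed from a running
            # instance; it has to be relaunched without one.
            cmds.append(f"# {f['instance_id']} ({f['public_ip']}): relaunch with "
                        "aws ec2 run-instances --no-associate-public-ip-address ...")
    return cmds


if __name__ == "__main__":
    for finding in public_instances(DESCRIBE_INSTANCES):
        print(f"{finding['instance_id']} {finding['interface_id']} "
              f"{finding['public_ip']} ({finding['kind']})")
    print("\n".join(remediation_commands(DESCRIBE_INSTANCES, DESCRIBE_SUBNETS)))
```

Against a real account, replace the two constants with `json.load()` of the CLI output (page through all regions; describe-instances is regional) and review the emitted commands before running them: disassociating an Elastic IP breaks anything that resolves to it, and relaunching an instance needs its image, type and a private subnet chosen by you.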
CloudFormation
JSON
Ensure that every entry in the NetworkInterfaces list of an AWS::EC2::Instance sets AssociatePublicIpAddress to false. NetworkInterfaces is a list of interface objects, not a single object, and each entry requires a DeviceIndex. If AssociatePublicIpAddress is omitted, the subnet's auto-assign setting decides, so set it explicitly. A public IP can only be requested for the primary interface (DeviceIndex 0) created at launch, and when NetworkInterfaces is used the subnet and security groups must be specified inside the interface entry rather than at the instance level.
{
  "Properties": {
    "NetworkInterfaces": [
      {
        "DeviceIndex": "0",
        "AssociatePublicIpAddress": false
      }
    ]
  }
}
JSON Example Configuration
The remaining required properties (ImageId, InstanceType, the interface's SubnetId and so on) are omitted; JSON does not allow comments.
{
  "Type": "AWS::EC2::Instance",
  "Properties": {
    "NetworkInterfaces": [
      {
        "DeviceIndex": "0",
        "AssociatePublicIpAddress": false
      }
    ]
  }
}
YAML
Ensure that every entry in the NetworkInterfaces list of an AWS::EC2::Instance sets AssociatePublicIpAddress to false (NetworkInterfaces is a list, and DeviceIndex is required for each entry):
Properties:
  NetworkInterfaces:
    - DeviceIndex: "0"
      AssociatePublicIpAddress: false
Example
Type: AWS::EC2::Instance
Properties:
  NetworkInterfaces:
    - DeviceIndex: "0"
      AssociatePublicIpAddress: false
  # other required fields here
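The following is an added example, not code from the original page: a small pre-deployment check that walks a CloudFormation JSON template (YAML would need a YAML parser, which is not in the standard library) and grades every AWS::EC2::Instance against this rule. It fails on AssociatePublicIpAddress set to true and on the NetworkInterfaces-as-object mistake, warns where the property is omitted (the subnet default then applies), and accepts both the boolean false and the string "false" that CloudFormation allows. The template below is constructed for the check; its logical IDs are invented.

```python
"""Check CloudFormation JSON templates for EC2 instances that may get a
public IPv4. Added example, not from the original page; the template below
is constructed and its logical resource IDs are invented."""
import json

PASS, WARN, FAIL = "pass", "warn", "fail"

SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "Web":    {"Type": "AWS::EC2::Instance", "Properties": {
              "NetworkInterfaces": [{"DeviceIndex": "0",
                                     "AssociatePublicIpAddress": true}]}},
  "Worker": {"Type": "AWS::EC2::Instance", "Properties": {
              "InstanceType": "t3.micro"}},
  "Broken": {"Type": "AWS::EC2::Instance", "Properties": {
              "NetworkInterfaces": {"AssociatePublicIpAddress": false}}},
  "Db":     {"Type": "AWS::EC2::Instance", "Properties": {
              "NetworkInterfaces": [{"DeviceIndex": "0",
                                     "AssociatePublicIpAddress": "false"}]}},
  "Bucket": {"Type": "AWS::S3::Bucket"}
}}
""")


def _is_false(value):
    # CloudFormation accepts a JSON boolean or the strings "true"/"false".
    return value is False or (isinstance(value, str) and value.lower() == "false")


def check_template(template):
    """Return {logical_id: (status, reason)} for every AWS::EC2::Instance."""
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        nics = res.get("Properties", {}).get("NetworkInterfaces")
        if nics is None:
            # No interface specification: the subnet's MapPublicIpOnLaunch
            # attribute decides, which this template cannot see.
            results[logical_id] = (WARN, "no NetworkInterfaces; subnet auto-assign setting applies")
            continue
        if not isinstance(nics, list):
            # A bare object here is a template error; CloudFormation expects a list.
            results[logical_id] = (FAIL, "NetworkInterfaces must be a list of interface objects")
            continue
        status, reason = PASS, "AssociatePublicIpAddress is false on every interface"
        for i, nic in enumerate(nics):
            value = nic.get("AssociatePublicIpAddress")
            if value is None:
                status, reason = WARN, f"interface {i} omits AssociatePublicIpAddress; subnet default applies"
            elif not _is_false(value):
                status, reason = FAIL, f"interface {i} sets AssociatePublicIpAddress to {value!r}"
                break
        results[logical_id] = (status, reason)
    return results


def failing_resources(template):
    """Logical IDs that violate the rule outright (useful as a CI gate)."""
    return sorted(lid for lid, (status, _) in check_template(template).items()
                  if status == FAIL)


if __name__ == "__main__":
    for logical_id, (status, reason) in check_template(SAMPLE_TEMPLATE).items():
        print(f"{status:4} {logical_id}: {reason}")
```

In a pipeline, load each template with `json.load()` and fail the build when `failing_resources()` is non-empty; treat warnings as failures too if your subnets still have auto-assign enabled, since an omitted property then yields a public IP.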
Terraform
Ensure that the aws_instance associate_public_ip_address argument is set to false. This overrides the subnet's auto-assign setting for that one instance; to turn the default off for the whole subnet, also set map_public_ip_on_launch to false on the aws_subnet resource, so that instances created elsewhere do not inherit a public IP.
Example Configuration
resource "aws_instance" "example" {
associate_public_ip_address = false
# other required fields here
}