
Recently I ran a security assessment of my AWS resources using AWS Security Hub. As a result, under the AWS Foundational Security Best Practices v1.0.0 category, there is a failure saying:

EC2 instances should not have a public IPv4 address

If this instance is without a public IP, how can I access it through the internet?

I would like a good explanation of this security best practice that EC2 instances should not have a public IP address.

Thiwanka Wickramage

3 Answers

4

Typically, only a Load Balancer is exposed to the Internet. It then forwards traffic to Amazon EC2 instances spread across multiple Availability Zones.

The Load Balancer can filter traffic and can route traffic to an appropriate destination based upon the requested path in the URL.

This way, nobody can access the EC2 instance directly (e.g. via RDP or SSH).

Administrators should be capable of accessing the VPC via a VPN or Direct Connect connection rather than going via the Internet.

John Rotenstein
  • Maybe this is a silly question, but what if there are different applications (instances) in that subnet? Then how do you point to a specific application using an ALB? – Thiwanka Wickramage Apr 20 '21 at 12:13
  • The Load Balancer is given **Target Groups**. Rules tell the load balancer which target group should receive the traffic. Instances are assigned to Target Groups. Target Groups can also be configured to point to **specific ports** where the applications are running. – John Rotenstein Apr 20 '21 at 12:15
  • Another way to access the server without a public IP might be SSM [[1](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html)] [[2](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html)] [[3](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started.html)]. But first prize is VPN/Direct Connect - I once had a situation where I couldn't SSM into a server because its disk space was full, but SSH'ing into the server over the VPN still worked. – dutoitns Apr 20 '21 at 13:37
  • Yes, using AWS Systems Manager Session Manager is an excellent way to connect to an instance! It can even connect to instances in Private Subnets because it connects via a software agent on the instance, which establishes an _outbound_ connection to AWS Systems Manager. Access can also be controlled by IAM and logged by AWS CloudTrail. – John Rotenstein Apr 20 '21 at 23:09
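The check a defender would run to find out whether an instance is in the situation this answer warns about, as an added example (not code from the question or from any of the answers): it reports each instance's public IP, whether its subnet auto-assigns one, which security-group rules are open to any address, and whether SSH/RDP is therefore actually reachable from the internet, as opposed to ingress that only references the load balancer's own security group in the way the answer describes. The function reads the record shapes that `aws ec2 describe-instances`, `describe-subnets` and `describe-security-groups` return (the same shapes boto3 returns), so real output can be fed in unchanged; every record in the block is constructed for the demonstration and uses documentation address ranges.

```python
"""
Audit EC2 instances for direct internet reachability.

Added example, not code from the question or any answer.  Consumes the record
shapes returned by `aws ec2 describe-instances`, `describe-subnets` and
`describe-security-groups`; the sample records at the bottom are constructed.
"""

WORLD = {"0.0.0.0/0", "::/0"}           # "anywhere" sources in a security-group rule
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # management ports that should not face the internet


def rule_sources(perm):
    """CIDR sources named by one IpPermissions entry (IPv4 and IPv6)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def rule_covers(proto, lo, hi, port):
    """Does a rule for protocol `proto` and port range lo..hi admit TCP `port`?"""
    if proto == "-1":            # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and lo <= port <= hi


def audit_instance(inst, subnets_by_id, sgs_by_id):
    """Summarise one instance's exposure from the internet."""
    subnet = subnets_by_id[inst["SubnetId"]]
    report = {
        "instance": inst["InstanceId"],
        "public_ip": inst.get("PublicIpAddress"),            # None when the instance has none
        "subnet_auto_assigns_public_ip": bool(subnet.get("MapPublicIpOnLaunch")),
        "world_open_rules": [],       # (proto, from, to) admitted from any address
        "sg_referenced_sources": [],  # ingress limited to another SG, e.g. the ALB's
        "admin_ports_exposed": [],    # SSH/RDP actually reachable from the internet
    }
    for ref in inst.get("SecurityGroups", []):
        for perm in sgs_by_id[ref["GroupId"]].get("IpPermissions", []):
            for pair in perm.get("UserIdGroupPairs", []):
                report["sg_referenced_sources"].append(pair["GroupId"])
            if any(src in WORLD for src in rule_sources(perm)):
                report["world_open_rules"].append(
                    (perm["IpProtocol"], perm.get("FromPort", 0), perm.get("ToPort", 65535)))
    # A world-open SSH/RDP rule is only reachable when the instance carries a
    # public address.  Without one the rule is still over-broad and worth
    # tightening, but nothing on the internet can route to the instance.
    if report["public_ip"]:
        for proto, lo, hi in report["world_open_rules"]:
            for port, name in ADMIN_PORTS.items():
                if rule_covers(proto, lo, hi, port) and name not in report["admin_ports_exposed"]:
                    report["admin_ports_exposed"].append(name)
    return report


def audit_all(instances, subnets, security_groups):
    """Run the audit over describe-* style lists; result is keyed by instance id."""
    subnets_by_id = {s["SubnetId"]: s for s in subnets}
    sgs_by_id = {g["GroupId"]: g for g in security_groups}
    return {i["InstanceId"]: audit_instance(i, subnets_by_id, sgs_by_id) for i in instances}


# ---- constructed sample data (not from a real account) -------------------
SUBNETS = [
    {"SubnetId": "subnet-public0001", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-private001", "MapPublicIpOnLaunch": False},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-alb0001", "IpPermissions": [                    # ALB: HTTPS from anywhere
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-webdirect1", "IpPermissions": [                 # instance exposed directly
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-webbehindalb", "IpPermissions": [               # instance only behind the ALB
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": "sg-alb0001"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-public00000001", "SubnetId": "subnet-public0001",
     "PublicIpAddress": "203.0.113.10", "SecurityGroups": [{"GroupId": "sg-webdirect1"}]},
    {"InstanceId": "i-private0000001", "SubnetId": "subnet-private001",
     "SecurityGroups": [{"GroupId": "sg-webbehindalb"}]},
]

if __name__ == "__main__":
    for report in audit_all(INSTANCES, SUBNETS, SECURITY_GROUPS).values():
        print(report)
```

On the sample data the directly exposed instance is reported with SSH reachable from the internet, while the instance behind the load balancer has no public IP, no world-open rules, and only the ALB's security group as an ingress source, which is the layout the answer recommends.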
1

EC2 instances should not have a public IPv4 address

That might be referring to an EC2 instance in a private subnet. For EC2 instances in a public subnet you will need an IP to receive web traffic.

As per the VPC FAQ:

[image of the quoted VPC FAQ entry in the original post; not reproduced]

For security, make sure the security group associated with the public EC2 instance only allows traffic on the required ports. E.g. a web server should only need an inbound rule (ingress) for, say, port 80. You do not need to define an outbound rule (egress) because the response to the inbound rule (ingress) will still be allowed.

Security groups are stateful - if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

As per my preceding comment on one of the other answers - you can get away without allowing inbound traffic for the SSH port by using SSM (excluding the edge case I noted).

The answer doesn't change if you use a load balancer. I tried to provision an ASG (auto scaling group) in a public subnet and in CloudFormation specified that the implementation shouldn't associate public IP addresses with the EC2 instances. The ASG never got success signals from the EC2 instances and the CloudFormation deployment was rolled back.


dutoitns
  • Oh, be careful when you create IP addresses - make sure they're correctly associated with your NAT gateway or you will get charged for having an IP address that you're not using. Some documentation [here](https://aws.amazon.com/premiumsupport/knowledge-center/elastic-ip-charges/) – dutoitns Apr 21 '21 at 14:14
  • No, it's in the public subnet. In my use case, my client has an EC2 instance that needs to be accessed through the internet (HTTP) and sometimes SSH. The security assessment says EC2 instances should not have a public IPv4 address. As an experiment I just removed the public IP, created an ALB and pointed it to that instance. Then the security assessment passed. But I don't like to use an ALB for a single instance – Thiwanka Wickramage Apr 21 '21 at 15:28
  • Interesting!! Can the instance connect to the internet without a public IP? For example, can you execute `yum update -y --security` on it so that it can retrieve security-related patches from the internet? – dutoitns Apr 22 '21 at 15:36
  • The instance can access the internet through a NAT gateway, which doesn't need a public IP. Without a public IP we cannot access the instance through the internet. I think their intention is to implement a complete architecture using VPC, subnets, NAT, IGW and ELB. In my use case I don't need an ALB but have to use one. – Thiwanka Wickramage Apr 22 '21 at 19:49
  • Thanks!! I noticed I ran my test in a subnet without a NAT gateway - so it now makes sense that the ASG didn't receive success signals when I removed the public IP, as I run `yum update -y --security` when the EC2 instance starts - so it would have needed a route to the internet to start successfully. I'll also just add an [egress-only internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html) for IPv6, but that's probably not that important yet. (NAT gateways use IPv4) – dutoitns Apr 23 '21 at 03:39
  • If you don't use an ALB - how would you manage your HTTPS certificates? I have an ACM certificate on my ALB and then I don't worry about HTTPS past the ALB. From what I've read this is an acceptable approach, and people who also add certificates to the actual EC2 instances do it more for bureaucratic reasons (to check a checkbox, but communication within the confines of the VPC past the ALB should be secure) – dutoitns Apr 23 '21 at 03:41
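The two mechanisms this answer and its comment thread turn on, modelled as an added example (not the answer's own code): a security group is stateful, so the reply to an admitted request passes even when the group has no egress rule at all, while a brand-new outbound connection does need one; and an instance with no public IP only reaches the internet (for `yum update`, say) when its subnet's default route points at a NAT gateway, which is why the ASG launched without public IPs in an IGW-only subnet never became healthy. The connection tracking here is a simplified model of what the VPC data plane does, and every rule set, route table and address is constructed (documentation ranges).

```python
"""
Stateful security-group evaluation and subnet internet paths.

Added example, not code from the answer.  Rules, route tables and addresses
are constructed; the connection tracking is a simplified model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (towards the instance) or "out" (from the instance)
    proto: str        # "tcp", "udp", ...
    local_port: int   # port on the instance
    remote_port: int  # port on the peer
    peer: str         # peer IP address, or a security-group id for SG-referenced traffic


def _source_matches(rule_src, peer):
    """A rule's source/destination is either a CIDR or another security group."""
    if rule_src.startswith("sg-") or peer.startswith("sg-"):
        return rule_src == peer
    return ip_address(peer) in ip_network(rule_src)


@dataclass
class SecurityGroup:
    ingress: list                           # (proto, from_port, to_port, source)
    egress: list                            # (proto, from_port, to_port, destination)
    tracked: set = field(default_factory=set)

    def allows(self, pkt):
        """Evaluate one packet.  Once a connection is admitted by a rule it is
        remembered, and packets of that connection in either direction are then
        allowed without consulting the rules again (stateful filtering)."""
        key = (pkt.proto, pkt.local_port, pkt.remote_port, pkt.peer)
        if key in self.tracked:
            return True
        rules = self.ingress if pkt.direction == "in" else self.egress
        port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        for proto, lo, hi, src in rules:
            if proto in ("-1", pkt.proto) and lo <= port <= hi and _source_matches(src, pkt.peer):
                self.tracked.add(key)
                return True
        return False


def internet_path(routes):
    """Classify a subnet by its default route: 'igw', 'nat' or None (no way out)."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if r.get("NatGatewayId", "").startswith("nat-"):
                return "nat"
    return None


def can_reach_repo(has_public_ip, routes, sg, repo_ip="198.51.100.7"):
    """Can a freshly launched instance pull packages over HTTPS?  It needs a
    usable route out of the VPC (an IGW route only works with a public IP, a
    NAT gateway route works without one) and an egress rule for port 443."""
    path = internet_path(routes)
    if path is None or (path == "igw" and not has_public_ip):
        return False
    return sg.allows(Packet("out", "tcp", 49152, 443, repo_ip))


# ---- constructed sample rules and route tables ---------------------------
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
PUBLIC_ROUTES = [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example1"}]
PRIVATE_NAT_ROUTES = [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example1"}]
ISOLATED_ROUTES = [LOCAL]
ALLOW_ALL_EGRESS = [("-1", 0, 65535, "0.0.0.0/0")]   # what AWS gives a new SG by default


def demo_stateful():
    """Web SG with one ingress rule for port 80 and no egress rules at all."""
    sg = SecurityGroup(ingress=[("tcp", 80, 80, "0.0.0.0/0")], egress=[])
    request = Packet("in", "tcp", 80, 51000, "203.0.113.5")
    reply = Packet("out", "tcp", 80, 51000, "203.0.113.5")     # same connection, reversed
    unsolicited = Packet("out", "tcp", 49152, 443, "198.51.100.7")
    return {
        "request_allowed": sg.allows(request),
        "reply_allowed_without_egress_rule": sg.allows(reply),
        "new_outbound_allowed": sg.allows(unsolicited),
    }


if __name__ == "__main__":
    print(demo_stateful())
    for label, routes, pub in [("public subnet, public IP", PUBLIC_ROUTES, True),
                               ("public subnet, no public IP", PUBLIC_ROUTES, False),
                               ("private subnet with NAT", PRIVATE_NAT_ROUTES, False),
                               ("isolated subnet", ISOLATED_ROUTES, False)]:
        print(label, "->", can_reach_repo(pub, routes, SecurityGroup([], ALLOW_ALL_EGRESS)))
```

Run as a script it shows the request and its reply both admitted with an empty egress list, the unsolicited outbound connection refused, and package fetching succeeding only for the public-subnet instance that has a public IP or the private-subnet instance whose default route is a NAT gateway.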
0

I think you are facing this security issue because of the subnet configuration. Check if the subnet configuration has "Auto-assign public IP" enabled.

An instance placed in this subnet will by default receive a public IP. This is what AWS mentions as a security issue.

You should manually enable a public IP each time a new EC2 instance is put into the subnet, even if it's a public subnet.

Check this link

Ruban Raj