Ensure AWS EC2 instances with public IP and associated with security groups do not have Internet access

Error: AWS EC2 instances with public IP and associated with security groups have Internet access

Bridgecrew Policy ID: BC_AWS_PUBLIC_12
Checkov Check ID: CKV_AWS_88
Severity: HIGH

AWS EC2 instances with public IP and associated with security groups have Internet access

Description

A public IP address is an IPv4 address that is reachable from the Internet. You can use public addresses for communication between your instances and the Internet. Each instance that receives a public IP address is also given an external DNS hostname.

We recommend you control whether your instance receives a public IP address as required.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon VPC console.
  3. In the navigation pane, select Subnets.
  4. Select a subnet, then select Subnet Actions > Modify auto-assign IP settings.
  5. Select Auto-assign public IPv4 address. When this setting is enabled, every instance launched into the selected subnet requests a public IPv4 address. Select or clear the setting as required.
  6. Click Save.

Fix - Buildtime

Terraform

  • Resource: aws_instance
  • Argument: associate_public_ip_address - (Optional) Associate a public IP address with an instance in a VPC. Boolean value.
resource "aws_instance" "bar" {
  ...
- associate_public_ip_address = true
}

CloudFormation

  • Resource: AWS::EC2::Instance / AWS::EC2::LaunchTemplate
  • Argument: NetworkInterfaces.AssociatePublicIpAddress - (Optional) Associate a public IP address with an instance in a VPC. Boolean value.
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ...
      NetworkInterfaces:
        - ...
-         AssociatePublicIpAddress: true

  EC2LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ...
        NetworkInterfaces: 
          - ...
-           AssociatePublicIpAddress: true
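A buildtime check for the CloudFormation case above, as an added example (not Checkov's own implementation of CKV_AWS_88): it walks a template in JSON form and reports AWS::EC2::Instance and AWS::EC2::LaunchTemplate resources whose network interfaces request a public IPv4 address. The sample template, its logical IDs, and the treatment of a missing property as passing are assumptions made for this example.

```python
import json

# Resource type -> key path from Properties down to the NetworkInterfaces list
CHECKED_TYPES = {
    "AWS::EC2::Instance": ("NetworkInterfaces",),
    "AWS::EC2::LaunchTemplate": ("LaunchTemplateData", "NetworkInterfaces"),
}


def _is_true(value):
    """CloudFormation accepts booleans and the strings "true"/"True"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def find_public_ip_resources(template):
    """Return logical IDs whose network interfaces set AssociatePublicIpAddress to true.

    A missing property passes here (an assumption matching the page's fix of
    deleting the line); the subnet's auto-assign setting then decides, so that
    setting needs reviewing as well.
    """
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        path = CHECKED_TYPES.get(resource.get("Type"))
        if path is None:
            continue
        node = resource.get("Properties", {})
        for key in path:
            node = node.get(key, {}) if isinstance(node, dict) else {}
        interfaces = node if isinstance(node, list) else []
        if any(isinstance(i, dict) and _is_true(i.get("AssociatePublicIpAddress"))
               for i in interfaces):
            failing.append(logical_id)
    return failing


# Constructed sample template (JSON form); a real one would come from json.load()
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {
      "NetworkInterfaces": [{"DeviceIndex": "0", "AssociatePublicIpAddress": true}]}},
    "Worker": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
      "LaunchTemplateData": {"NetworkInterfaces": [{"AssociatePublicIpAddress": false}]}}},
    "Bastion": {"Type": "AWS::EC2::Instance", "Properties": {
      "NetworkInterfaces": [{"DeviceIndex": "0", "AssociatePublicIpAddress": "true"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}""")

if __name__ == "__main__":
    for rid in find_public_ip_resources(SAMPLE_TEMPLATE):
        print(f"CKV_AWS_88 FAILED: {rid} requests a public IPv4 address")
```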
