AWS-EC2-Public-IP-Address-EC2-Instances

Severity : High

Description: This control checks whether EC2 instances have a public IP address associated with any of their ENIs. An instance with an associated public IP address is reachable from the internet, even if protections such as NACLs or security groups are in place. EC2 instances can hold sensitive information, so access control is required. To minimize the risk of unauthorized access to your instances, do not allow public IP associations unless absolutely necessary.

Remediation Steps:

Perform the following to disable public IP association by default for EC2 instances in the subnet:

  1. Log in to the AWS Console at https://console.aws.amazon.com.

  2. Navigate to the VPC console.

  3. In the navigation pane, choose Subnets.

  4. Select the subnet of the reported instance.

  5. Choose Actions and select Edit subnet settings.

  6. Under Auto-assign IP settings, clear the Enable auto-assign public IPv4 address check box.

  7. Choose Save.

Perform the following to remove the public IP association from the instances:

  1. Log in to the AWS Console at https://console.aws.amazon.com.

  2. Navigate to the EC2 console.

  3. In the navigation pane, choose Instances.

  4. Select the instance reported with the public IP address and stop the instance.

  5. Choose Actions, Networking, Manage IP addresses.

  6. Select the interface; if a public IP address is allocated to the ENI, select Unassign.

  7. Select Save.
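The check described in the Description and the two remediation procedures above, as an added Python example that is not part of this control's own tooling. It evaluates the control offline over constructed sample data shaped like the EC2 DescribeInstances and DescribeSubnets responses (the instance, ENI and subnet IDs and the addresses are placeholders), distinguishes auto-assigned public IPv4 addresses (owner "amazon") from Elastic IPs, and turns findings into the same ordered actions as the console steps. The optional fetch_live helper pulls real data with boto3 and is an assumption about how a practitioner would wire it up, not part of the control.

```python
"""Offline implementation of the control above: flag EC2 instances whose ENIs
carry a public IPv4 address, and subnets that auto-assign one at launch.
Input dicts mirror EC2 DescribeInstances / DescribeSubnets responses, so the
same functions can be fed live boto3 output (see fetch_live, optional)."""

from typing import Dict, List, Tuple

# Constructed sample data shaped like DescribeInstances / DescribeSubnets
# output; IDs and addresses are placeholders, not from any real account.
SAMPLE_RESERVATIONS = [{"Instances": [
    {   # auto-assigned public IPv4 on the primary ENI (IpOwnerId "amazon")
        "InstanceId": "i-0aaa111example", "SubnetId": "subnet-0pub111example",
        "State": {"Name": "running"},
        "NetworkInterfaces": [{
            "NetworkInterfaceId": "eni-0aaa111example",
            "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"},
            "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True,
                "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"}}]}]},
    {   # private addresses only: compliant
        "InstanceId": "i-0bbb222example", "SubnetId": "subnet-0prv222example",
        "State": {"Name": "running"},
        "NetworkInterfaces": [{
            "NetworkInterfaceId": "eni-0bbb222example",
            "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.10", "Primary": True}]}]},
    {   # Elastic IP bound to a secondary private address only
        "InstanceId": "i-0ccc333example", "SubnetId": "subnet-0prv222example",
        "State": {"Name": "stopped"},
        "NetworkInterfaces": [{
            "NetworkInterfaceId": "eni-0ccc333example",
            "PrivateIpAddresses": [
                {"PrivateIpAddress": "10.0.2.20", "Primary": True},
                {"PrivateIpAddress": "10.0.2.21", "Primary": False,
                 "Association": {"PublicIp": "198.51.100.7", "IpOwnerId": "111122223333"}}]}]},
]}]

SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0pub111example", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0prv222example", "MapPublicIpOnLaunch": False},
]


def public_ips_on_enis(instance: Dict) -> List[Tuple[str, str, str]]:
    """Return (eni_id, public_ip, owner) for every public IPv4 on the instance's ENIs.
    Both the interface-level Association and each private address's Association
    are inspected, because an Elastic IP may be bound to a secondary address only."""
    found: List[Tuple[str, str, str]] = []
    for eni in instance.get("NetworkInterfaces", []):
        eni_id = eni.get("NetworkInterfaceId", "unknown-eni")
        seen: Dict[str, str] = {}  # public ip -> owner, deduplicated per ENI
        candidates = [eni.get("Association") or {}]
        candidates += [p.get("Association") or {} for p in eni.get("PrivateIpAddresses", [])]
        for assoc in candidates:
            ip = assoc.get("PublicIp")
            if ip:
                seen.setdefault(ip, assoc.get("IpOwnerId", "unknown"))
        found.extend((eni_id, ip, owner) for ip, owner in sorted(seen.items()))
    return found


def evaluate(reservations: List[Dict]) -> List[Dict]:
    """Run the control over a DescribeInstances 'Reservations' list; one finding per public IP."""
    findings: List[Dict] = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            for eni_id, ip, owner in public_ips_on_enis(inst):
                findings.append({
                    "Severity": "High",
                    "InstanceId": inst["InstanceId"],
                    "SubnetId": inst.get("SubnetId"),
                    "NetworkInterfaceId": eni_id,
                    "PublicIp": ip,
                    # "amazon" marks an auto-assigned address; anything else is an Elastic IP
                    "Kind": "auto-assigned" if owner == "amazon" else "elastic-ip",
                })
    return findings


def auto_assign_subnets(subnets: List[Dict]) -> List[str]:
    """Subnets whose 'Enable auto-assign public IPv4 address' setting is on."""
    return sorted(s["SubnetId"] for s in subnets if s.get("MapPublicIpOnLaunch"))


def remediation_plan(findings: List[Dict], subnets: List[Dict]) -> List[str]:
    """Ordered actions mirroring the remediation steps: first stop new launches in the
    reported instances' subnets from getting public IPs, then fix each instance."""
    plan: List[str] = []
    affected_subnets = {f["SubnetId"] for f in findings}
    for subnet_id in auto_assign_subnets(subnets):
        if subnet_id in affected_subnets:
            plan.append(f"aws ec2 modify-subnet-attribute --subnet-id {subnet_id} "
                        "--no-map-public-ip-on-launch")
    for f in findings:
        plan.append(f"stop {f['InstanceId']}, then unassign {f['Kind']} {f['PublicIp']} "
                    f"from {f['NetworkInterfaceId']} (console: Networking > Manage IP addresses)")
    return plan


def fetch_live(region: str) -> Tuple[List[Dict], List[Dict]]:
    """Optional: pull real data with boto3 (imported lazily so the offline functions
    run without it). Needs ec2:DescribeInstances and ec2:DescribeSubnets."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    reservations = [r for page in ec2.get_paginator("describe_instances").paginate()
                    for r in page["Reservations"]]
    return reservations, ec2.describe_subnets()["Subnets"]


if __name__ == "__main__":
    results = evaluate(SAMPLE_RESERVATIONS)
    for finding in results:
        print(finding)
    for step in remediation_plan(results, SAMPLE_SUBNETS):
        print("-", step)
```

Running the module prints two findings (the auto-assigned address on i-0aaa111example and the Elastic IP on i-0ccc333example) and a three-step plan; the compliant private-only instance produces nothing. To run against an account, replace the sample data with the tuple returned by fetch_live(region).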

Important:

Reference:

Blue Hexagon Proprietary