EC2 subnet instance should not expose public IP
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | HIGH | AWS | NETWORK |
Description
In general, it is good practice to limit the number of public interfaces in the VPC. Doing so reduces the attack surface and the risk of data leaks or compromise.
In particular, instances in a subnet should not expose a public IP.
AWS best practices dictate that applications in a subnet do not expose a public IP directly, and instead route all external traffic through a Network Address Translation (NAT) Gateway to properly configure Access Control Lists (ACLs) at the NAT level. This facilitates network monitoring and enhances Distributed Denial of Service (DDoS) resiliency.
Concentrating your public interfaces in this manner reduces the attack surface of the VPC.
Additional services can be deployed between your subnet application and the internet, such as Elastic Load Balancing or Amazon API Gateway and contribute to reducing the attack surface.
Note that having no public IP is now the default for the aws_subnet resource.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | True | False | False |
Having a public IP on a subnet instance risks exposing data, and leaves it open to Distributed Denial of Service (DDoS) attacks.
Potentially, the whole subnet may be subsequently affected.
Remediation guidelines
Depending on the VPC configuration, several options are available:
- Disable public IP mapping;
- If this subnet must be exposed, consider routing through a shared gateway (such as the NAT Gateway described above) as the single public interface;
- Review the ACLs associated with the exposed resources.
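The following Python check, added here as an illustration and not part of this rule's own implementation, walks the JSON that `terraform show -json` emits for a plan and reports the two Terraform attributes that map a public IP onto subnet instances: `map_public_ip_on_launch` on `aws_subnet` and `associate_public_ip_address` on `aws_instance`. The sample plan embedded below is constructed for the example.

```python
"""Flag Terraform resources that would give EC2 instances a public IP.

Added example (not the rule's own implementation). It walks the JSON
produced by `terraform show -json tfplan` and reports an aws_subnet with
map_public_ip_on_launch = true and an aws_instance with
associate_public_ip_address = true. The plan below is constructed.
"""
import json

# Constructed sample in the `terraform show -json` planned_values shape.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_subnet.public", "type": "aws_subnet",
             "values": {"cidr_block": "10.0.1.0/24", "map_public_ip_on_launch": True}},
            {"address": "aws_subnet.private", "type": "aws_subnet",
             "values": {"cidr_block": "10.0.2.0/24", "map_public_ip_on_launch": False}},
            {"address": "aws_instance.web", "type": "aws_instance",
             "values": {"associate_public_ip_address": True}},
        ],
        "child_modules": [{"address": "module.app", "resources": [
            {"address": "module.app.aws_instance.api", "type": "aws_instance",
             "values": {"associate_public_ip_address": None}},
        ]}],
    }},
})


def _walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def find_public_ip_exposure(plan_json):
    """Return (address, attribute) pairs whose setting maps a public IP."""
    plan = json.loads(plan_json)
    findings = []
    for res in _walk(plan["planned_values"]["root_module"]):
        values = res.get("values") or {}
        if res["type"] == "aws_subnet" and values.get("map_public_ip_on_launch"):
            findings.append((res["address"], "map_public_ip_on_launch"))
        # None/absent means unset: the instance then follows its subnet's
        # mapping, which the aws_subnet check above already covers.
        if res["type"] == "aws_instance" and values.get("associate_public_ip_address"):
            findings.append((res["address"], "associate_public_ip_address"))
    return findings


if __name__ == "__main__":
    for address, attr in find_public_ip_exposure(SAMPLE_PLAN):
        print(f"{address}: {attr} = true")
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to `find_public_ip_exposure`; an empty result means no resource in the plan explicitly maps a public IP.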