EC2 Instance Should Not Be In Public Subnet
More Info: No backend EC2 instances should be running in public subnets.
Risk Level: High
Address: Security
Compliance Standards: HIPAA, SOC2, HITRUST, AWSWAF, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the EC2 instance in a public subnet in AWS, follow these steps:
- Open the AWS Management Console and navigate to the VPC dashboard.
- Select the VPC containing the public subnet that the EC2 instance is in.
- Select the Subnets tab and then select the public subnet that the EC2 instance is in.
- Select the Route Table tab and then select the route table associated with the public subnet.
- Remove the route that allows traffic to the internet gateway. This will prevent any traffic from the internet from reaching the EC2 instance.
- Create a new route table and associate it with the public subnet.
- Add a route to the new route table that allows traffic to reach the internet gateway. This will allow any traffic from the EC2 instance to reach the internet.
- Launch a new EC2 instance in a private subnet and associate it with the new route table. This will ensure that the EC2 instance is not accessible from the internet.
- Terminate the old EC2 instance in the public subnet.
By following these steps, you can remediate the misconfiguration of having an EC2 instance in a public subnet in AWS.
To remediate the misconfiguration of having an EC2 instance in a public subnet in AWS using the AWS CLI, follow these steps:
- Identify the public subnet in which the EC2 instance is running. You can do this by checking the subnet's route table and confirming that it has a route to an Internet Gateway.
- Create a new private subnet in the same VPC as the public subnet. This new subnet should have a non-overlapping CIDR block and should not have a route to an Internet Gateway.
- Stop the EC2 instance that is running in the public subnet.
- Move the instance into the new private subnet. A network interface cannot be moved between subnets (modify-network-interface-attribute has no --subnet-id option), so capture an image of the stopped instance and launch a replacement from it in the private subnet:
aws ec2 create-image --instance-id <instance-id> --name <image-name>
aws ec2 run-instances --image-id <ami-id> --instance-type <instance-type> --subnet-id <new-private-subnet-id>
Replace <instance-id> with the ID of the stopped EC2 instance, <ami-id> with the ImageId returned by create-image, <instance-type> with the original instance type, and <new-private-subnet-id> with the ID of the new private subnet you created.
- Start the EC2 instance (a replacement launched with run-instances is already running).
- Verify that the EC2 instance now has a private IP address in the new private subnet and does not have a public IP address. You can do this by checking the instance's network interface settings.
To remediate the misconfiguration of an EC2 instance in a public subnet in AWS using Python, you can follow the steps below:
- First, you need to identify the EC2 instances that are in the public subnet. You can do this by using the describe_instances method of the boto3 library in Python.

import boto3

ec2 = boto3.client('ec2')
# Filter on the public subnet's ID so only the instances in that subnet are returned
response = ec2.describe_instances(
    Filters=[
        {
            'Name': 'subnet-id',
            'Values': [
                'subnet-0123456789abcdef0',
            ]
        },
    ]
)
for reservation in response['Reservations']:
    for instance in reservation['Instances']:
        print(instance['InstanceId'])

Replace the subnet-id with the ID of the public subnet.
- Once you have identified the instances, you need to move them to a private subnet. A network interface cannot be moved between subnets, so modify_network_interface_attribute cannot do this; instead, stop the instance, capture an image of it with the create_image method of the boto3 library, and launch a replacement from that image in the private subnet with run_instances.

import boto3

ec2 = boto3.client('ec2')

# Capture an image of the (stopped) instance that sits in the public subnet
image = ec2.create_image(
    InstanceId='i-0123456789abcdef0',
    Name='public-subnet-instance-image',
)
# Wait until the AMI is usable before launching from it
ec2.get_waiter('image_available').wait(ImageIds=[image['ImageId']])

# Launch the replacement in the private subnet, keeping the same security group
response = ec2.run_instances(
    ImageId=image['ImageId'],
    InstanceType='t3.micro',
    SubnetId='subnet-0fedcba9876543210',
    SecurityGroupIds=['sg-0123456789abcdef0'],
    MinCount=1,
    MaxCount=1,
)
print(response['Instances'][0]['InstanceId'])

Replace i-0123456789abcdef0 with the ID of the instance in the public subnet, subnet-0fedcba9876543210 with the ID of the private subnet, t3.micro with the original instance type, and sg-0123456789abcdef0 with the ID of the security group that you want to attach to the new instance.
- After moving the instance, you need to verify that it is now in the private subnet. You can do this by checking the SubnetId attribute of the instance using the describe_instances method.

import boto3

ec2 = boto3.client('ec2')
response = ec2.describe_instances(
    InstanceIds=[
        'i-0123456789abcdef0',
    ],
)
for reservation in response['Reservations']:
    for instance in reservation['Instances']:
        # Confirm the instance reports the private subnet's ID
        print(instance['SubnetId'])

Replace the i-0123456789abcdef0 with the ID of the instance that you want to check.
By following these steps, you can remediate the misconfiguration of an EC2 instance in a public subnet in AWS using Python.
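The CLI procedure's first step and the Python identification step above both start from a subnet ID you already know to be public. The following added example (not code from the original page or from the audit tool it documents) derives that set itself: it decides which subnets are public by looking for an active default route to an internet gateway in each subnet's effective route table, falling back to the VPC's main table for subnets with no explicit association, and then flags the instances that live in those subnets along with whether they currently hold a public IP. It operates on the dict shapes returned by boto3's describe_route_tables, describe_subnets and describe_instances, so it runs here on constructed sample data (the vpc-1, subnet-*, rtb-*, igw-abc and i-* identifiers are made up) and can be fed live responses unchanged.

```python
"""Find EC2 instances sitting in public subnets from raw boto3 response dicts.
Added example; not part of the original page. All IDs below are constructed."""


def public_subnet_ids(route_tables, subnets):
    """Return the set of subnet IDs whose effective route table has an active
    default route (0.0.0.0/0 or ::/0) whose target is an internet gateway.
    Subnets without an explicit association use the VPC's main route table."""

    def routes_to_igw(table):
        for route in table.get("Routes", []):
            # Blackhole routes do not forward traffic, so they do not make a subnet public
            if route.get("State", "active") != "active":
                continue
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            # NAT gateway routes carry NatGatewayId, not GatewayId, so they are skipped here
            if dest in ("0.0.0.0/0", "::/0") and route.get("GatewayId", "").startswith("igw-"):
                return True
        return False

    explicit = {}      # subnet ID -> route table explicitly associated with it
    main_by_vpc = {}   # VPC ID -> that VPC's main route table
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_by_vpc[table["VpcId"]] = table
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = table

    public = set()
    for subnet in subnets:
        table = explicit.get(subnet["SubnetId"]) or main_by_vpc.get(subnet["VpcId"])
        if table is not None and routes_to_igw(table):
            public.add(subnet["SubnetId"])
    return public


def instances_in_public_subnets(describe_instances_response, public):
    """Return (instance_id, subnet_id, has_public_ip) for every instance in a public subnet."""
    findings = []
    for reservation in describe_instances_response["Reservations"]:
        for inst in reservation["Instances"]:
            subnet = inst.get("SubnetId")
            if subnet in public:
                findings.append((inst["InstanceId"], subnet, "PublicIpAddress" in inst))
    return findings


# Constructed sample data in the shape of the boto3 responses (not real resources).
SAMPLE_ROUTE_TABLES = [
    {   # main table: only the local route, so subnets left on it are private
        "RouteTableId": "rtb-main", "VpcId": "vpc-1",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # explicitly associated table with a default route to an internet gateway
        "RouteTableId": "rtb-public", "VpcId": "vpc-1",
        "Associations": [{"Main": False, "SubnetId": "subnet-public", "RouteTableId": "rtb-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-abc", "State": "active"},
        ],
    },
    {   # private table: default route through a NAT gateway, which is not an IGW
        "RouteTableId": "rtb-nat", "VpcId": "vpc-1",
        "Associations": [{"Main": False, "SubnetId": "subnet-nat", "RouteTableId": "rtb-nat"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-123", "State": "active"},
        ],
    },
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-public", "VpcId": "vpc-1"},
    {"SubnetId": "subnet-nat", "VpcId": "vpc-1"},
    {"SubnetId": "subnet-implicit", "VpcId": "vpc-1"},  # no explicit association -> main table
]
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-web", "SubnetId": "subnet-public", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-app", "SubnetId": "subnet-nat"},
    {"InstanceId": "i-db", "SubnetId": "subnet-implicit"},
]}]}


def audit(route_tables=SAMPLE_ROUTE_TABLES, subnets=SAMPLE_SUBNETS, instances=SAMPLE_INSTANCES):
    """Run the two steps together; with live data, pass the boto3 responses in."""
    return instances_in_public_subnets(instances, public_subnet_ids(route_tables, subnets))


if __name__ == "__main__":
    for instance_id, subnet_id, has_public_ip in audit():
        print(f"{instance_id} is in public subnet {subnet_id} (public IP attached: {has_public_ip})")
```

On the sample data only subnet-public is classified as public, so the NAT-backed subnet and the subnet that inherits the main route table are correctly left out and only i-web is reported. When running against a live account, page through describe_instances (boto3 returns NextToken for large fleets) and treat an instance that has a public IP but sits in a subnet whose IGW route is in the blackhole state as still worth reviewing, since restoring that route would expose it again.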