EC2 Instance Should Not Be In Public Subnet
More Info:
No backend EC2 instances should be running in public subnets.Risk Level
HighAddress
SecurityCompliance Standards
HIPAA, SOC2, HITRUST, AWSWAF, NISTCSF, PCIDSS, FedRAMPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the EC2 instance in a public subnet in AWS, follow these steps:
- Open the AWS Management Console and navigate to the VPC dashboard.
- Select the VPC containing the public subnet that the EC2 instance is in.
- Select the Subnets tab and then select the public subnet that the EC2 instance is in.
- Select the Route Table tab and then select the route table associated with the public subnet.
- Remove the route that allows traffic to the internet gateway. This will prevent any traffic from the internet from reaching the EC2 instance.
- Create a new route table and associate it with the public subnet.
- Add a route to the new route table that allows traffic to reach the internet gateway. This will allow any traffic from the EC2 instance to reach the internet.
- Launch a new EC2 instance in a private subnet and associate it with the new route table. This will ensure that the EC2 instance is not accessible from the internet.
- Terminate the old EC2 instance in the public subnet.
Using CLI
Using CLI
To remediate the misconfiguration of having an EC2 instance in a public subnet in AWS using AWS CLI, follow these steps:Replace
- Identify the public subnet in which the EC2 instance is running. You can do this by checking the subnet’s route table and confirming that it has a route to an Internet Gateway.
- Create a new private subnet in the same VPC as the public subnet. This new subnet should have a non-overlapping CIDR block and should not have a route to an Internet Gateway.
- Stop the EC2 instance that is running in the public subnet.
- Modify the instance’s network interface to move it from the public subnet to the new private subnet. You can do this using the following command:
<network-interface-id> with the ID of the network interface attached to the EC2 instance, and <new-private-subnet-id> with the ID of the new private subnet you created.- Start the EC2 instance.
- Verify that the EC2 instance now has a private IP address in the new private subnet and does not have a public IP address. You can do this by checking the instance’s network interface settings.
Using Python
Using Python
To remediate the misconfiguration of an EC2 instance in a public subnet in AWS using Python, you can follow the below steps:Replace the Replace the Replace the
- First, you need to identify the EC2 instances that are in the public subnet. You can do this by using the
describe_instancesmethod of theboto3library in Python.
subnet-id with the ID of the public subnet.- Once you have identified the instances, you need to move them to a private subnet. To do this, you can modify the network interface of the instance and attach it to a private subnet. You can use the
modify_network_interface_attributemethod of theboto3library to do this.
NetworkInterfaceId with the ID of the network interface of the instance that you want to modify. Also, replace the sg-0123456789abcdef0 with the ID of the security group that you want to attach to the network interface.- After modifying the network interface, you need to verify that the instance is now in the private subnet. You can do this by checking the
SubnetIdattribute of the instance using thedescribe_instancesmethod.
i-0123456789abcdef0 with the ID of the instance that you want to check.By following these steps, you can remediate the misconfiguration of an EC2 instance in a public subnet in AWS using Python.