DNS Resolution To Private IP Should Be Enabled
More Info:
This rule checks whether DNS resolution to private IP addresses is enabled on a VPC peering connection, for both the accepter and the requester VPC. The rule is NON_COMPLIANT if DNS resolution from the accepter VPC or from the requester VPC to private IP addresses is not enabled. When the option is enabled, queries from the peer VPC for the public DNS hostname of an instance resolve to its private IP address, so traffic between the peered VPCs stays on the peering connection inside the AWS network; when it is disabled, those hostnames resolve to public IP addresses and the traffic leaves through the internet gateway instead of the private peering link.
Risk Level
Medium
Address
Observability
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “DNS Resolution To Private IP Should Be Enabled” for a VPC peering connection using the AWS console, follow these steps:
- Log in to the AWS Management Console: Go to https://aws.amazon.com/ and log in to the AWS account that owns the VPC whose side of the peering connection you need to change. The owner of each VPC can only change the setting for its own VPC.
- Navigate to the VPC Dashboard: In the AWS Management Console, select “Services” in the top menu, search for “VPC” in the search bar, and click on “VPC”. Make sure the console is set to the region of that VPC, since the options for a VPC can only be changed from the region it is in.
- Open the peering connection: Click on “Peering connections” in the left-hand menu, find the peering connection between the two VPCs (its status should be “Active”) and select it.
- Edit DNS settings: In the peering connection details, click on the “Actions” dropdown menu and select “Edit DNS settings”.
- Enable DNS resolution to private IP: Check the DNS resolution option for the side you own (requester VPC and/or accepter VPC). The rule expects both sides to be enabled; if the peer VPC belongs to another account, its owner has to enable the other side from their account.
- Save Changes: Click on “Save changes” to apply the configuration.
- Verify Configuration: In the peering connection details, confirm that DNS resolution to private IP is now enabled for both the requester VPC and the accepter VPC. Also confirm that DNS hostnames and DNS resolution are enabled on the VPCs themselves (VPC settings, “Edit VPC settings”), since private-IP resolution over a peering connection depends on them.
By following these steps, you have successfully remediated the misconfiguration “DNS Resolution To Private IP Should Be Enabled” for your VPC peering connection using the AWS console.
To remediate the misconfiguration “DNS Resolution To Private IP Should Be Enabled” for a VPC peering connection using AWS CLI, you can follow these steps. The setting lives on the peering connection, not on a security group, so no security group change is involved:
- Identify the peering connection and the VPCs, owners and regions on each side:
aws ec2 describe-vpc-peering-connections --region <your-region> --query 'VpcPeeringConnections[*].[VpcPeeringConnectionId,Status.Code,RequesterVpcInfo.OwnerId,RequesterVpcInfo.VpcId,RequesterVpcInfo.Region,AccepterVpcInfo.OwnerId,AccepterVpcInfo.VpcId,AccepterVpcInfo.Region]' --output table
- Check the current DNS resolution options on both sides of the peering connection:
aws ec2 describe-vpc-peering-connections --region <your-region> --vpc-peering-connection-ids <peering-connection-id> --query 'VpcPeeringConnections[0].{Requester:RequesterVpcInfo.PeeringOptions.AllowDnsResolutionFromRemoteVpc,Accepter:AccepterVpcInfo.PeeringOptions.AllowDnsResolutionFromRemoteVpc}'
- Enable DNS resolution to private IP. When both VPCs are in your account and in the same region, set both options in one call:
aws ec2 modify-vpc-peering-connection-options --region <your-region> --vpc-peering-connection-id <peering-connection-id> --requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true --accepter-peering-connection-options AllowDnsResolutionFromRemoteVpc=true
Replace <your-region> and <peering-connection-id> (pcx-...) with the actual values. The requester option allows instances in the accepter VPC to resolve the requester VPC's hostnames to private IP addresses and can only be set by the owner of the requester VPC, from the requester VPC's region; the accepter option is the mirror image for the accepter VPC. For a cross-account or inter-region peering connection, pass only the option for the side you own and have the other VPC's owner (or a run in the other region) enable the remaining side.
- Make sure DNS hostnames and DNS resolution are enabled on the VPCs, since private-IP resolution over peering depends on them:
aws ec2 describe-vpc-attribute --vpc-id <vpc-id> --attribute enableDnsHostnames
aws ec2 describe-vpc-attribute --vpc-id <vpc-id> --attribute enableDnsSupport
aws ec2 modify-vpc-attribute --vpc-id <vpc-id> --enable-dns-hostnames "{\"Value\":true}"
aws ec2 modify-vpc-attribute --vpc-id <vpc-id> --enable-dns-support "{\"Value\":true}"
- Verify the changes by re-running the describe command from the second step; both values should now be true:
aws ec2 describe-vpc-peering-connections --region <your-region> --vpc-peering-connection-ids <peering-connection-id> --query 'VpcPeeringConnections[0].{Requester:RequesterVpcInfo.PeeringOptions.AllowDnsResolutionFromRemoteVpc,Accepter:AccepterVpcInfo.PeeringOptions.AllowDnsResolutionFromRemoteVpc}'
By following these steps, you should be able to remediate the misconfiguration “DNS Resolution To Private IP Should Be Enabled” for your VPC peering connection using AWS CLI.
To remediate the misconfiguration “DNS Resolution To Private IP Should Be Enabled” for a VPC peering connection using Python, you can use the AWS SDK for Python (Boto3) to modify the peering connection's options. Here are the step-by-step instructions to remediate this issue:
- Install Boto3: If you haven't installed Boto3, you can install it using pip:
pip install boto3
- Write a Python script to modify the VPC peering connection: Use the following Python script to enable DNS resolution to private IP on both sides of a specific VPC peering connection. The call is modify_vpc_peering_connection_options, and each option must be set to True (False would disable it):
import boto3

# Initialize the EC2 client in the region of the peering connection
ec2_client = boto3.client('ec2', region_name='YOUR_REGION')

# Specify the VPC peering connection ID (pcx-...) that needs to be modified
vpc_peering_connection_id = 'YOUR_VPC_PEERING_CONNECTION_ID'

# Enable DNS resolution to private IP in both directions. Each side can only be
# modified by the owner of that VPC, from that VPC's region; for a cross-account
# or inter-region peering, drop the option you do not own and have its owner set it.
ec2_client.modify_vpc_peering_connection_options(
    VpcPeeringConnectionId=vpc_peering_connection_id,
    RequesterPeeringConnectionOptions={'AllowDnsResolutionFromRemoteVpc': True},
    AccepterPeeringConnectionOptions={'AllowDnsResolutionFromRemoteVpc': True},
)

# Read the options back to verify the change
pcx = ec2_client.describe_vpc_peering_connections(
    VpcPeeringConnectionIds=[vpc_peering_connection_id]
)['VpcPeeringConnections'][0]
print('Requester side:', pcx['RequesterVpcInfo']['PeeringOptions']['AllowDnsResolutionFromRemoteVpc'])
print('Accepter side:', pcx['AccepterVpcInfo']['PeeringOptions']['AllowDnsResolutionFromRemoteVpc'])
print('VPC peering connection configuration updated successfully.')
- Replace 'YOUR_REGION' and 'YOUR_VPC_PEERING_CONNECTION_ID' with the actual region and VPC peering connection ID that you want to modify.
- Run the Python script: Save the script in a file (e.g., remediate_vpc_peering_connection.py) and run it using Python:
python remediate_vpc_peering_connection.py
This script will modify the specified VPC peering connection so that DNS resolution to private IP is enabled on both sides, and print the resulting options so you can confirm both are True.
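The script above fixes one known peering connection. As an added example, not part of this page or of the audit product it describes, the following Python script applies the rule to every peering connection in an account the way an auditor would: it marks a connection NON_COMPLIANT when either side has DNS resolution to private IP disabled, and builds the remediation call only for the sides this account can actually change (the owner of a VPC sets its own side, from the VPC's own region). The describe output, account numbers and resource IDs embedded in it are constructed placeholders, and the function names (evaluate_peering_connection, build_remediation, audit, remediate_account) are chosen here.

```python
"""Audit VPC peering connections for DNS resolution to private IP and build
the remediation call for the sides this account/region is allowed to change."""

# Constructed stand-in for ec2.describe_vpc_peering_connections()["VpcPeeringConnections"].
# Account numbers and IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = [
    {   # same account, same region, both sides disabled: both sides fixable here
        "VpcPeeringConnectionId": "pcx-0aaaaaaaaaaaaaaa1",
        "Status": {"Code": "active"},
        "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0req0000000000aa1",
                             "Region": "us-east-1",
                             "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
        "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0acc0000000000aa1",
                            "Region": "us-east-1",
                            "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
    },
    {   # cross-account: accepter side is disabled but owned by another account
        "VpcPeeringConnectionId": "pcx-0bbbbbbbbbbbbbbb2",
        "Status": {"Code": "active"},
        "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0req0000000000bb2",
                             "Region": "us-east-1",
                             "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True}},
        "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-0acc0000000000bb2",
                            "Region": "us-east-1",
                            "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
    },
    {   # not yet accepted: no PeeringOptions exist, so the rule does not apply
        "VpcPeeringConnectionId": "pcx-0ccccccccccccccc3",
        "Status": {"Code": "pending-acceptance"},
        "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0req0000000000cc3",
                             "Region": "us-east-1"},
        "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0acc0000000000cc3",
                            "Region": "us-west-2"},
    },
]

# describe-output key for each side, paired with the modify-call parameter that sets it
SIDES = (("RequesterVpcInfo", "RequesterPeeringConnectionOptions"),
         ("AccepterVpcInfo", "AccepterPeeringConnectionOptions"))


def evaluate_peering_connection(pcx, account_id, region):
    """Apply the rule to one describe entry. Returns the compliance state and,
    per side, whether DNS resolution to private IP is enabled and whether the
    caller's account/region is allowed to modify that side."""
    pcx_id = pcx["VpcPeeringConnectionId"]
    if pcx.get("Status", {}).get("Code") != "active":
        return {"id": pcx_id, "state": "NOT_APPLICABLE", "sides": {}}
    sides = {}
    for info_key, option_key in SIDES:
        info = pcx.get(info_key, {})
        enabled = bool(info.get("PeeringOptions", {}).get("AllowDnsResolutionFromRemoteVpc", False))
        sides[option_key] = {
            "vpc": info.get("VpcId"),
            "enabled": enabled,
            "fixable_here": info.get("OwnerId") == account_id and info.get("Region") == region,
        }
    state = "COMPLIANT" if all(s["enabled"] for s in sides.values()) else "NON_COMPLIANT"
    return {"id": pcx_id, "state": state, "sides": sides}


def build_remediation(finding):
    """Return kwargs for ec2.modify_vpc_peering_connection_options that enable only
    the disabled sides this account/region owns, or None if nothing can be changed
    from here (the other side's owner must enable it in their account/region)."""
    kwargs = {"VpcPeeringConnectionId": finding["id"]}
    for option_key, side in finding["sides"].items():
        if not side["enabled"] and side["fixable_here"]:
            kwargs[option_key] = {"AllowDnsResolutionFromRemoteVpc": True}
    return kwargs if len(kwargs) > 1 else None


def audit(connections, account_id, region):
    """Evaluate every connection in a describe result."""
    return [evaluate_peering_connection(c, account_id, region) for c in connections]


def remediate_account(region, dry_run=True):
    """Live path: list the real peering connections with boto3, audit them and
    apply the fixes. boto3 is imported here so the audit logic runs without it."""
    import boto3
    account_id = boto3.client("sts", region_name=region).get_caller_identity()["Account"]
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_vpc_peering_connections").paginate()
    connections = [c for page in pages for c in page["VpcPeeringConnections"]]
    applied = []
    for finding in audit(connections, account_id, region):
        kwargs = build_remediation(finding)
        if kwargs is None:
            continue
        if not dry_run:
            ec2.modify_vpc_peering_connection_options(**kwargs)
        applied.append(kwargs)
    return applied


if __name__ == "__main__":
    for f in audit(SAMPLE_DESCRIBE_OUTPUT, "111111111111", "us-east-1"):
        print(f["id"], f["state"], build_remediation(f))
```

Run as-is the script evaluates the embedded sample; calling remediate_account("us-east-1", dry_run=False) with credentials configured runs the same logic against the account. The second sample connection shows the case the single-connection script above cannot handle: it stays NON_COMPLIANT after remediation from this account because the disabled side belongs to the peer account, whose owner must run the same change on their side.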