Ensure public IP addresses are not used by AWS EC2 instances

HIGH

Description

Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the EC2 console.
  2. In the navigation pane, under Networking & Security, select Elastic IPs.
  3. Choose the IP address to disassociate, then select Actions and Disassociate Elastic IP address.

In Terraform -

  1. In the aws_instance resource, set the associate_public_ip_address attribute to false.
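As an added illustration (not part of this policy page or its tooling), the following Python check evaluates the same condition against the JSON produced by `terraform show -json <planfile>`, which is one way to enforce the rule in CI before apply. Constructed sample data is embedded; the `REVIEW` status covers the case where the attribute is left unset and the subnet's `map_public_ip_on_launch` default decides.

```python
import json

RULE_ID = "AC_AWS_0392"  # rule reference from the policy page

def check_public_ip(plan_json: str) -> list:
    """Evaluate every aws_instance in a `terraform show -json` plan.

    Returns (address, status) pairs: FAIL when a public IP would be
    associated, PASS when it is explicitly disabled, REVIEW when the
    attribute is unset and the subnet default decides.
    """
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_instance":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # resource is going away; nothing to evaluate
        after = change.get("after") or {}
        value = after.get("associate_public_ip_address")
        if value is True:
            status = "FAIL"
        elif value is False:
            status = "PASS"
        else:
            # Unset or not yet known: AWS then applies the subnet's
            # map_public_ip_on_launch setting, so flag for manual review.
            status = "REVIEW"
        findings.append((rc["address"], status))
    return findings

# Constructed sample plan (not real terraform output) with three instances.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.bastion", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"associate_public_ip_address": True}}},
        {"address": "aws_instance.app", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"associate_public_ip_address": False}}},
        {"address": "aws_instance.worker", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"associate_public_ip_address": None}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {}}},
    ],
})

if __name__ == "__main__":
    for address, status in check_public_ip(SAMPLE_PLAN):
        print(f"{RULE_ID} {status:6} {address}")
```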

References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating-different
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address

Policy Details

Rule Reference ID: AC_AWS_0392
CSP: AWS
Remediation Available: Yes
Resource: aws_instance
Resource Category: Compute

Frameworks