EC2 instances Should Not Be Publicly Accessible
More Info:
Unknown EC2 instances should not be publicly accessible. It is good practice to maintain a list of known, publicly accessible instances and flag all other instances that meet this criteria.Risk Level
MediumAddress
SecurityCompliance Standards
HIPAA, NIST, SOC2Triage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of EC2 instances being publicly accessible in AWS Security Groups, follow these steps using the AWS Management Console:
- Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in to your account.
- Navigate to EC2 Dashboard: Go to the EC2 Dashboard by clicking on the “Services” dropdown menu at the top left corner, selecting “EC2” under the Compute section.
- Identify the EC2 Instance: Identify the EC2 instance(s) that are publicly accessible. You can do this by checking the “Instance State” and “Instance Type” columns in the EC2 Dashboard.
- Identify Security Group: Click on the EC2 instance that you want to remediate and scroll down to the “Description” tab. Under the Security group section, you will see the security group associated with the EC2 instance.
- Edit Security Group Rules: Click on the security group associated with the EC2 instance. This will take you to the “Inbound” tab of the security group.
- Remove Public Access: Identify the rule that allows public access (e.g., SSH port 22 or HTTP port 80) and click on the “Edit” button.
- Modify Rule: In the Edit inbound rules window, select the rule that allows public access and click on the “Delete” button to remove it.
- Save Changes: Click on the “Save rules” button to apply the changes to the security group.
- Verify Changes: Go back to the EC2 Dashboard, select the EC2 instance, and verify that it is no longer publicly accessible by checking the public IP address field.
- Repeat for Other Instances: Repeat the above steps for any other EC2 instances that are publicly accessible.
Using CLI
Using CLI
To remediate the issue of EC2 instances being publicly accessible in AWS using the AWS CLI, follow these steps:
- Identify the security group associated with the EC2 instance that is publicly accessible. You can do this by describing the instance and noting the security group ID.
- Describe the inbound rules of the identified security group to check if there are any rules allowing public access.
- Remove the inbound rule that allows public access (usually with
0.0.0.0/0as the source) using the revoke-security-group-ingress command.
<security-group-id> with the actual security group ID, <port-number> with the specific port number (e.g., 22 for SSH, 80 for HTTP, 443 for HTTPS), and 0.0.0.0/0 with the appropriate source IP range if needed.- Verify that the inbound rule has been successfully removed by describing the security group again.
Using Python
Using Python
To remediate the misconfiguration of EC2 instances being publicly accessible in AWS using Python, you can create a script that will update the security group rules to restrict access only to specific IP addresses or ranges. Here are the steps to remediate this issue:
-
Install the Boto3 library:
- Make sure you have the Boto3 library installed in your Python environment. You can install it using pip:
- Make sure you have the Boto3 library installed in your Python environment. You can install it using pip:
-
Write a Python script to update the security group rules:
-
Use the following Python script as a template to update the security group rules for your EC2 instances:
-
Use the following Python script as a template to update the security group rules for your EC2 instances:
- Replace ‘your_security_group_id’ with the actual security group ID of your EC2 instance.
-
Define the IP ranges that should have access to the EC2 instance in the
ip_rangesvariable. -
Run the Python script:
- Save the Python script in a file, for example,
update_security_group.py, and run it using the Python interpreter:
- Save the Python script in a file, for example,
-
Verify the changes:
- After running the script, verify that the security group rules have been updated to restrict access to the specified IP ranges only.