
App-Tier EC2 Instances Without Elastic or Public IP Addresses

Security

Risk level: Medium (should be achieved)

Ensure that your app-tier EC2 instances are not associated with Elastic or Public IP addresses as these instances don't have to be publicly reachable. This conformity rule assumes that all AWS resources created within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

When your app-tier EC2 instances are not associated with Elastic or Public IP addresses, no inbound traffic can reach the instances from the Internet. Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if your app-tier EC2 instances are associated with Public or Elastic IPs, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier EC2 Instances Without Elastic or Public IP Addresses conformity rule settings and copy the tag set defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under INSTANCES, click Instances.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering technique will return only the instances tagged for the app tier. If no results are returned, there are no EC2 instances tagged within your app tier and the audit process ends here. If the AWS console lists one or more instances, continue the audit with the next step.

06 Select the app-tier EC2 instance that you want to examine.

07 Select the Description tab from the dashboard bottom panel.

08 In the right column, check the IPv4 Public IP attribute value. If the IPv4 Public IP attribute has an IP address set as value, the selected app-tier EC2 instance has an Elastic and/or Public IP assigned.

09 Repeat steps no. 6 – 8 to check other app-tier EC2 instances, launched in the selected region, for associated Elastic and/or Public IP addresses.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access App-Tier EC2 Instances Without Elastic or Public IP Addresses conformity rule settings and copy the tag set defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 instances available in the selected region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0aabbccdd12345678  |
|  i-012345678abcdabcd  |
|  i-0abcabcabc1234567  |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the EC2 instance that you want to examine as identifier and custom query filters to describe the tags defined for the selected EC2 resource:

aws ec2 describe-tags \
	--region us-east-1 \
	--filters "Name=resource-id,Values=i-0aabbccdd12345678" \
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified instance is not tagged, therefore the audit process for the selected resource ends here:
    []
    
  2. If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified EC2 instance does not belong to your app tier, therefore the audit process for the selected resource stops here:
    [
        {
            "Value": "Management",
            "Key": "Third-Party"
        }
    ]
    
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified AWS EC2 instance is tagged as an app-tier resource, therefore the audit process continues with the next step:
    [
        {
            "Key": "<app_tier_tag>",
            "Value": "<app_tier_tag_value>"
        }
    ]
    

06 Run describe-instances command (OSX/Linux/UNIX) using the ID of the app-tier instance that you want to examine as identifier and custom filters to determine whether the selected app-tier EC2 instance is associated with an Elastic/Public IP address:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-0aabbccdd12345678 \
	--query "Reservations[*].Instances[*].NetworkInterfaces[*].Association.IpOwnerId[] | []"

07 The command output should return an empty array if the instance has no Elastic/Public IP address assigned, "amazon" if the instance has an auto-assigned Public IP, or the AWS account ID of the owner if the selected instance is associated with an Elastic IP address:

[
    "amazon"
]

If the command output returns an AWS account ID (e.g. "123456789012") or "amazon" (as shown in the example above), the selected app-tier EC2 instance has an Elastic or a Public IP address assigned.

08 Repeat step no. 6 and 7 to verify other app-tier EC2 instances, provisioned in the selected region, for associated Elastic and/or Public IP addresses.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.
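The CLI audit above (tag check at step 4, IpOwnerId check at step 6) automated over a single describe-instances dump, as an added example that is not Cloud Conformity's own code. It assumes the input is the "Reservations" list from `aws ec2 describe-instances --output json`; the sample below is constructed and reuses the page's instance IDs and tag placeholders.

```python
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-instances --output json`
# (the "Reservations" list). In practice feed it the real output, optionally
# pre-filtered with --filters "Name=tag:<app_tier_tag>,Values=<app_tier_tag_value>".
SAMPLE_RESERVATIONS = [
    {"OwnerId": "123456789012", "Instances": [
        {"InstanceId": "i-0aabbccdd12345678",   # app tier, auto-assigned Public IP
         "Tags": [{"Key": "<app_tier_tag>", "Value": "<app_tier_tag_value>"}],
         "NetworkInterfaces": [{"Association": {"IpOwnerId": "amazon"}}]},
        {"InstanceId": "i-012345678abcdabcd",   # app tier, Elastic IP (owner = account)
         "Tags": [{"Key": "<app_tier_tag>", "Value": "<app_tier_tag_value>"}],
         "NetworkInterfaces": [{"Association": {"IpOwnerId": "123456789012"}}]},
        {"InstanceId": "i-0abcabcabc1234567",   # public, but not an app-tier resource
         "Tags": [{"Key": "Third-Party", "Value": "Management"}],
         "NetworkInterfaces": [{"Association": {"IpOwnerId": "amazon"}}]},
        {"InstanceId": "i-0fedcba9876543210",   # constructed: app tier, private only
         "Tags": [{"Key": "<app_tier_tag>", "Value": "<app_tier_tag_value>"}],
         "NetworkInterfaces": [{"PrivateIpAddress": "10.0.1.10"}]},
    ]},
]

def has_app_tier_tag(instance: Dict, tag_key: str, tag_value: str) -> bool:
    """True when the instance carries the <app_tier_tag>:<app_tier_tag_value> pair."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in instance.get("Tags", []))

def public_ip_kind(instance: Dict) -> str:
    """The page's IpOwnerId test applied to every network interface:
    owner "amazon" = auto-assigned Public IP, an account ID = Elastic IP,
    no Association on any interface = nothing reachable from the Internet."""
    kinds = set()
    for eni in instance.get("NetworkInterfaces", []):
        owner = (eni.get("Association") or {}).get("IpOwnerId")
        if owner is not None:
            kinds.add("public-ip" if owner == "amazon" else "elastic-ip")
    # An EIP survives stop/start, so it is the more persistent exposure: report it first.
    return "elastic-ip" if "elastic-ip" in kinds else ("public-ip" if kinds else "none")

def audit_app_tier(reservations: List[Dict], tag_key: str, tag_value: str) -> Dict[str, str]:
    """Map each publicly addressable app-tier instance ID to the kind of address found."""
    findings = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            if has_app_tier_tag(inst, tag_key, tag_value):
                kind = public_ip_kind(inst)
                if kind != "none":
                    findings[inst["InstanceId"]] = kind
    return findings
```

Run `audit_app_tier` once per region against that region's dump; an empty result means every tagged app-tier instance is private-only.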

Remediation / Resolution

Case A: To remove a Public IP address from an app-tier EC2 instance, you must re-launch the instance with the appropriate network configuration. To re-launch your app-tier instance, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier EC2 Instances Without Elastic or Public IP Addresses conformity rule settings and copy the tag set defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under INSTANCES, click Instances.

05 Select the app-tier instance that requires Public IP removal (see Audit section part I to identify the right EC2 resource).

06 Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.

07 Inside Create Image dialog box, provide the following details:

  1. In the Image Name box, enter a name for the new AMI.
  2. In the Image description box, provide a description that reflects the usage of the EC2 instance selected.
  3. Leave No reboot option unchecked so that AWS can guarantee the file system integrity for the new AMI.
  4. Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The AMI build process may take a few minutes. Once the process is complete, the image status should change from pending to available.

08 Once the AMI is ready, use it to re-launch the selected app-tier instance without a Public IP address. To launch the instance, perform the following:

  1. Click the Launch Instance button from the EC2 dashboard top menu to initiate the process.
  2. On Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the AMI created at step no. 7.
  3. On Choose an Instance Type page, select the same instance type used by the source instance, then click Next: Configure Instance Details button.
  4. On Configure Instance Details page, select Disable from the Auto-assign Public IP dropdown list and configure any other options available on the page based on your application needs. Click Next: Add Storage without changing any configuration settings then click Next: Add Tags to set up the app-tier tags.
  5. On Add Tags page, create the necessary tag set, copied at step no. 1, then click Next: Configure Security Groups button.
  6. On Configure Security Groups, choose Select an existing security group and select the security group attached to the source app-tier EC2 instance. Click the Review and Launch button, review your app-tier instance configuration details and click Launch.
  7. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source instance. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.
  8. Click View Instances to return to the Instances page.

09 Once the new instance is verified, replace the source EC2 instance with the new instance within your app-tier load balancer configuration.

10 Terminate the source EC2 instance in order to stop incurring charges for the resource. To shut down the instance, perform the following actions:

  1. In the navigation panel, under INSTANCES, select Instances.
  2. Select the app-tier EC2 instance that you want to terminate.
  3. Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
  4. In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

11 Repeat steps no. 5 – 10 to remove Public IP addresses from other app-tier EC2 instances provisioned in the selected region.

12 Change the AWS region from the navigation bar and repeat steps no. 5 – 11 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access App-Tier EC2 Instances Without Elastic or Public IP Addresses conformity rule settings and copy the tag set defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run create-image command (OSX/Linux/UNIX) to create an image from the source app-tier EC2 instance (see Audit section part II to identify the right resource). Include the --reboot command parameter (the default behaviour, equivalent to leaving No reboot unchecked in the console) so that the instance is shut down before the snapshot is taken, which is what guarantees the file system integrity of your new AMI:

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-0aabbccdd12345678 \
	--name "AMI for app-tier instance with Public IP attached" \
	--description "Application Stack AMI" \
	--reboot

03 The command output should return the ID of the new Amazon Machine Image (AMI):

{
    "ImageId": "ami-1234abcd"
}

04 Execute run-instances command (OSX/Linux/UNIX) to launch a new app-tier EC2 instance from the image created at the previous step. The following command example re-creates an app-tier instance using an AWS AMI with the ID ami-1234abcd, with tags set to <app_tier_tag>:<app_tier_tag_value>, without an associated Public IP address. Use the --no-associate-public-ip-address parameter to skip associating a Public IPv4 address with the new EC2 instance:

aws ec2 run-instances \
	--region us-east-1 \
	--iam-instance-profile Name=cc-app-tier-iam-role \
	--image-id ami-1234abcd \
	--count 1 \
	--instance-type m4.large \
	--key-name cc-access-key \
	--security-groups cc-app-tier-sg \
	--no-associate-public-ip-address \
	--tag-specifications 'ResourceType=instance,Tags=[{Key=<app_tier_tag>,Value=<app_tier_tag_value>}]'

05 The command output should return the new app-tier instance configuration metadata:

{
    "OwnerId": "123456789012",
    "Instances": [
        {
            ...
            "Architecture": "x86_64",
            "RootDeviceType": "ebs",
            "RootDeviceName": "/dev/xvda",
            "VirtualizationType": "hvm",
            ...
            "AmiLaunchIndex": 0
        }
    ]
}

06 Once the new instance is verified, replace the source EC2 instance with the new instance within your app-tier ELB configuration settings.

07 Now you can safely terminate the source instance. To shut down the source EC2 instance run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:

aws ec2 terminate-instances \
	--region us-east-1 \
	--instance-ids i-0aabbccdd12345678

08 The command output should return the shutdown request metadata:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-0aabbccdd12345678",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

09 Repeat steps no. 2 – 8 to remove Public IP addresses from other app-tier EC2 instances launched in the selected region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 9 for other regions.

Case B: To remove an Elastic IP (EIP) address from an app-tier EC2 instance, you need to disassociate the instance EIP. To disassociate the existing Elastic IP, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES, click Instances.

04 Select the app-tier instance associated with the Elastic IP (see Audit section part I to identify the right EC2 resource).

05 Click the Actions dropdown button from the dashboard top menu, select Networking and click Disassociate Elastic IP Address.

06 In the Disassociate Elastic IP Address dialog box, review the EIP details then click Yes, Disassociate.

07 Repeat steps no. 4 – 6 to disassociate EIPs from other app-tier EC2 instances available in the selected region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

Using AWS CLI

01 Run describe-network-interfaces command (OSX/Linux/UNIX) to get the association ID of the Elastic IP attached to your app-tier instance (see Audit section part II to identify the right instance). The association ID (eipassoc-...) is the identifier that disassociate-address expects, so query Association.AssociationId rather than the allocation ID:

aws ec2 describe-network-interfaces \
	--region us-east-1 \
	--filters Name=attachment.instance-id,Values=i-0aabbccdd12345678 \
	--query "NetworkInterfaces[*].Association.AssociationId"

02 The command output should return the requested Elastic IP association ID:

[
    "eipassoc-abcdabcd12345678"
]

03 Run disassociate-address command (OSX/Linux/UNIX) to detach the selected Elastic IP address from the app-tier EC2 instance:

aws ec2 disassociate-address \
	--region us-east-1 \
	--association-id eipassoc-abcdabcd12345678

04 Repeat steps no. 1 – 3 to disassociate Elastic IPs from other app-tier EC2 instances launched in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.


Publication date Aug 31, 2018