Open menu
-->

Data-Tier Instances Without Elastic or Public IP Addresses

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: Medium (should be achieved)

Ensure that your data-tier instances are not associated with Elastic or Public IP addresses as these database instances don't have to be publicly reachable and must be protected from exposure. This conformity rule assumes that all AWS resources (including instances) created within your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the data-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

Without an Elastic or Public IP address associated with your data-tier instance, no inbound traffic can reach the instance from the Internet. Note: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the data tier.

Audit

To determine if your database instances are associated with Public or Elastic IP Addresses, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Data-Tier Instances Without Elastic or Public IP Addresses conformity rule settings and copy the tag set defined for AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under INSTANCES, click Instances.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <data_tier_tag> : <data_tier_tag_value>) and press Enter. This filtering method will return only the instances tagged for the data tier. If no results are returned, there are no instances tagged within your data tier and the audit process ends here. If the AWS console lists one or more instances, continue the audit with the next step.

06 Select the data-tier instance that you want to examine.

07 Select the Description tab from the dashboard bottom panel.

08 In the right column, check the IPv4 Public IP attribute value. If this attribute has an IP address set as value, the selected data-tier instance has an Elastic and/or Public IP currently assigned.

09 Repeat steps no. 6 – 8 to check other data-tier instances, launched in the selected region, for associated Elastic and/or Public IP addresses.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Data-Tier Instances Without Elastic or Public IP Addresses conformity rule settings and copy the tag set defined for AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all instances available in the selected AWS region:

aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested ID(s):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0abcabcabc1234567  |
|  i-01234567abcabcabc  |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the instance that you want to examine as identifier and custom query filters to describe the tags defined for the selected EC2 resource:

aws ec2 describe-tags
	--region us-east-1
	--filters "Name=resource-id,Values=i-0abcabcabc1234567"
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified instance is not tagged, therefore the audit process for the selected resource ends here:
    []
    
  2. If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified instance does not belong to your data tier, therefore the audit process for the selected resource ends here:
    [
        {
            "Value": "EngineVersion",
            "Key": "5.6"
        }
    ]
    
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. :), as shown in the example below, the verified AWS EC2 instance is tagged as a data-tier resource, therefore the audit process continues with the next step:
    [
        {
            "Key": "<data_tier_tag>",
            "Value": "<data_tier_tag_value>"
        }
    ]
    

06 Run describe-instances command (OSX/Linux/UNIX) using the ID of the data-tier instance that you want to examine as identifier and custom filtering to determine whether the selected data-tier instance is associated with an Elastic/Public IP address:

aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-0abcabcabc1234567
	--query "Reservations[*].Instances[*].NetworkInterfaces[*].Association.IpOwnerId[] | []"

07 The command output should return an empty array – if the instance has no Elastic/Public IP address assigned, "amazon" – if the instance has a Public IP and or the AWS account ID of the owner – if the selected instance is associated with an Elastic IP address:

[
    "amazon"
]

If the command output returns an AWS account ID (e.g. "123456789012") or "amazon" (as shown in the example above), the selected data-tier instance has an Elastic or a Public IP address assigned.

08 Repeat step no. 6 and 7 to verify other data-tier instances, provisioned in the selected region, for associated Elastic and/or Public IP addresses.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

Case A: To remove a Public IP address from a data-tier instance, you must re-launch the instance with the right network configuration. To re-launch your data-tier instance, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Data-Tier Instances Without Elastic or Public IP Addresses conformity rule settings and copy the tag set defined for AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under INSTANCES, click Instances.

05 Select the data-tier instance that requires Public IP removal (see Audit section part I to identify the right AWS resource).

06 Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.

07 Inside Create Image dialog box, provide the following information:

  1. In the Image Name box, enter a name for the new AMI.
  2. In the Image description box, provide a description that reflects the usage of the instance selected.
  3. Leave No reboot option unchecked so that AWS can guarantee the file system integrity for the new AMI.
  4. Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The AMI build process may take few minutes. Once the process is complete, the image status should change from pending to available.

08 Once the AMI is ready, use it to re-launch the selected data-tier instance without a Public IP address. To launch the instance, perform the following actions:

  1. Click the Launch Instance button from the EC2 dashboard top menu to initiate the process.
  2. On Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the AMI created at step no. 7.
  3. On Choose an Instance Type page, select the same instance type used by the source instance, then click Next: Configure Instance Details button.
  4. On Configure Instance Details page, select Disable from the Auto-assign Public IP dropdown list and configure any other options available on the page based on your requirements. Click Next: Add Storage without changing any configuration settings then click Next: Add Tags to set up the data-tier tags.
  5. On Add Tags page, create the required tag set, copied at step no. 1, then click Next: Configure Security Groups button.
  6. On Configure Security Groups, choose Select an existing security group and select the security group attached to the source data-tier instance. Click the Review and Launch button, review your data-tier instance configuration details and click Launch.
  7. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source instance. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.
  8. Click View Instances to return to the Instances page. The new instance will have the same data and configuration (except the Public IP address) as the source instance.

09 Once you have verified the new data-tier instance, replace the source instance with the new instance within your application settings.

10 Now you can terminate the source data-tier instance in order to stop incurring AWS charges. To shut down the instance, perform the following actions:

  1. In the navigation panel, under INSTANCES, select Instances.
  2. Select the data-tier EC2 instance that you want to terminate.
  3. Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
  4. In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

11 Repeat steps no. 5 – 10 to remove Public IP addresses from other data-tier instances provisioned in the selected region.

12 Change the AWS region from the navigation bar and repeat steps no. 5 – 11 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Data-Tier Instances Without Elastic or Public IP Addresses conformity rule settings and copy the tag set defined for AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run create-image command (OSX/Linux/UNIX) to create an image from the source data-tier instance (see Audit section part II to identify the right resource). Include --no-reboot command parameter to guarantee the file system integrity for your new AMI:

aws ec2 create-image
	--region us-east-1
	--instance-id i-0abcabcabc1234567
	--name "AMI for data-tier instance with Public IP"
	--description "Prod Data Stack AMI"
	--no-reboot

03 The command output should return the ID of the new Amazon Machine Image (AMI):

{
    "ImageId": "ami-abcd1234"
} 

04 Execute run-instances command (OSX/Linux/UNIX) to launch a new data-tier EC2 instance from the image created at the previous steps. The following command example re-creates a data-tier instance using an AWS AMI with the ID ami-abcd5678, with tags set to <data_tier_tag>:<data_tier_tag_value>, without an associated Public IP address. Use --no-associate-public-ip-address parameter to avoid assigning automatically a Public IPv4 address to the new instance:

aws ec2 run-instances
	--region us-east-1
	--iam-instance-profile Name=cc-data-tier-iam-role
	--image-id ami-abcd5678
	--count 1
	--instance-type r3.large
	--key-name cc-ssh-key
	--security-groups cc-data-tier-sg
	--no-associate-public-ip-address
	--tag-specifications 'ResourceType=instance,Tags=[{Key=<data_tier_tag>,Value=<data_tier_tag_value>}]'

05 The command output should return the new data-tier instance metadata:

{
 
    {
            "OwnerId": "123456789012",
            "Instances": [
 
                    ...
 
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                     
                    ...
 
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

06 Once you have verified the new data-tier instance, replace the source instance with the new instance within your application settings.

07 Safely terminate the source instance in order to stop incurring AWS charges. To shut down the source EC2 instance run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:

aws ec2 terminate-instances 
	--instance-ids i-0abcabcabc1234567

08 The command output should return the shutdown request metadata:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-0abcabcabc1234567",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

09 Repeat steps no. 2 – 8 to remove Public IP addresses from other data-tier instances launched in the selected region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 9 for other regions.

Case B: To remove an Elastic IP (EIP) address from a data-tier instance, you need to disassociate the instance EIP. To disassociate the Elastic IP, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES, click Instances.

04 Select the data-tier instance associated with an Elastic IP (see Audit section part I to identify the right AWS resource).

05 Click the Actions dropdown button from the dashboard top menu, select Networking and click Disassociate Elastic IP Address.

06 In the Disassociate Elastic IP Address dialog box, review the EIP details then click Yes, Disassociate.

07 Repeat steps no. 4 – 6 to disassociate EIPs from other data-tier instances available in the selected region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

Using AWS CLI

01 Run describe-network-interfaces command (OSX/Linux/UNIX) to get the ID of the Elastic IP associated with your data-tier instance (see Audit section part II to identify the right instance).

aws ec2 describe-network-interfaces
	--region us-east-1
	--filters Name=attachment.instance-id,Values=i-0abcabcabc1234567
	--query "NetworkInterfaces[*].Association.AllocationId"

02 The command output should return the requested AWS Elastic IP ID:

[
    "eipalloc-0aabbccdd12345678"
]

03 Run disassociate-address command (OSX/Linux/UNIX) to detach the selected Elastic IP address from the data-tier instance:

aws ec2 disassociate-address 
	--association-id eipassoc-0aabbccdd12345678

04 Repeat steps no. 1 – 3 to disassociate Elastic IPs from other data-tier instances launched in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.

References

Publication date Aug 31, 2018