Ensure that no backend EC2 instances are provisioned in public subnets, in order to protect them from exposure to the Internet. In this context, backend instances are EC2 instances that do not require direct access to the public Internet, such as database, API or caching servers. As a best practice, all EC2 instances that are not Internet-facing should run within a private subnet, behind a NAT gateway that allows them to download software updates, apply security patches, and access other AWS resources such as SQS and SNS, without being reachable from the Internet.
By provisioning EC2 instances within a private subnet (a logically isolated section of your VPC whose route table has no route to an Internet gateway), you prevent these instances from receiving inbound traffic initiated by someone on the Internet, and therefore have a stronger guarantee that no malicious requests can reach your backend instances. Note: For this rule Cloud Conformity assumes that your EC2 instances are running within a VPC that has both public and private subnets.
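As an added example (not part of the Cloud Conformity rule page or its own checker), the following Python classifies instances as public- or private-subnet residents using the same criterion the rule relies on: a subnet is public when the route table it uses (its explicit association, or the VPC's main route table when it has none) sends 0.0.0.0/0 or ::/0 to an Internet gateway. The sample data is constructed in the shape of boto3 `describe_route_tables` / `describe_instances` responses; the VPC, subnet and instance IDs are placeholders.

```python
# Classify EC2 instances by whether their subnet's route table sends default traffic to an IGW.
# Constructed sample data shaped like boto3 describe_route_tables / describe_instances output.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "VpcId": "vpc-1",                      # public subnet
     "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-priv", "VpcId": "vpc-1",                     # private subnet behind NAT
     "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",                     # VPC main table, local only
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
INSTANCES = [
    {"InstanceId": "i-db01", "SubnetId": "subnet-priv", "VpcId": "vpc-1"},
    {"InstanceId": "i-api01", "SubnetId": "subnet-pub", "VpcId": "vpc-1"},
    {"InstanceId": "i-cache01", "SubnetId": "subnet-orphan", "VpcId": "vpc-1"},  # no explicit table
]

def route_table_is_public(rt):
    """True if any default route (IPv4 or IPv6) targets an Internet gateway (igw-*)."""
    for r in rt.get("Routes", []):
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and str(r.get("GatewayId", "")).startswith("igw-"):
            return True
    return False

def subnet_route_table(subnet_id, vpc_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if rt.get("VpcId") == vpc_id and any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None

def public_instances(instances, route_tables):
    """Return IDs of instances whose effective route table makes their subnet public."""
    found = []
    for inst in instances:
        rt = subnet_route_table(inst["SubnetId"], inst["VpcId"], route_tables)
        if rt is not None and route_table_is_public(rt):
            found.append(inst["InstanceId"])
    return found
```

Feed real `describe_route_tables()["RouteTables"]` and the flattened `Instances` lists from `describe_instances()` into `public_instances` to get the list of backend instances that need to be relaunched in a private subnet.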
To determine if your backend EC2 instances are running within AWS VPC public subnets, perform the following:
To move your backend EC2 instances from public subnets to private subnets, you must re-launch these instances within the appropriate private subnets. To migrate the instance(s), perform the following: