
Data-Tier Instances Without Elastic or Public IP Addresses


Risk Level: Medium (should be achieved)

Ensure that your data-tier Amazon EC2 instances are not associated with Elastic or Public IP addresses as these database instances don't have to be publicly reachable and must be protected from exposure. This conformity rule assumes that all the AWS resources (including instances) created within your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Before running this rule by the Trend Micro Cloud One™ – Conformity engine, the data-tier tags must be configured in the rule settings, on your Conformity account console.

Security

Without an Elastic or Public IP address associated with your data-tier EC2 instance, no inbound traffic can reach the instance from the Internet.

Note: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the data tier.


Audit

To determine if your data-tier Amazon EC2 instances are associated with Public or Elastic IP addresses, perform the following actions:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Data-Tier Instances Without Elastic or Public IP Addresses conformity rule settings, and identify the tag set defined for the AWS cloud resources available within your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Instances, choose Instances.

05 Click inside the Filter instances box located under the console top menu, and choose the tag set defined for your data tier resources, identified at step no. 1, from the Tags list. This filtering technique will return only the EC2 instances tagged for the data tier. If the data tier tag is not included in the Tags list, there are no EC2 instances tagged within your data tier and the Audit process ends here. If the data-tier tag is included in the Tags list and the Amazon EC2 console returns one or more instances, continue the Audit process with the next step.

06 Select the data-tier Amazon EC2 instance that you want to examine.

07 Choose the Details tab from the console bottom panel to access the instance configuration details.

08 In the Instance summary section, check the Public IPv4 address configuration attribute value. If the Public IPv4 address attribute value is set to an IPv4 address, the selected data-tier Amazon EC2 instance is using a Public/Elastic IP address that is reachable from the Internet.

09 Repeat steps no. 6 – 8 for each data-tier Amazon EC2 instance returned as result at step no. 5.

10 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Data-Tier Instances Without Elastic or Public IP Addresses conformity rule settings, and identify the tag set defined for the AWS cloud resources available within your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the Amazon EC2 instances available in the selected AWS region:

aws ec2 describe-instances
  --region us-east-1
  --output table
  --query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcabcabc1234567  |
|  i-01234567abcabcabc  |
|  i-0abcd1234abcd1234  |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to describe the tags defined for the selected EC2 instance:

aws ec2 describe-tags
  --region us-east-1
  --filters "Name=resource-id,Values=i-01234abcd1234abcd"
  --query 'Tags[*].{Value:Value, Key:Key}'

05 The describe-tags command should return one of the following outputs:

  1. If the command output returns an empty array (i.e. []), as shown in the example below, the verified EC2 instance is not tagged, therefore the Audit process for the selected resource ends here:
    []
    
  2. If the describe-tags command output returns a tag set that is different from the one identified at step no. 1, as shown in the example below, the verified EC2 instance does not belong to your data tier, therefore the Audit process for the selected resource ends here:
    [
    	{
    		"Key": "Environment",
    		"Value": "Production"
    	}
    ]
    
  3. If the command output returns a tag set that matches the one identified at step no. 1 (e.g. <data_tier_tag>:<data_tier_tag_value>), as shown in the example below, the verified EC2 instance is tagged as a data-tier resource, therefore the Audit process continues with the next step:
    [
    	{
    		"Key": "<data_tier_tag>",
    		"Value": "<data_tier_tag_value>"
    	}
    ]
    

06 Run describe-instances command (OSX/Linux/UNIX) using the ID of the data-tier Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to determine whether the selected data-tier instance is associated with a Public or an Elastic IP address:

aws ec2 describe-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd
  --query "Reservations[*].Instances[*].NetworkInterfaces[*].Association.IpOwnerId[] | []"

07 The command output should return one of three values: an empty array if the verified instance has no public IP address assigned, "amazon" if the instance has an auto-assigned public IP address, or the AWS account ID of the owner if the selected instance is associated with an Elastic IP address:

[
	"amazon"
]

If the describe-instances command output returns an AWS account ID (e.g. "123456789012") or "amazon" (as shown in the output example above), the selected data-tier Amazon EC2 instance is using a Public/Elastic IP address that is reachable from the Internet.

08 Repeat steps no. 6 and 7 for each data-tier Amazon EC2 instance available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.
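The CLI audit above (list the instances, check the data-tier tag, inspect IpOwnerId on each network interface), collected into one script as an added example that is not part of the Conformity page or its tooling. It evaluates an already-saved describe-instances JSON response (the constructed sample embedded below stands in for the output of `aws ec2 describe-instances --region us-east-1 --output json`), checks every network interface rather than only the first, and maps each finding to the remediation case on this page that applies; the tag key and value are the placeholders from the rule settings.

```python
import json

# Constructed sample, shaped like the describe-instances output shown on this page.
# In practice, load one of these per region from: aws ec2 describe-instances --region <region> --output json
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {   # data-tier instance with an auto-assigned public IPv4 (IpOwnerId "amazon")
        "InstanceId": "i-01234abcd1234abcd",
        "Tags": [{"Key": "<data_tier_tag>", "Value": "<data_tier_tag_value>"}],
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0abcd1234abcd1234",
                               "Association": {"IpOwnerId": "amazon", "PublicIp": "10.0.1.20"}}],
    },
    {   # data-tier instance holding an Elastic IP (IpOwnerId is the owning account ID)
        "InstanceId": "i-0abcabcabc1234567",
        "Tags": [{"Key": "<data_tier_tag>", "Value": "<data_tier_tag_value>"}],
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0111111111111111",
                               "Association": {"IpOwnerId": "123456789012",
                                               "PublicIp": "203.0.113.10",
                                               "AssociationId": "eipassoc-0abcdabcdabcdabcd"}}],
    },
    {   # compliant data-tier instance: private ENI only, so no Association block at all
        "InstanceId": "i-01234567abcabcabc",
        "Tags": [{"Key": "<data_tier_tag>", "Value": "<data_tier_tag_value>"}],
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0222222222222222"}],
    },
    {   # outside the data tier: out of scope for this rule even though it has a public IP
        "InstanceId": "i-0abcd1234abcd1234",
        "Tags": [{"Key": "Environment", "Value": "Production"}],
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0333333333333333",
                               "Association": {"IpOwnerId": "amazon", "PublicIp": "10.0.1.21"}}],
    },
]}]}

# Which remediation case on this page applies to each kind of exposure.
REMEDIATION = {
    "public-ip": "Case A: relaunch in a private subnet with --no-associate-public-ip-address",
    "elastic-ip": "Case B: disassociate-address, then release the Elastic IP",
}

def is_data_tier(instance, tag_key, tag_value):
    """True when the instance carries the data-tier tag set configured in the rule settings."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in instance.get("Tags", []))

def exposure_kinds(instance):
    """Same test as the page's IpOwnerId query, applied to every ENI of the instance:
    "amazon" means an auto-assigned public IPv4, an account ID means an Elastic IP."""
    kinds = set()
    for eni in instance.get("NetworkInterfaces", []):
        owner = eni.get("Association", {}).get("IpOwnerId")
        if owner is not None:
            kinds.add("public-ip" if owner == "amazon" else "elastic-ip")
    return kinds

def audit(response, tag_key, tag_value):
    """Evaluate one region's describe-instances response; one finding per data-tier instance."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if not is_data_tier(inst, tag_key, tag_value):
                continue  # audit steps 4-5: not tagged for the data tier, skip it
            kinds = sorted(exposure_kinds(inst))
            findings.append({"InstanceId": inst["InstanceId"], "Compliant": not kinds,
                             "Exposure": kinds, "Remediation": [REMEDIATION[k] for k in kinds]})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE, "<data_tier_tag>", "<data_tier_tag_value>"):
        print(json.dumps(finding))
```

Run it once per region, feeding it the describe-instances output saved with the matching --region value, to cover step 09.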

Remediation / Resolution

Case A: To remove a Public IP address from a data-tier EC2 instance, you must relaunch the instance with the appropriate network interface configuration (i.e. without a public IP address). To re-create your data-tier Amazon EC2 instance, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the data-tier EC2 instance that you want to re-create (see the Audit section, part I, to identify the right resource).

05 Click on the Actions dropdown menu from the console top menu, select Image and templates, and choose Create image.

06 On the Create image setup page, provide the following information:

  1. In the Image name box, enter a unique name for the new AMI.
  2. (Optional) In the Image description box, provide a short description that reflects the usage of the selected data-tier instance.
  3. Deselect Enable under No reboot so that Amazon EC2 service can guarantee the file system integrity for the new AMI.
  4. (Optional) For Tags, choose Tag image and snapshots together and use the Add tag button to create and apply user-defined tags to the new image.
  5. Choose Create image to create your new AMI.

07 Once the new image is ready, use it to relaunch your data-tier EC2 instance within a private subnet, without attaching a public IP address. On the Instances listing page, choose Launch instances and perform the following operations:

  1. For Step 1: Choose an Amazon Machine Image (AMI), choose My AMIs tab, and select the Amazon Machine Image (AMI) created at step no. 6.
  2. For Step 2: Choose an Instance Type, select the required instance type (must match the instance type used by the source, non-compliant data-tier instance). Choose Next: Configure Instance Details to continue the setup process.
  3. For Step 3: Configure Instance Details, perform the following actions:
    • Select the private subnet that you want to use from the Subnet dropdown list or choose Create new subnet to create a new private VPC subnet. A private subnet is a VPC subnet with no Internet Gateway (IGW) attached.
    • Select Disable from the Auto-assign Public IP dropdown list to launch the new backend instance without a public IP address.
    • Configure the identity management, behavior, and metadata settings. The new instance configuration must match the source data-tier instance configuration. Choose Next: Add Storage to continue the setup process.
  4. For Step 4: Add Storage, configure the storage device settings, then click Next: Add Tags to set up the instance tags.
  5. For Step 5: Add Tags, use the Add tag button to apply the data-tier tags (e.g. <data_tier_tag>:<data_tier_tag_value>) to the new Amazon EC2 instance. Use the same data-tier tag set as the one defined in the conformity rule settings. Choose Configure Security Group to continue the setup process.
  6. For Step 6: Configure Security Group, choose Select an existing security group and select the security group(s) associated with the source, non-compliant data-tier EC2 instance. Choose Review and Launch to continue.
  7. For Step 7: Review Instance Launch, review your EC2 instance configuration details, then choose Launch.
  8. In the Select an existing key pair or create a new key pair configuration box, select Choose an existing key pair and use the same key pair as the source instance. Select the I acknowledge that I have access to the selected private key file (<key-name>.pem), and that without this file, I won't be able to log into my instance checkbox for confirmation, then choose Launch Instances to launch your new data-tier Amazon EC2 instance.
  9. Choose View Instances to return to the Instances page.

08 (Optional) Once the new data-tier Amazon EC2 instance is deployed to the specified private subnet, you can terminate the source, non-compliant instance in order to stop adding charges for that EC2 resource. To shut down the required instance, perform the following actions:

  1. In the navigation panel, under Instances, choose Instances.
  2. Select the data-tier EC2 instance that you want to terminate.
  3. Choose Instance state and select Terminate instance.
  4. In the Terminate instance? confirmation box, review the instance details, then choose Terminate to shut down the selected EC2 instance.

09 Repeat steps no. 3 – 8 for other data-tier EC2 instances available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) to list the configuration information available for the data-tier Amazon EC2 instance that you want to re-create (see the Audit section, part II, to identify the right resource):

aws ec2 describe-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd
  --query 'Reservations[*].Instances[]'

02 The command output should return an array with the requested configuration information:

[
	{
		"AmiLaunchIndex": 0,
		"ImageId": "ami-0abcd1234abcd1234",
		"InstanceId": "i-01234abcd1234abcd",
		"InstanceType": "t2.micro",
		"KeyName": "conformity",
		"LaunchTime": "2021-03-10T10:00:00+00:00",
		"Monitoring": {
			"State": "disabled"
		},
		"Placement": {
			"AvailabilityZone": "us-east-1a",
			"GroupName": "",
			"Tenancy": "default"
		},
		"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
		"PrivateIpAddress": "10.0.0.15",
		"ProductCodes": [],
		"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
		"PublicIpAddress": "10.0.1.20",
		"State": {
			"Code": 16,
			"Name": "running"
		},
		"StateTransitionReason": "",
		"SubnetId": "subnet-abcd1234",
		"VpcId": "vpc-1234abcd",
		"Architecture": "x86_64",
		"BlockDeviceMappings": [
			{
				"DeviceName": "/dev/xvda",
				"Ebs": {
					"AttachTime": "2021-03-10T10:00:00+00:00",
					"DeleteOnTermination": true,
					"Status": "attached",
					"VolumeId": "vol-0abcd1234abcd1234"
				}
			}
		],
		"ClientToken": "",
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"IamInstanceProfile": {
			"Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
			"Id": "ABCDABCDABCDABCDABCDA"
		},
		"NetworkInterfaces": [
			{
				"Association": {
					"IpOwnerId": "amazon",
					"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
					"PublicIp": "10.0.1.20"
				},
				"Attachment": {
					"AttachTime": "2021-03-10T10:00:00+00:00",
					"AttachmentId": "eni-attach-0abcd1234abcd1234",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attached",
					"NetworkCardIndex": 0
				},
				"Description": "Primary network interface",
				"Groups": [
					{
						"GroupName": "cc-prod-security-group",
						"GroupId": "sg-01234abcd1234abcd"
					}
				],
				"Ipv6Addresses": [],
				"MacAddress": "0e:53:19:7b:62:6b",
				"NetworkInterfaceId": "eni-0abcd1234abcd1234",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
				"PrivateIpAddress": "10.0.0.15",
				"PrivateIpAddresses": [
					{
						"Association": {
							"IpOwnerId": "amazon",
							"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
							"PublicIp": "10.0.1.20"
						},
						"Primary": true,
						"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
						"PrivateIpAddress": "10.0.0.15"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-abcd1234",
				"VpcId": "vpc-1234abcd",
				"InterfaceType": "interface"
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupName": "cc-prod-security-group",
				"GroupId": "sg-01234abcd1234abcd"
			}
		],
		"SourceDestCheck": true,
		"Tags": [
			{
				"Key": "<data_tier_tag>",
				"Value": "<data_tier_tag_value>"
			}
		],
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 2,
			"ThreadsPerCore": 4
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"HibernationOptions": {
			"Configured": false
		},
		"MetadataOptions": {
			"State": "applied",
			"HttpTokens": "optional",
			"HttpPutResponseHopLimit": 1,
			"HttpEndpoint": "enabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		}
	}
]

03 Run create-image command (OSX/Linux/UNIX) to create an image from the source data-tier EC2 instance described in the previous step. Use the --reboot command parameter (the default behavior) so that Amazon EC2 shuts down and reboots the instance before creating the image; this is what guarantees the file system integrity of your new AMI, which --no-reboot cannot do:

aws ec2 create-image
  --region us-east-1
  --instance-id i-01234abcd1234abcd
  --name "Data-Tier EC2 Instance AMI"
  --description "Data-Tier Production Image"
  --reboot

04 The command output should return the ID of the new Amazon Machine Image (AMI):

{
	"ImageId": "ami-0abcdabcdabcdabcd"
}

05 Execute run-instances command (OSX/Linux/UNIX) to launch a new data-tier EC2 instance from the AMI created at the previous steps. Use the information returned at step no. 2 for the instance configuration parameters. Configure the --subnet-id command parameter with the ID of your private VPC subnet and include the --no-associate-public-ip-address parameter in the command request to avoid assigning automatically a Public IPv4 address to the new data-tier EC2 instance. Replace <data_tier_tag> and <data_tier_tag_value> with your own data-tier tag set:

aws ec2 run-instances
  --region us-east-1
  --image-id ami-0abcdabcdabcdabcd
  --count 1
  --instance-type t2.micro
  --key-name conformity
  --security-group-ids sg-01234abcd1234abcd
  --iam-instance-profile Name="ec2-manager-role"
  --subnet-id subnet-abcdabcd
  --no-associate-public-ip-address
  --tag-specifications 'ResourceType=instance,Tags=[{Key=<data_tier_tag>,Value=<data_tier_tag_value>}]'

06 The command output should return the configuration metadata for the newly created data-tier EC2 instance:

{
	"Groups": [],
	"Instances": [
		{
			"AmiLaunchIndex": 0,
			"ImageId": "ami-0abcdabcdabcdabcd",
			"InstanceId": "i-01234123412341234",
			"InstanceType": "t2.micro",
			"KeyName": "conformity.aws",
			"LaunchTime": "2021-03-22T17:29:43+00:00",
			"Monitoring": {
				"State": "disabled"
			},
			"Placement": {
				"AvailabilityZone": "us-east-1e",
				"GroupName": "",
				"Tenancy": "default"
			},
			"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
			"PrivateIpAddress": "10.0.0.5",
			"ProductCodes": [],
			"PublicDnsName": "",
			"State": {
				"Code": 0,
				"Name": "pending"
			},
			"StateTransitionReason": "",
			"SubnetId": "subnet-abcdabcd",
			"VpcId": "vpc-1234abcd",
			"Architecture": "x86_64",
			"BlockDeviceMappings": [],
			"EbsOptimized": false,
			"EnaSupport": true,
			"Hypervisor": "xen",
			"IamInstanceProfile": {
				"Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
				"Id": "ABCDABCDABCDABCDABCD"
			},
			"NetworkInterfaces": [
				{
					"Attachment": {
						"AttachTime": "2021-03-22T17:29:43+00:00",
						"AttachmentId": "eni-attach-0abcd1234abcd1234",
						"DeleteOnTermination": true,
						"DeviceIndex": 0,
						"Status": "attaching",
						"NetworkCardIndex": 0
					},
					"Description": "",
					"Groups": [
						{
							"GroupName": "cc-prod-security-group",
							"GroupId": "sg-01234abcd1234abcd"
						}
					],
					"Ipv6Addresses": [],
					"MacAddress": "06:00:c7:12:51:99",
					"NetworkInterfaceId": "eni-0abcd1234abcd1234",
					"OwnerId": "123456789012",
					"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
					"PrivateIpAddress": "10.0.0.5",
					"PrivateIpAddresses": [
						{
							"Primary": true,
							"PrivateDnsName": "ip-10-0-0-5.ec2.internal",
							"PrivateIpAddress": "10.0.0.5"
						}
					],
					"SourceDestCheck": true,
					"Status": "in-use",
					"SubnetId": "subnet-abcdabcd",
					"VpcId": "vpc-1234abcd",
					"InterfaceType": "interface"
				}
			],
			"RootDeviceName": "/dev/xvda",
			"RootDeviceType": "ebs",
			"SecurityGroups": [
				{
					"GroupName": "cc-prod-security-group",
					"GroupId": "sg-01234abcd1234abcd"
				}
			],
			"SourceDestCheck": true,
			"Tags": [
				{
					"Key": "<data_tier_tag>",
					"Value": "<data_tier_tag_value>"
				}
			],
			"StateReason": {
				"Code": "pending",
				"Message": "pending"
			},
			"VirtualizationType": "hvm",
			"CpuOptions": {
				"CoreCount": 1,
				"ThreadsPerCore": 1
			},
			"CapacityReservationSpecification": {
				"CapacityReservationPreference": "open"
			},
			"MetadataOptions": {
				"State": "pending",
				"HttpTokens": "optional",
				"HttpPutResponseHopLimit": 1,
				"HttpEndpoint": "enabled"
			},
			"EnclaveOptions": {
				"Enabled": false
			}
		}
	],
	"OwnerId": "123456789012",
	"ReservationId": "r-0abcd1234abcd1234"
}

07 (Optional) Once the new data-tier Amazon EC2 instance is deployed to the specified private VPC subnet, you can terminate the source, non-compliant instance in order to stop adding charges for that EC2 resource. To shut down the required instance, run terminate-instances command (OSX/Linux/UNIX) using the instance ID as the identifier parameter:

aws ec2 terminate-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd

08 The output should return the terminate-instances command request metadata:

{
	"TerminatingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 32,
				"Name": "shutting-down"
			},
			"PreviousState": {
				"Code": 16,
				"Name": "running"
			}
		}
	]
}

09 Repeat steps no. 1 – 8 for other data-tier EC2 instances available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 9 for other regions.

Case B: To remove an Elastic IP (EIP) address from a data-tier Amazon EC2 instance, you have to disassociate the instance EIP. To disassociate the Elastic IP, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, select Elastic IPs.

04 Select the Elastic IP address attached to the data-tier Amazon EC2 instance, choose Actions, and select Disassociate Elastic IP address.

05 In the Disassociate Elastic IP address confirmation box, review the EIP details, then choose Disassociate.

06 Select the same IP address, choose Actions and select Release Elastic IP addresses.

07 Repeat steps no. 4 – 6 for other non-compliant data-tier EC2 instances available within the current AWS region.

08 Change the AWS region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-network-interfaces command (OSX/Linux/UNIX) to describe the ID of the Elastic IP (EIP) association with your data-tier Amazon EC2 instance:

aws ec2 describe-network-interfaces
  --region us-east-1
  --filters Name=attachment.instance-id,Values=i-01234abcd1234abcd
  --query "NetworkInterfaces[*].Association.AssociationId"

02 The command output should return the requested association ID:

[
	"eipassoc-0abcdabcdabcdabcd"
]

03 Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the non-compliant data-tier EC2 instance (the command does not produce an output):

aws ec2 disassociate-address
  --association-id eipassoc-0abcdabcdabcdabcd

04 Repeat steps no. 1 – 3 for other non-compliant data-tier EC2 instances available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.

Publication date Aug 31, 2018
