security hub questions about ec2 instance

0

What is the best solution to address the security vulnerability report regarding an EC2 instance with the error message 'EC2 instances should not have a public IPv4 address'?

asked 6 months ago · 177 views
3 Answers
1
Accepted Answer

Hi,

The best practice is to have your EC2 in private subnets (not having a public IP address). Depending on your case, you should:

  • Have an ELB in front of it (ALB or NLB). It will help to expose only specific ports and increases your HA if you have more than one EC2 instance.
  • Have CloudFront in front of it. It will help with caching, and your instances are not accessible directly by the clients.
  • Have access to it via VPN. If this instance serves only internal users, you can put it behind the VPN to increase security.

Of course, it's just recommendation and you can show what controls you set to mitigate different risks and acknowledge others.

EXPERT
answered 6 months ago
EXPERT reviewed a month ago
AWS EXPERT reviewed 6 months ago
  • But the problem is I already have this EC2 Instance running in a public subnet with a public IP address. How is it possible to apply this solution to an already running instance, running in a public subnet with a public IP address?

  • Agreed with Dmytro. On your additional question: is the EC2 reached publicly via its IP address directly or via a DNS name? If you use DNS, you can create the new implementation with the balancer while keeping the existing IP up & running. This address will receive requests for a few days after you switch the DNS record to the balancer IP. After traffic to the existing IP disappears, you can remove this initial IP.

  • As Didier said, if you are reaching your service by DNS name it's straightforward to do a zero-downtime migration. If you are using the IP address directly, the only solution is if you are using an EIP for your public IP. In that case, you can move it to the ELB.
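Before deciding between the paths discussed above (DNS cutover vs. carrying an Elastic IP to the load balancer), it helps to know, per flagged instance, whether its public IPv4 is an Elastic IP or auto-assigned and whether its subnet actually routes to an internet gateway. The following triage script is an added example, not code from the thread or from AWS; it runs offline on JSON shaped like `aws ec2 describe-instances`, `describe-route-tables` and `describe-addresses` output. All instance, subnet, route table and allocation IDs in it are constructed sample data, not from a real account.

```python
"""Triage instances flagged by 'EC2 instances should not have a public IPv4 address'."""
from dataclasses import dataclass

# --- constructed sample data (hypothetical IDs, not from a real account) ---
INSTANCES = [
    {"InstanceId": "i-0aaa", "VpcId": "vpc-0001", "SubnetId": "subnet-pub1",
     "PublicIpAddress": "203.0.113.10", "Tags": [{"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0bbb", "VpcId": "vpc-0001", "SubnetId": "subnet-pub1",
     "PublicIpAddress": "203.0.113.11", "Tags": [{"Key": "Name", "Value": "web-2"}]},
    {"InstanceId": "i-0ccc", "VpcId": "vpc-0001", "SubnetId": "subnet-priv1",
     "Tags": [{"Key": "Name", "Value": "app-1"}]},
    # no explicit route-table association: the VPC main route table applies
    {"InstanceId": "i-0ddd", "VpcId": "vpc-0001", "SubnetId": "subnet-legacy",
     "PublicIpAddress": "203.0.113.12", "Tags": []},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0001", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"}]},
    {"RouteTableId": "rtb-pub", "VpcId": "vpc-0001",
     "Associations": [{"Main": False, "SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"}]},
    {"RouteTableId": "rtb-priv", "VpcId": "vpc-0001",
     "Associations": [{"Main": False, "SubnetId": "subnet-priv1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001"}]},
]
# describe-addresses lists only Elastic IPs; auto-assigned public IPs never appear here
ADDRESSES = [{"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0001",
              "InstanceId": "i-0aaa"}]


@dataclass
class Finding:
    instance_id: str
    name: str
    public_ip: str
    ip_kind: str          # "elastic" or "auto-assigned"
    subnet_id: str
    subnet_is_public: bool
    remediation: str


def instances_from_cli(describe_instances_json):
    """Flatten the Reservations/Instances nesting of describe-instances output."""
    return [i for r in describe_instances_json["Reservations"] for i in r["Instances"]]


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_public_subnet(subnet_id, vpc_id, route_tables):
    """Public means the effective route table sends 0.0.0.0/0 to an internet gateway."""
    rt = route_table_for_subnet(subnet_id, vpc_id, route_tables)
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for r in (rt or {}).get("Routes", []))


def triage(instances, route_tables, addresses):
    """One Finding per instance with a public IPv4 address, with the cutover path to use."""
    eip_by_instance = {a["InstanceId"]: a for a in addresses if "InstanceId" in a}
    findings = []
    for inst in instances:
        public_ip = inst.get("PublicIpAddress")
        if not public_ip:
            continue  # compliant with the control
        ip_kind = "elastic" if inst["InstanceId"] in eip_by_instance else "auto-assigned"
        public_subnet = is_public_subnet(inst["SubnetId"], inst["VpcId"], route_tables)
        if ip_kind == "elastic":
            remediation = ("relaunch from an AMI in a private subnet behind a load balancer; "
                           "the Elastic IP can be moved to an NLB so clients using the bare "
                           "IP keep working")
        else:
            remediation = ("relaunch from an AMI in a private subnet with no public IP behind "
                           "a load balancer; the address cannot be preserved, so cut over by "
                           "DNS and keep the old instance until its traffic drains")
        if not public_subnet:
            remediation += " (no IGW route: this public IP is not reachable today)"
        name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"), "")
        findings.append(Finding(inst["InstanceId"], name, public_ip, ip_kind,
                                inst["SubnetId"], public_subnet, remediation))
    return findings


if __name__ == "__main__":
    for f in triage(INSTANCES, ROUTE_TABLES, ADDRESSES):
        print(f"{f.instance_id:8} {f.name or '-':6} {f.public_ip:14} {f.ip_kind:14} "
              f"public_subnet={f.subnet_is_public} -> {f.remediation}")
```

To run it against an account, feed `instances_from_cli(json.load(...))` the saved output of `aws ec2 describe-instances`, and the `RouteTables` and `Addresses` arrays from the other two commands. Instances that show up as "elastic" are the ones where the IP-based cutover described in the comments above is possible; the rest need a DNS cutover.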

1

Hi emman, any reason why you are using an EC2 instance in the public subnet? What is your business scenario? As, according to best practice, also stated above by Dmytro, you should have the EC2 instance in the private subnet and have it accessed through an ALB etc.

If you do not want any downtime, then you could create an AMI of your running EC2 instance and then start a new EC2 instance using this AMI in the private zone and then shift from public to private.

answered 6 months ago
1

You have to create a snapshot of the EC2 and restore the snapshot in a private subnet.

There is no way to remove the Public IP or move subnets with existing EC2s.

EXPERT
answered 6 months ago
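The second and third answers both describe the same procedure: image the running instance, launch the copy in a private subnet, and only then move traffic. The script below is an added example of that flow, not code from the thread or from AWS. The boto3 calls it makes (`describe_instances`, `create_image`, `run_instances`, the `image_available`/`instance_running` waiters, `describe_addresses`) are the real client API; `FakeEC2` is a constructed offline stand-in with hypothetical IDs so the flow can be run and checked without an account, and the `sg-0001`/`subnet-priv1` arguments are assumptions the caller supplies.

```python
"""Relaunch a public-subnet instance into a private subnet from an AMI, leaving the
original running for the DNS or Elastic IP cutover."""
import time


def _describe_one(ec2, instance_id):
    return ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]


def migrate_to_private_subnet(ec2, instance_id, private_subnet_id, security_group_ids,
                              no_reboot=False):
    """Image the instance, launch a copy with no public IPv4, return the cutover facts."""
    src = _describe_one(ec2, instance_id)
    if not src.get("PublicIpAddress"):
        raise ValueError(f"{instance_id} has no public IPv4 address; nothing to migrate")

    # 1. Create the AMI. NoReboot=False reboots for a consistent filesystem; pass
    #    no_reboot=True only if a short reboot is worse than a possibly inconsistent image.
    name = f"migrate-{instance_id}-{int(time.time())}"
    image_id = ec2.create_image(InstanceId=instance_id, Name=name, NoReboot=no_reboot)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[image_id])

    # 2. Launch the copy. AssociatePublicIpAddress=False on the primary interface overrides
    #    the subnet's auto-assign flag, so the control stays satisfied even if someone later
    #    enables MapPublicIpOnLaunch on the target subnet. Tags in the aws: namespace are
    #    reserved and cannot be copied.
    tags = [t for t in src.get("Tags", []) if not t["Key"].startswith("aws:")]
    tags.append({"Key": "MigratedFrom", "Value": instance_id})
    params = {
        "ImageId": image_id, "InstanceType": src["InstanceType"], "MinCount": 1, "MaxCount": 1,
        "NetworkInterfaces": [{"DeviceIndex": 0, "SubnetId": private_subnet_id,
                               "Groups": security_group_ids, "AssociatePublicIpAddress": False}],
        "TagSpecifications": [{"ResourceType": "instance", "Tags": tags}],
    }
    if "KeyName" in src:
        params["KeyName"] = src["KeyName"]
    if "IamInstanceProfile" in src:
        params["IamInstanceProfile"] = {"Arn": src["IamInstanceProfile"]["Arn"]}
    new_id = ec2.run_instances(**params)["Instances"][0]["InstanceId"]
    ec2.get_waiter("instance_running").wait(InstanceIds=[new_id])

    # 3. Verify the copy really has no public address before a load balancer targets it.
    new = _describe_one(ec2, new_id)
    if new.get("PublicIpAddress"):
        raise RuntimeError(f"{new_id} unexpectedly got public IP {new['PublicIpAddress']}")

    # 4. An Elastic IP can follow the service to an NLB; an auto-assigned address cannot,
    #    so in that case the cutover has to go through DNS. The old instance is left running.
    eips = ec2.describe_addresses(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])["Addresses"]
    return {"image_id": image_id, "new_instance_id": new_id,
            "new_private_ip": new["PrivateIpAddress"], "old_instance_id": instance_id,
            "elastic_ip_allocation": eips[0]["AllocationId"] if eips else None,
            "cutover": "move Elastic IP to the NLB" if eips else "switch DNS to the load balancer"}


class FakeEC2:
    """Constructed offline stand-in for the boto3 EC2 client calls used above."""
    def __init__(self):
        self.instances = {"i-0src": {
            "InstanceId": "i-0src", "InstanceType": "t3.small", "SubnetId": "subnet-pub1",
            "PublicIpAddress": "203.0.113.10", "PrivateIpAddress": "10.0.1.10", "KeyName": "ops",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
            "Tags": [{"Key": "Name", "Value": "web-1"},
                     {"Key": "aws:cloudformation:stack-name", "Value": "web"}]}}
        self.addresses = [{"AllocationId": "eipalloc-0001", "InstanceId": "i-0src",
                           "PublicIp": "203.0.113.10"}]
        self.run_calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def create_image(self, InstanceId, Name, NoReboot):
        return {"ImageId": "ami-0copy"}

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def run_instances(self, **params):
        self.run_calls.append(params)
        nic = params["NetworkInterfaces"][0]
        inst = {"InstanceId": "i-0new", "InstanceType": params["InstanceType"],
                "SubnetId": nic["SubnetId"], "PrivateIpAddress": "10.0.2.10",
                "Tags": params["TagSpecifications"][0]["Tags"]}
        if nic["AssociatePublicIpAddress"]:  # what a subnet-level auto-assign would do
            inst["PublicIpAddress"] = "203.0.113.99"
        self.instances["i-0new"] = inst
        return {"Instances": [inst]}

    def describe_addresses(self, Filters):
        wanted = set(Filters[0]["Values"])
        return {"Addresses": [a for a in self.addresses if a["InstanceId"] in wanted]}


if __name__ == "__main__":
    print(migrate_to_private_subnet(FakeEC2(), "i-0src", "subnet-priv1", ["sg-0001"]))
```

Replacing `FakeEC2()` with `boto3.client("ec2", region_name=...)` runs the same flow for real; the caller needs `ec2:CreateImage`, `ec2:RunInstances`, `ec2:Describe*` and, if the source has an instance profile, `iam:PassRole` on that role. The original instance is deliberately not stopped or terminated: that happens only after the load balancer targets the copy and, as the comments on the accepted answer describe, traffic to the old address has drained.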
