This comes up frequently, especially with public sector customers. To the best of my knowledge, this is something that cannot be disabled (normally due to requirements to resolve DNS for failover, service-to-service integration, etc). It also affects other services such as internal load-balancers, which can be queried externally and return the VPC IP addresses that have been assigned to them.
The way I typically handle this conversation is to explain to customers that although the internal IP addresses will be returned, since these are not routable from outside of the VPC, there is little that an attacker can do, just from the knowledge of them. Also, the DNS records include a random string, and do not reference the customer account ID, and so there is little risk of account discovery from brute-forcing DNS resolution across this space.
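As an added illustration of the point above (example code, not part of the original answer), the following inventories which DNS names answer with non-routable VPC addresses, so a defender can document exactly which endpoints disclose internal addressing; the hostnames and addresses are constructed sample data, and `resolve_name` is a hypothetical helper showing where a live lookup would plug in.

```python
"""Flag DNS names whose answers include non-routable (VPC-internal) addresses."""
import ipaddress
import socket
from typing import Dict, List, Tuple

# Constructed sample answers (names shaped like AWS endpoint names, not real ones):
# each hostname maps to the A records a public resolver returned for it.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "mydb.abc123xyz.us-east-1.rds.amazonaws.com": ["10.0.12.34"],
    "internal-app-1234567890.us-east-1.elb.amazonaws.com": ["10.0.1.5", "10.0.2.5"],
    "public-app-0987654321.us-east-1.elb.amazonaws.com": ["203.0.113.10"],
    "mixed.example.com": ["192.168.1.1", "198.51.100.7"],
}

# Explicit list of address space that is never routable from the Internet:
# RFC 1918, CGNAT (RFC 6598), link-local and loopback. Listed explicitly
# because ipaddress.is_private also flags documentation ranges (203.0.113.0/24).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",
)]


def is_non_routable(addr: str) -> bool:
    """True if addr falls inside one of the NON_ROUTABLE networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def classify_addresses(addrs: List[str]) -> Tuple[List[str], List[str]]:
    """Split a list of answers into (non-routable, routable)."""
    internal = [a for a in addrs if is_non_routable(a)]
    external = [a for a in addrs if not is_non_routable(a)]
    return internal, external


def find_internal_disclosures(answers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {name: internal_addrs} for every name whose public DNS answer
    reveals VPC addressing; names with only routable answers are omitted."""
    report = {}
    for name, addrs in answers.items():
        internal, _ = classify_addresses(addrs)
        if internal:
            report[name] = internal
    return report


def resolve_name(name: str) -> List[str]:
    """Hypothetical live-lookup helper (needs network): A/AAAA records for name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


if __name__ == "__main__":
    for name, internal in find_internal_disclosures(SAMPLE_ANSWERS).items():
        print(f"{name}: answer includes non-routable {', '.join(internal)}")
```

Feeding the output of `resolve_name` for each of your own endpoint names into `find_internal_disclosures` gives the list of records that expose private addresses, which is what is visible to anyone, even though the addresses themselves cannot be reached from outside the VPC.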