EC2 instances should not have a public IP address | AWS Foundational Security Best Practices


Recently I ran a security assessment of my AWS resources using AWS Security Hub. As a result, under the AWS Foundational Security Best Practices v1.0.0 category, there is a failure saying:

EC2 instances should not have a public IPv4 address

If this instance has no public IP, how do I access it through the internet?

I would like a good explanation of this security best practice that EC2 instances should not have a public IP address.

Answer 1 (4 votes)

Typically, only a Load Balancer is exposed to the Internet. It then forwards traffic to Amazon EC2 instances spread across multiple Availability Zones.

The Load Balancer can filter traffic and can route traffic to an appropriate destination based upon the requested path in the URL.

This way, nobody can access the EC2 instance directly (e.g. via RDP or SSH).

Administrators should be able to access the VPC via a VPN or Direct Connect connection rather than going via the Internet.

Answer 2 (6 votes)

EC2 instances should not have a public IPv4 address

That might be referring to an EC2 instance in a private subnet. For EC2 instances in a public subnet you will need an IP to receive web traffic.

As per the VPC FAQ:


For security, make sure the security group associated with the public EC2 instance only allows traffic on the required ports. E.g. a web server should only need an inbound rule (ingress) for, say, port 80. You do not need to define an outbound rule (egress), because the response to the inbound traffic will still be allowed.

Security groups are stateful - if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

As per my preceding comment on one of the other answers, you can get away without allowing inbound traffic on the SSH port by using SSM (excluding the edge case I noted).

The answer doesn't change if you use a load balancer. I tried to provision an ASG (auto scaling group) in a public subnet and in CloudFormation specified that the implementation shouldn't associate public IP addresses with the EC2 instances. The ASG never got success signals from the EC2 instances and the CloudFormation deployment was rolled back.

Answer 3 (0 votes)

I think you are facing this security issue because of the subnet configuration. Check whether the subnet configuration has "Auto-assign public IP" enabled.

An instance placed in this subnet will by default receive a public IP. This is what AWS flags as a security issue.

You should manually enable a public IP each time a new EC2 instance is put into the subnet, even if it's a public subnet.

Check this link
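As an added example (not code from the thread or from AWS), a small offline check in Python that applies the points made in the answers above: it flags instances that carry a public IPv4 address, subnets that auto-assign public IPs on launch, and security groups that open SSH or RDP to 0.0.0.0/0. It runs over constructed dicts shaped like the DescribeInstances, DescribeSubnets and DescribeSecurityGroups responses; with boto3 you would pass in the real ones.

```python
# Constructed sample data in the shape of the EC2 describe-* API responses.
# 203.0.113.10 is a documentation address, not a real host.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-pub",
     "PublicIpAddress": "203.0.113.10", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-priv",
     "SecurityGroups": [{"GroupId": "sg-app"}]},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-pub", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv", "MapPublicIpOnLaunch": False},
]
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

ADMIN_PORTS = (22, 3389)  # SSH and RDP, the ports the first answer mentions


def world_open_admin_ports(sg):
    """Admin ports whose ingress rule allows 0.0.0.0/0 (an all-protocol rule has no ports)."""
    exposed = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        exposed += [p for p in ADMIN_PORTS if world and lo <= p <= hi and p not in exposed]
    return exposed


def evaluate(instances, subnets, sgs):
    """Map instance id -> list of findings; instances with no findings are omitted."""
    auto_assign = {s["SubnetId"]: s.get("MapPublicIpOnLaunch", False) for s in subnets}
    sg_by_id = {g["GroupId"]: g for g in sgs}
    findings = {}
    for inst in instances:
        notes = []
        if inst.get("PublicIpAddress"):
            notes.append("instance has a public IPv4 address")
        if auto_assign.get(inst["SubnetId"]):
            notes.append("subnet auto-assigns public IPs on launch")
        for ref in inst.get("SecurityGroups", []):
            for port in world_open_admin_ports(sg_by_id.get(ref["GroupId"], {})):
                notes.append(f"{ref['GroupId']} opens port {port} to 0.0.0.0/0")
        if notes:
            findings[inst["InstanceId"]] = notes
    return findings
```

The private instance passes because its SSH rule is scoped to an internal CIDR; with SSM Session Manager (as the second answer notes) that rule could be dropped entirely.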