Ensure that no backend EC2 instances are provisioned in public subnets, so that they are not exposed to the Internet. In this context, backend instances are EC2 instances that do not need to accept connections from the public Internet, such as database, API or caching servers. As a best practice, every EC2 instance that is not Internet-facing should run in a private subnet and reach the outside only through a NAT gateway, which permits outbound traffic for downloading software updates and security patches, or for reaching other AWS services such as SQS and SNS, without allowing connections initiated from the Internet (for services that offer VPC endpoints, an endpoint removes the need for Internet egress altogether).
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
By provisioning EC2 instances within a private subnet (a logically isolated section of the VPC whose route table has no route to an Internet Gateway), you prevent these instances from receiving inbound traffic initiated from the Internet and therefore gain a stronger guarantee that malicious requests cannot reach your backend instances directly. Note that what makes a subnet "public" is purely its routing: a subnet is public when its effective route table (the explicitly associated one, or the VPC main route table otherwise) has a default route to an Internet Gateway. Security groups and the absence of a public or Elastic IP also limit exposure, but subnet placement is the layer that holds even if those are later misconfigured.
Note: For this rule Cloud Conformity assumes that your EC2 instances are running within a VPC that has both public and private subnets.
To determine if your backend EC2 instances are running within AWS VPC public subnets, perform the following:
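As an added example, not part of the original page or Conformity's own audit code, the following Python performs the same check programmatically. It classifies each subnet by its effective route table (explicit association, otherwise the VPC main table) and flags backend instances that sit in a subnet with a default route to an Internet Gateway. The input dictionaries are constructed to mirror the shape of boto3's `describe_route_tables()` and `describe_instances()` responses; the `Role` tag values used to identify backend instances are an assumed tagging convention, not something the page prescribes.

```python
"""Audit: find backend EC2 instances that live in public subnets.

Constructed sample data below mimics boto3 ec2.describe_route_tables()["RouteTables"]
and ec2.describe_instances()["Reservations"]; swap in real API output to audit an account.
"""

# Assumed tagging convention: instances tagged Role=<one of these> are "backend".
BACKEND_ROLES = {"database", "api", "cache"}


def effective_route_table(subnet_id, vpc_id, route_tables):
    """Route table that governs a subnet: the explicitly associated one,
    otherwise the VPC's main route table (None if the VPC is unknown)."""
    main = None
    for rtb in route_tables:
        if rtb["VpcId"] != vpc_id:
            continue
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def routes_to_igw(rtb):
    """True if the table has an active default route (IPv4 or IPv6) to an
    Internet Gateway. NAT gateways (nat-*) and egress-only gateways (eigw-*)
    only carry outbound traffic, so they do not make a subnet public."""
    for route in rtb.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gateway = str(route.get("GatewayId", ""))
        if dest in ("0.0.0.0/0", "::/0") and gateway.startswith("igw-") \
                and route.get("State", "active") == "active":
            return True
    return False


def is_public_subnet(subnet_id, vpc_id, route_tables):
    rtb = effective_route_table(subnet_id, vpc_id, route_tables)
    return rtb is not None and routes_to_igw(rtb)


def audit(reservations, route_tables, backend_roles=BACKEND_ROLES):
    """Return IDs of non-terminated backend instances placed in a public subnet."""
    findings = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get("Role") not in backend_roles:
                continue  # Internet-facing tiers (e.g. web) are out of scope
            if is_public_subnet(inst["SubnetId"], inst["VpcId"], route_tables):
                findings.append(inst["InstanceId"])
    return findings


# --- constructed sample data (shape of boto3 responses, values invented) ---
SAMPLE_ROUTE_TABLES = [
    {   # main table: default route via NAT gateway -> subnets using it are private
        "RouteTableId": "rtb-0main", "VpcId": "vpc-0123",
        "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa", "State": "active"},
        ],
    },
    {   # explicitly associated with subnet-0pub: default route via IGW -> public
        "RouteTableId": "rtb-0pub", "VpcId": "vpc-0123",
        "Associations": [{"Main": False, "SubnetId": "subnet-0pub", "RouteTableId": "rtb-0pub"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "active"},
        ],
    },
]

SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0web", "VpcId": "vpc-0123", "SubnetId": "subnet-0pub",
     "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.10",
     "Tags": [{"Key": "Role", "Value": "web"}]},
    {"InstanceId": "i-0db", "VpcId": "vpc-0123", "SubnetId": "subnet-0pub",
     "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.11",
     "Tags": [{"Key": "Role", "Value": "database"}]},     # the violation
    {"InstanceId": "i-0cache", "VpcId": "vpc-0123", "SubnetId": "subnet-0priv",
     "State": {"Name": "running"},                          # no explicit rtb -> main -> private
     "Tags": [{"Key": "Role", "Value": "cache"}]},
]}]

if __name__ == "__main__":
    for instance_id in audit(SAMPLE_RESERVATIONS, SAMPLE_ROUTE_TABLES):
        print(f"NON-COMPLIANT: backend instance {instance_id} is in a public subnet")
```

Against a real account, replace the two `SAMPLE_*` lists with `boto3.client("ec2").describe_route_tables()["RouteTables"]` and the paginated `describe_instances()["Reservations"]`; the classification logic does not change. The check deliberately ignores whether an instance currently holds a public IP, because the rule is about subnet placement, and an instance in a public subnet gains exposure the moment a public or Elastic IP is attached to it.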
Remediation / Resolution
To move your backend EC2 instances from public subnets to private subnets, you must re-launch them in the private subnets, since an existing instance cannot be moved to another subnet in place: create an AMI from the running instance, launch a new instance from that AMI into a private subnet, verify it, and then terminate the original. To migrate the instance(s), perform the following:
- AWS Documentation
- Amazon EC2 FAQs
- Scenario 2: VPC with Public and Private Subnets (NAT)
- Creating an Amazon EBS-Backed Linux AMI
- Launching an Instance
- Instance Lifecycle
- Terminate Your Instance
EC2 Instance Not In Public Subnet
Risk level: High