EC2 Public Instance Exposed Through Subnet

  • Query id: c44c95fc-ae92-4bb8-bdf8-bb9bc412004a
  • Query name: EC2 Public Instance Exposed Through Subnet
  • Platform: CloudFormation
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  myVPC_1:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: false
      EnableDnsHostnames: false
      InstanceTenancy: dedicated
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref myVPC_1
  myRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref myVPC_1
  myRoute:
      Type: AWS::EC2::Route
      DependsOn: VPCGatewayAttachment
      Properties:
        RouteTableId: !Ref myRouteTable
        DestinationCidrBlock: 0.0.0.0/0
        DestinationIpv6CidrBlock: ::/0
        GatewayId: !Ref InternetGateway
  mySubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref myVPC_1
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
  mySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref mySubnet
      RouteTableId: !Ref myRouteTable
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0ff8a91507f77f867
      KeyName: !Ref Keyname
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: "0"
          SubnetId: !Ref mySubnet
Positive test num. 2 - json file
{
  "Resources": {
    "mySubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": "us-east-1a",
        "VpcId": "myVPC_1",
        "CidrBlock": "10.0.0.0/24"
      }
    },
    "mySubnetRouteTableAssociation": {
      "Properties": {
        "SubnetId": "mySubnet",
        "RouteTableId": "myRouteTable"
      },
      "Type": "AWS::EC2::SubnetRouteTableAssociation"
    },
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0ff8a91507f77f867",
        "KeyName": "Keyname",
        "NetworkInterfaces": [
          {
            "SubnetId": "mySubnet",
            "AssociatePublicIpAddress": true,
            "DeviceIndex": "0"
          }
        ]
      }
    },
    "myVPC_1": {
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "dedicated"
      },
      "Type": "AWS::EC2::VPC"
    },
    "InternetGateway": {
      "Type": "AWS::EC2::InternetGateway"
    },
    "VPCGatewayAttachment": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "InternetGatewayId": "InternetGateway",
        "VpcId": "myVPC_1"
      }
    },
    "myRouteTable": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": "myVPC_1"
      }
    },
    "myRoute": {
      "Type": "AWS::EC2::Route",
      "DependsOn": "VPCGatewayAttachment",
      "Properties": {
        "RouteTableId": "myRouteTable",
        "DestinationCidrBlock": "0.0.0.0/0",
        "DestinationIpv6CidrBlock": "::/0",
        "GatewayId": "InternetGateway"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  myVPC_1:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: false
      EnableDnsHostnames: false
      InstanceTenancy: dedicated
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref myVPC_1
  myRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref myVPC_1
  myRoute:
      Type: AWS::EC2::Route
      DependsOn: VPCGatewayAttachment
      Properties:
        RouteTableId: !Ref myRouteTable
        DestinationCidrBlock: 0.0.0.0/0
        DestinationIpv6CidrBlock: ::/0
        GatewayId: !Ref InternetGateway
  mySubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref myVPC_1
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
  mySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref mySubnet
      RouteTableId: !Ref myRouteTable
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0ff8a91507f77f867
      KeyName: !Ref Keyname
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeviceIndex: "0"
          SubnetId: !Ref mySubnet
Negative test num. 2 - yaml file
Resources:
  myVPC_3:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: false
      EnableDnsHostnames: false
      InstanceTenancy: dedicated
  InternetGateway_2:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment_2:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway_2
      VpcId: !Ref myVPC_3
  myRouteTable_2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref myVPC_3
  mySubnet_2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref myVPC_3
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
  mySubnetRouteTableAssociation_2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref mySubnet_2
      RouteTableId: !Ref myRouteTable_2
  Ec2Instance_2:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0ff8a91507f77f867
      KeyName: !Ref Keyname
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: "0"
          SubnetId: !Ref mySubnet_2
Negative test num. 3 - json file
{
  "Resources": {
    "mySubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": "myVPC_1",
        "CidrBlock": "10.0.0.0/24",
        "AvailabilityZone": "us-east-1a"
      }
    },
    "mySubnetRouteTableAssociation": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": "myRouteTable",
        "SubnetId": "mySubnet"
      }
    },
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0ff8a91507f77f867",
        "KeyName": "Keyname",
        "NetworkInterfaces": [
          {
            "DeviceIndex": "0",
            "SubnetId": "mySubnet",
            "AssociatePublicIpAddress": false
          }
        ]
      }
    },
    "myVPC_1": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "dedicated"
      }
    },
    "InternetGateway": {
      "Type": "AWS::EC2::InternetGateway"
    },
    "VPCGatewayAttachment": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "InternetGatewayId": "InternetGateway",
        "VpcId": "myVPC_1"
      }
    },
    "myRouteTable": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": "myVPC_1"
      }
    },
    "myRoute": {
      "Type": "AWS::EC2::Route",
      "DependsOn": "VPCGatewayAttachment",
      "Properties": {
        "GatewayId": "InternetGateway",
        "RouteTableId": "myRouteTable",
        "DestinationCidrBlock": "0.0.0.0/0",
        "DestinationIpv6CidrBlock": "::/0"
      }
    }
  }
}

Negative test num. 4 - json file
{
  "Resources": {
    "myVPC_3": {
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "dedicated"
      },
      "Type": "AWS::EC2::VPC"
    },
    "InternetGateway_2": {
      "Type": "AWS::EC2::InternetGateway"
    },
    "VPCGatewayAttachment_2": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": "myVPC_3",
        "InternetGatewayId": "InternetGateway_2"
      }
    },
    "myRouteTable_2": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": "myVPC_3"
      }
    },
    "mySubnet_2": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": "myVPC_3",
        "CidrBlock": "10.0.0.0/24",
        "AvailabilityZone": "us-east-1a"
      }
    },
    "mySubnetRouteTableAssociation_2": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": "mySubnet_2",
        "RouteTableId": "myRouteTable_2"
      }
    },
    "Ec2Instance_2": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "NetworkInterfaces": [
          {
            "AssociatePublicIpAddress": true,
            "DeviceIndex": "0",
            "SubnetId": "mySubnet_2"
          }
        ],
        "ImageId": "ami-0ff8a91507f77f867",
        "KeyName": "Keyname"
      }
    }
  }
}