EC2 Public Instance Exposed Through Subnet
- Query id: c44c95fc-ae92-4bb8-bdf8-bb9bc412004a
- Query name: EC2 Public Instance Exposed Through Subnet
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
myVPC_1:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: dedicated
InternetGateway:
Type: AWS::EC2::InternetGateway
VPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref myVPC_1
myRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref myVPC_1
myRoute:
Type: AWS::EC2::Route
DependsOn: VPCGatewayAttachment
Properties:
RouteTableId: !Ref myRouteTable
DestinationCidrBlock: 0.0.0.0/0
DestinationIpv6CidrBlock: ::/0
GatewayId: !Ref InternetGateway
mySubnet:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref myVPC_1
CidrBlock: 10.0.0.0/24
AvailabilityZone: "us-east-1a"
mySubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref mySubnet
RouteTableId: !Ref myRouteTable
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-0ff8a91507f77f867
KeyName: !Ref Keyname
NetworkInterfaces:
- AssociatePublicIpAddress: true
DeviceIndex: "0"
SubnetId: !Ref mySubnet
Positive test num. 2 - json file
{
"Resources": {
"mySubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": "us-east-1a",
"VpcId": "myVPC_1",
"CidrBlock": "10.0.0.0/24"
}
},
"mySubnetRouteTableAssociation": {
"Properties": {
"SubnetId": "mySubnet",
"RouteTableId": "myRouteTable"
},
"Type": "AWS::EC2::SubnetRouteTableAssociation"
},
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"KeyName": "Keyname",
"NetworkInterfaces": [
{
"SubnetId": "mySubnet",
"AssociatePublicIpAddress": true,
"DeviceIndex": "0"
}
]
}
},
"myVPC_1": {
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "dedicated"
},
"Type": "AWS::EC2::VPC"
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": "InternetGateway",
"VpcId": "myVPC_1"
}
},
"myRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": "myVPC_1"
}
},
"myRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "VPCGatewayAttachment",
"Properties": {
"RouteTableId": "myRouteTable",
"DestinationCidrBlock": "0.0.0.0/0",
"DestinationIpv6CidrBlock": "::/0",
"GatewayId": "InternetGateway"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
myVPC_1:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: dedicated
InternetGateway:
Type: AWS::EC2::InternetGateway
VPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref myVPC_1
myRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref myVPC_1
myRoute:
Type: AWS::EC2::Route
DependsOn: VPCGatewayAttachment
Properties:
RouteTableId: !Ref myRouteTable
DestinationCidrBlock: 0.0.0.0/0
DestinationIpv6CidrBlock: ::/0
GatewayId: !Ref InternetGateway
mySubnet:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref myVPC_1
CidrBlock: 10.0.0.0/24
AvailabilityZone: "us-east-1a"
mySubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref mySubnet
RouteTableId: !Ref myRouteTable
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-0ff8a91507f77f867
KeyName: !Ref Keyname
NetworkInterfaces:
- AssociatePublicIpAddress: false
DeviceIndex: "0"
SubnetId: !Ref mySubnet
Negative test num. 2 - yaml file
Resources:
myVPC_3:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: dedicated
InternetGateway_2:
Type: AWS::EC2::InternetGateway
VPCGatewayAttachment_2:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway_2
VpcId: !Ref myVPC_3
myRouteTable_2:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref myVPC_3
mySubnet_2:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref myVPC_3
CidrBlock: 10.0.0.0/24
AvailabilityZone: "us-east-1a"
mySubnetRouteTableAssociation_2:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref mySubnet_2
RouteTableId: !Ref myRouteTable_2
Ec2Instance_2:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-0ff8a91507f77f867
KeyName: !Ref Keyname
NetworkInterfaces:
- AssociatePublicIpAddress: true
DeviceIndex: "0"
SubnetId: !Ref mySubnet_2
Negative test num. 3 - json file
{
"Resources": {
"mySubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": "myVPC_1",
"CidrBlock": "10.0.0.0/24",
"AvailabilityZone": "us-east-1a"
}
},
"mySubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": "myRouteTable",
"SubnetId": "mySubnet"
}
},
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"KeyName": "Keyname",
"NetworkInterfaces": [
{
"DeviceIndex": "0",
"SubnetId": "mySubnet",
"AssociatePublicIpAddress": false
}
]
}
},
"myVPC_1": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "dedicated"
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": "InternetGateway",
"VpcId": "myVPC_1"
}
},
"myRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": "myVPC_1"
}
},
"myRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "VPCGatewayAttachment",
"Properties": {
"GatewayId": "InternetGateway",
"RouteTableId": "myRouteTable",
"DestinationCidrBlock": "0.0.0.0/0",
"DestinationIpv6CidrBlock": "::/0"
}
}
}
}
Negative test num. 4 - json file
{
"Resources": {
"myVPC_3": {
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "dedicated"
},
"Type": "AWS::EC2::VPC"
},
"InternetGateway_2": {
"Type": "AWS::EC2::InternetGateway"
},
"VPCGatewayAttachment_2": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": "myVPC_3",
"InternetGatewayId": "InternetGateway_2"
}
},
"myRouteTable_2": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": "myVPC_3"
}
},
"mySubnet_2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": "myVPC_3",
"CidrBlock": "10.0.0.0/24",
"AvailabilityZone": "us-east-1a"
}
},
"mySubnetRouteTableAssociation_2": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": "mySubnet_2",
"RouteTableId": "myRouteTable_2"
}
},
"Ec2Instance_2": {
"Type": "AWS::EC2::Instance",
"Properties": {
"NetworkInterfaces": [
{
"AssociatePublicIpAddress": true,
"DeviceIndex": "0",
"SubnetId": "mySubnet_2"
}
],
"ImageId": "ami-0ff8a91507f77f867",
"KeyName": "Keyname"
}
}
}
}