EC2 Instance Has Public IP
- Query id: 5a2486aa-facf-477d-a5c1-b010789459ce
- Query name: EC2 Instance Has Public IP
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 200 (Exposure of Sensitive Information to an Unauthorized Actor)
- URL: Github
Description¶
EC2 instances should not be assigned a public IP address: a public address makes the instance directly reachable from the internet, leaving only its security group rules between it and an attacker. In Terraform, leaving `associate_public_ip_address` unset does not make an instance private — the instance inherits the subnet's `map_public_ip_on_launch` setting, which is why samples that omit the attribute are flagged alongside those that set it to `true`. Set it to `false` explicitly, or attach a network interface that lives in a private subnet. Note that `false` only controls the launch-time address; a later `aws_eip_association` can still give the instance a public IP, so expose services through a load balancer, NAT gateway, or bastion instead.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
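# Ubuntu 20.04 (Focal) AMI published by Canonical. The data source is named
# "ubuntu" because the instances in this sample reference data.aws_ami.ubuntu;
# the original name "ubuntu1" left that reference undeclared, so the sample
# would not pass `terraform validate`.
data "aws_ami" "ubuntu" {
  owners = ["099720109477"] # Canonical's AWS account ID

  # Pick the newest image that matches both filters below.
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}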
# Flagged: associate_public_ip_address is not set, so the instance inherits the
# subnet's map_public_ip_on_launch setting and receives a public IP in any
# public subnet. Nothing in this resource prevents that.
resource "aws_instance" "web2" {
  instance_type = "t3.micro"
  ami           = data.aws_ami.ubuntu.id

  tags = {
    Name = "HelloWorld"
  }
}
# Flagged: a public IP is requested explicitly, which exposes the instance to
# the internet directly (subject only to its security group rules).
resource "aws_instance" "web3" {
  instance_type               = "t3.micro"
  ami                         = data.aws_ami.ubuntu.id
  associate_public_ip_address = true

  tags = {
    Name = "HelloWorld"
  }
}
Positive test num. 2 - tf file
# Flagged: the module call never sets associate_public_ip_address, so the
# instance takes the subnet's default (map_public_ip_on_launch). The AMI,
# security group and subnet IDs are placeholders, not real resources.
module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 3.0"

  name          = "single-instance"
  ami           = "ami-ebd02392"
  instance_type = "t2.micro"
  key_name      = "user1"
  monitoring    = true

  subnet_id              = "subnet-eddcdzz4"
  vpc_security_group_ids = ["sg-12345678"]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
Positive test num. 3 - tf file
# Flagged: associate_public_ip_address = true asks for a public address at
# launch, exposing the instance directly to the internet. The AMI, security
# group and subnet IDs are placeholders.
module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 3.0"

  name          = "single-instance"
  ami           = "ami-ebd02392"
  instance_type = "t2.micro"
  key_name      = "user1"
  monitoring    = true

  subnet_id                   = "subnet-eddcdzz4"
  vpc_security_group_ids      = ["sg-12345678"]
  associate_public_ip_address = true

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Ubuntu 20.04 (Focal) AMI published by Canonical; referenced by the instance
# below as data.aws_ami.ubuntu.
data "aws_ami" "ubuntu" {
  owners = ["099720109477"] # Canonical's AWS account ID

  # Take the newest image matching both filters.
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}
# Passes: the public IP is disabled explicitly rather than left to the subnet
# default. This only covers the launch-time address; an Elastic IP could still
# be attached afterwards through a separate aws_eip_association.
resource "aws_instance" "web" {
  instance_type               = "t3.micro"
  ami                         = data.aws_ami.ubuntu.id
  associate_public_ip_address = false

  tags = {
    Name = "HelloWorld"
  }
}
Negative test num. 2 - tf file
# Passes: associate_public_ip_address is set to false explicitly, overriding
# whatever the subnet's map_public_ip_on_launch default is. The AMI, security
# group and subnet IDs are placeholders.
module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 3.0"

  name          = "single-instance"
  ami           = "ami-ebd02392"
  instance_type = "t2.micro"
  key_name      = "user1"
  monitoring    = true

  subnet_id                   = "subnet-eddcdzz4"
  vpc_security_group_ids      = ["sg-12345678"]
  associate_public_ip_address = false

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
Negative test num. 3 - tf file
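# Passes: the instance boots from a pre-built ENI instead of requesting a
# launch-time public IP. A module call accepts only arguments, not nested
# blocks, so the interface is passed through the module's network_interface
# list variable; the original nested network_interface { } block is rejected
# by Terraform as an unsupported block type inside a module call.
# NOTE(review): this is only private if var.private_subnet_id really is a
# private subnet and no Elastic IP is later associated with the ENI. The ENI
# already carries its own subnet and security groups, so subnet_id and
# vpc_security_group_ids below are redundant here; drop them if the provider
# reports a conflict with network_interface.
module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 3.0"

  name          = "single-instance"
  ami           = "ami-ebd02392"
  instance_type = "t2.micro"
  key_name      = "user1"
  monitoring    = true

  subnet_id              = "subnet-eddcdzz4"
  vpc_security_group_ids = ["sg-12345678"]

  # Attach the ENI defined below as the primary (device 0) interface.
  network_interface = [
    {
      device_index         = 0
      network_interface_id = aws_network_interface.this.id
    }
  ]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}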
# ENI the instance boots from. Its subnet decides whether a public address can
# ever be auto-assigned, so var.private_subnet_id (declared elsewhere, not
# shown here) must genuinely be a private subnet for this sample to stay
# private.
resource "aws_network_interface" "this" {
  security_groups = [aws_security_group.this.id]
  subnet_id       = var.private_subnet_id
}
# Placeholder security group for the ENI. No vpc_id is given, so the provider
# defaults to the region's default VPC; the ENI's subnet must be in that same
# VPC or the attachment fails. With no ingress/egress blocks the group ends up
# with no rules at all (Terraform also strips the AWS default allow-all egress
# rule when it manages rules inline).
resource "aws_security_group" "this" {
  description = "Example Security Group"
  name        = "example"
}