Amazon EC2 instances should not have a public IPv4 address

Description

This check determines whether an EC2 instance has a public IPv4 address and is therefore reachable from the internet.

A public IPv4 address is reachable from the internet, while a private IPv4 address is not accessible from the internet. Private IPv4 addresses can be utilized for communication within the same VPC or connected private network.

IPv6 addresses are globally unique and reachable from the internet, although, by default, subnets have the IPv6 addressing attribute set to false. For further details on IPv6, refer to IP addressing in your VPC in the Amazon VPC User Guide.

If public accessibility for an EC2 instance is intentional, you have the option to suppress the findings from this validation.

Remediation

Use a non-default (custom) VPC configuration so that your instances are not automatically assigned public IP addresses.

When launching an EC2 instance in the default VPC, it is automatically assigned a public IP address. However, instances launched in a non-default VPC have their public IP address assignment determined by the subnet configuration. The subnet’s settings dictate whether new EC2 instances within it receive a public IP address from the public IPv4 address pool.

It is not possible to manually attach or detach a public IP address that is automatically assigned to your EC2 instance. To manage the public IP address assignment for your EC2 instance:

For further guidance on public IPv4 addresses and external DNS hostnames, consult the Amazon EC2 User Guide for Linux Instances.

If your EC2 instance is associated with an Elastic IP address, it is reachable from the internet.
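The evaluation described above, written out as an added example (not part of this page or of any AWS tooling): it flags every instance that exposes a public IPv4 address, including an Elastic IP that only shows up on a network interface association, and lists the subnets whose auto-assign setting will hand new instances a public address. It operates on dicts shaped like the boto3 describe_instances and describe_subnets responses; the sample data, instance IDs and addresses are constructed.

```python
"""Check EC2 instances for public IPv4 exposure and find the subnets
that cause it. Works on boto3-shaped response data; samples are constructed."""

# Constructed sample in the shape of ec2.describe_instances()["Reservations"]
SAMPLE_RESERVATIONS = [
    {"Instances": [
        # auto-assigned public IPv4 from the subnet setting
        {"InstanceId": "i-0aaa", "SubnetId": "subnet-pub",
         "PublicIpAddress": "198.51.100.10",
         "NetworkInterfaces": [{"Association": {"PublicIp": "198.51.100.10"}}]},
        # private only
        {"InstanceId": "i-0bbb", "SubnetId": "subnet-priv",
         "NetworkInterfaces": [{}]},
        # Elastic IP on a secondary ENI: not reflected in the top-level field
        {"InstanceId": "i-0ccc", "SubnetId": "subnet-priv",
         "NetworkInterfaces": [{}, {"Association": {"PublicIp": "203.0.113.7"}}]},
    ]}
]
# Constructed sample in the shape of ec2.describe_subnets()["Subnets"]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-pub", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv", "MapPublicIpOnLaunch": False},
]


def public_ips(instance):
    """Return every public IPv4 address on the instance: the auto-assigned
    address plus any Elastic IP associated with an attached interface."""
    ips = set()
    if instance.get("PublicIpAddress"):
        ips.add(instance["PublicIpAddress"])
    for eni in instance.get("NetworkInterfaces", []):
        ip = eni.get("Association", {}).get("PublicIp")
        if ip:
            ips.add(ip)
    return sorted(ips)


def evaluate(reservations, subnets):
    """FAIL any instance with a public IPv4 address; also return the subnets
    that auto-assign public IPs, which is the root cause to remediate."""
    findings = {}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            ips = public_ips(inst)
            findings[inst["InstanceId"]] = ("FAIL", ips) if ips else ("PASS", [])
    auto_assign = sorted(s["SubnetId"] for s in subnets if s.get("MapPublicIpOnLaunch"))
    return findings, auto_assign


if __name__ == "__main__":
    results, risky_subnets = evaluate(SAMPLE_RESERVATIONS, SAMPLE_SUBNETS)
    for instance_id, (status, ips) in results.items():
        print(f"{instance_id}: {status} {ips}")
    print("subnets that auto-assign public IPv4:", risky_subnets)
```

Against a real account, pass `ec2.describe_instances()["Reservations"]` and `ec2.describe_subnets()["Subnets"]` from a boto3 EC2 client in place of the samples.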
