An EC2 instance that utilising a public IP address directly connects the instance to the internet leading to a vastly diminished security posture compared to available architectures utilising Application Firewalls and Load Balancers.
The default and common setup for an EC2 Instance in AWS is to provision the isntance within a public subnet. A public subnet is a section of the network that has direct access to an internet gateway, allowing a publicly assigned IP address to route traffic directly to the virtual server without any translation of packets from public to private address space.
This setup presents four key issues:
A public IP address is a uniquely identifiable address on the internet, meaning any traffic directed to this IP should be delivered to a single, specific destination. Having this IP address resolve directly to a single server ties a unique public address on the internet to a single identifiable server granting persistence of identity over the time period that the IP address is assigned.
This allows any internet-connected device to persistently recognize and communicate with that machine directly. This also makes the machine easier to research and directly target, such as reverse DNS research that can identify an owning entity, sister organisations and further information based on the long lived IP address.
Additionally, long lived IP addresses can persist identity within logs including in TCP/IP network layer packets. TLS encryption does not encrypt IP addresses as part of network traffic, hence a persistent IP address will identify the communication endpoint should an IP address persistently resolve to a single entity.
As in other spheres of security, it is advisable to retain control of identifying characteristics. Having unique IP addresses over a long period of time can create a uniquely identifying characteristic that can persist outside of your control.
When a machine is accessed publicly, all network traffic is delivered directly to the server. This requires the server to manage all communications alongside some basic firewall functionality provided by cloud provider tooling such as AWS Security Groups which attach to the Network Interface.
Without the ability to segregate traffic management into dedicated tooling such as Web Application Firewalls or Load Balancers, complex attacks that imitate legitimate traffic become the server’s responsibility to defend against. In operational terms, any server directly exposed to the internet needs direct management by security professionals to replicate the functionality provided by these tools. This is a significant burden and in almost all cases results in reduced security.
Additionally, this security burden can conflict with the server’s primary function, which is to run specific business software. The server’s purpose is to serve the business, not to defend against attacks. Should a server be provisioned with security tooling it will have a maintenance and computational cost to run which will compete with the desired business software.
Another practical consideration is that whislt business software is inherently valuable, most business software is not built to the security standards of endpoint management software. The core goal of business software is to generate value, not to be entirely secure, so it should be expected that any business software is unsuitable for direct internet exposure.
We advise that traffic should be passed through dedicated endpoint software and infrastructure to allow server software to focus on uptime, maintenance, deployments, and maximising return on investment.
EC2 Instances are not long lived and require periodic maintenance or upgrades, necessitating full server replacements. When a server is tied to a unique IP address, alterations to the server also initiate alterations to the hosting or relevancy of the public IP address.
A better approach for both separating concerns and managing traffic is to disconnect the destination IP address from a single server and instead utilise endpoint infrastructure which can dynamically update and failover as part of routine maintenance. This nullifies the responsibility and actions for managing IP addresses directly
Network security is the frontline of defense — if a resource cannot be accessed, it eliminates its external attack surface. This concept forms a robust foundation, commonly used in highly secure physical networks, such as those in financial and military systems. The architectural pattern for this is known as air gapping, where a system cannot be connected to unless there is a physical presence to connect to it ensuring physical security as a layer to virtual security.
While air gapping isn’t possible in cloud environments, you can achieve a similar setup by removing the ability for your servers to be directly connected to from the internet. By eliminating direct connectivity, you can control, monitor, and gatekeep the specific routes and paths through which traffic reaches your servers.
This approach forces all traffic to go through controlled entry points, allowing you to better manage security by actively monitoring and reacting to potential threats.
The goal is to remove the machine from operating with a public IP address. Resolution therefore depends on the machine’s current operation.
If you’re a SkySiege customer you will have received remediation steps for common resolutions as part of your test report. If your situation requires further analysis then contact your signing engineer who will be happy to architect a bespoke solution for you. The name and contact details for your signing engineer will be on the last page of your report.
SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.
Fixing this exposure depends on the current traffic usage of the instance and how critical that traffic is to business objectives. Whilst IP addresses can be removed from instances, it is unlikely that the current subnet networking is suitable for secure communications. Therefore, as part of any detection, we would analyse the following:
We would not recommend major changes to business critical services without considering, evaluating and ideally testing the above concerns. Scenarios like this usually benefit from experienced technicians who can provide quick and thorough fixes. This is a common service that we provide and we’d be more than happy to help you navigate the best route to a more secure solution: