
AWS-EC2-2

Instances in Public Subnets

Risk: High
CWE: 653

Instances in public subnets without a route to a NAT require an Elastic IP to communicate externally, which exposes them directly to internet traffic. This is a diminished security posture compared with what the available cloud tools and services (private subnets and NAT) provide.

Details

In AWS, a public subnet is a subnet whose associated route table has a route to an Internet Gateway (IGW). Ignoring split routing tables that make use of both a Network Address Translator (NAT) and an IGW, any instance within a public subnet requires a public IP address to reach internet addresses. Unlike instances behind a NAT gateway, instances in a public subnet are directly exposed via a uniquely addressable IP address on the open internet. Running instances in public subnets therefore forces servers to use public IP addresses for internet connectivity, which also makes each instance uniquely identifiable on the internet.
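As an added illustration of the check described above (example code, not SkySiege's scanner), the following Python resolves each subnet to its effective route table, including the fallback to the VPC's main route table for subnets with no explicit association, and flags the instances in any subnet whose default route points at an Internet Gateway. It runs offline over constructed dicts in the shape of the EC2 DescribeRouteTables, DescribeSubnets and DescribeInstances responses; every ID and address in the sample data is made up. The finding records whether the instance has a public IP address, which is the distinction the Remediation section uses to judge how easily an instance can be migrated.

```python
"""Offline model of the AWS-EC2-2 check: EC2 instances in public subnets.

Added example, not SkySiege's code. Field names follow the EC2 API; the
sample IDs are constructed so the script runs without AWS credentials.
"""
from typing import Dict, List, Optional, Set

DEFAULT_ROUTES = ("0.0.0.0/0", "::/0")


def route_table_is_public(route_table: dict) -> bool:
    """True when an IPv4 or IPv6 default route targets an Internet Gateway.

    This is the page's definition of a public subnet. Routes in the
    'blackhole' state (gateway detached from the VPC) are not counted.
    """
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_ROUTES or route.get("State") == "blackhole":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def public_subnet_ids(route_tables: List[dict], subnets: List[dict]) -> Set[str]:
    """Map each subnet to its effective route table and return the public ones.

    A subnet with no explicit association inherits the VPC's main route
    table; if that table routes to an IGW, every such subnet is public.
    """
    explicit: Dict[str, dict] = {}
    main_by_vpc: Dict[str, dict] = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_by_vpc[rt["VpcId"]] = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt

    public: Set[str] = set()
    for subnet in subnets:
        rt: Optional[dict] = explicit.get(subnet["SubnetId"]) or main_by_vpc.get(subnet["VpcId"])
        if rt is not None and route_table_is_public(rt):
            public.add(subnet["SubnetId"])
    return public


def findings(route_tables: List[dict], subnets: List[dict], instances: List[dict]) -> List[dict]:
    """One finding per instance whose subnet is public, with its public IP (if any)."""
    public = public_subnet_ids(route_tables, subnets)
    return [
        {"InstanceId": i["InstanceId"], "SubnetId": i["SubnetId"],
         "PublicIpAddress": i.get("PublicIpAddress")}
        for i in instances if i["SubnetId"] in public
    ]


# Constructed sample data in DescribeRouteTables / DescribeSubnets / DescribeInstances shape.
SAMPLE_ROUTE_TABLES = [
    {   # main table of the VPC: default route to an IGW, so un-associated subnets are public
        "RouteTableId": "rtb-0main", "VpcId": "vpc-0example",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}],
    },
    {   # private table: default route via a NAT gateway
        "RouteTableId": "rtb-0priv", "VpcId": "vpc-0example",
        "Associations": [{"SubnetId": "subnet-0priv"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}],
    },
    {   # stale IGW route left after the gateway was detached: blackhole, not public
        "RouteTableId": "rtb-0stale", "VpcId": "vpc-0example",
        "Associations": [{"SubnetId": "subnet-0stale"}],
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0gone", "State": "blackhole"}],
    },
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0pub", "VpcId": "vpc-0example"},    # no explicit association -> main table
    {"SubnetId": "subnet-0priv", "VpcId": "vpc-0example"},
    {"SubnetId": "subnet-0stale", "VpcId": "vpc-0example"},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "SubnetId": "subnet-0pub", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-0bbb", "SubnetId": "subnet-0pub"},     # public subnet but no public IP
    {"InstanceId": "i-0ccc", "SubnetId": "subnet-0priv"},
    {"InstanceId": "i-0ddd", "SubnetId": "subnet-0stale"},
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS, SAMPLE_INSTANCES):
        print(finding)
```

Two details matter in practice: the main-route-table fallback is where most accidentally public subnets come from, and a route table that also carries more specific routes to a NAT is still treated as public here, matching the page's decision to ignore split routing tables.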

As such, running EC2 instances with a public IP address carries all the security concerns described in AWS-EC2-1 - Instance With Public IP Address. Instances running in public subnets without a public IP address cannot connect to the internet at all, which makes hosting them in a public subnet redundant.

If the intention is to prevent these instances from being directly accessible over the internet, running them in a private subnet provides a better security posture. Private subnets remove the possibility of network access directly to and from the internet, thereby preventing the accidental or malicious provisioning of a public IP address and network access.

In public subnets, a public IP address can be attached to an instance without stopping it. This allows an instance to be connected to directly, potentially compromised, and then detached from the public address again without interrupting its computation.

Running instances that should not have direct internet connectivity in a private subnet provides an additional layer of network security, ensuring they are not directly exposed to the internet and reducing the risk of unauthorised access.

Remediation

SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.

Fixing this exposure depends on the instance's current traffic and how critical that traffic is to business objectives. Whilst running instances in public subnets usually implies the use of a public IP address, instances that do not use a public IP address are more likely to be migrated without incident.

For instances using a public IP address please refer to our documentation for test AWS-EC2-1.

As always when migrating instances serving active traffic, we recommend utilising experienced technicians to evaluate and deploy the best solution whilst minimising negative impacts. We regularly encounter this issue and have a large runbook of advice, guidance and tools that can be critical in achieving a safe migration. Contact our architecture services for more:

Architectural Guidance
