How can you configure EC2 instances to build a stronger perimeter? By ensuring that EC2 instances are not directly connected to the Internet. You can deploy EC2 instances in two ways: on an internal network or assigning them a public IP address. For security purposes, you want to ensure that when possible, your EC2 instances live on an internal network and you do not allow direct Internet access to them. In this demo, AWS expert Mike Wise will teach you how to identify if an EC2 instance has been provisioned to an external network and if it is directly connected to the Internet. 

For a visual guide on how to identify if EC2 instances are directly connected to the Internet, watch the full demo.

Hello everyone! Welcome to today’s demo. Today, we’re going to talk about EC2 instance security. One of the cornerstone tenets of information security is going to be that of a strong perimeter. You want to limit the systems and services that have direct access to the Internet. There’s this idea of a demilitarized zone where you have an untrusted network and you have a trusted network; you only want to have specifically authorized systems that are going to be interfacing with that untrusted network. 

When it comes to EC2 instances, you can deploy EC2 instances in a couple of ways. You can deploy them on an internal network or you can assign them a direct public IP. This public IP will allow direct Internet access into the EC2 instance. When you’re architecting your network for security best practices, you want to make sure that you’re not giving those EC2 instances those public IPs and that those EC2 instances are living on an internal network. How can you identify if an EC2 instance that’s provisioned is on that external network and has the ability to be directly accessed from the Internet? You can do this through the EC2 Management Console. What we’re going to do today is walk through how you can identify if a particular EC2 instance has a public IP address that will allow direct Internet access to that instance. 

When you log in to your AWS Management Console, you’re going to click on the “EC2” tab under “Compute.” This will take you to the EC2 Management Console. Then you’re going to click on “Instances (running)” and, in this particular case, we have one running EC2 instance. You’re going to select the checkbox, and this is going to bring up the details for the instance. As you can see right here, it lists “Public IPv4 Address.” What this means is that this EC2 instance has a public address directly assigned to the instance. This means that it can be directly accessed from the Internet. There could potentially be things like security group rules or something else that’s preventing this EC2 instance from directly accessing the Internet, but it does have the ability to if the security group rules are appropriately configured. This provides an additional attack surface for this instance because it’s not behind something like a gateway. You can see here that it gives you the details of the IP address that’s going to be used to access it and that you can use to directly access the Internet. Best practices say not to put your EC2 instances on public IP addresses. Instead, have them on internal addresses, then use a gateway to proxy traffic into your environment. So, you would use something like an ALB to proxy web traffic into your environment. Also, AWS has released something called Systems Manager which means that you no longer have to have SSH access directly accessible from the Internet. You can go through Sessions Manager which allows you to access the instance through the AWS Management Console for administrative functions. The ending of this is that, when possible, you’re not assigning those public IP addresses to EC2 instances and that you’re restricting the attack surface to only the demilitarized zone or public gateways.