Enabling public network access to cloud resources can affect an organization’s ability to protect its data or internal operations from data theft or disruption.
Depending on the component, inbound access from the Internet can be enabled via:
Deciding to allow public access may happen for various reasons such as for quick maintenance, time saving, or by accident.
This decision increases the likelihood of attacks on the organization, such as:
This cloud resource:
There is a risk if you answered no to any of those questions.
Avoid publishing cloud services on the Internet unless they are intended to be publicly accessible, such as customer portals or e-commerce sites.
Use private networks (and associated private IP addresses) and VPC peering or other secure communication tunnels to communicate with other cloud components.
The goal is to prevent the component from intercepting traffic coming in via the public IP address. If the cloud resource does not support the absence of a public IP address, assign a public IP address to it, but do not create listeners for the public IP address.
DMS and EC2 instances have a public IP address assigned to them:
DMSInstance:
Type: AWS::DMS::ReplicationInstance
Properties:
PubliclyAccessible: true # sensitive, by default it's also set to true
EC2Instance:
Type: AWS::EC2::Instance
Properties:
NetworkInterfaces:
- AssociatePublicIpAddress: true # sensitive, by default it's also set to true
DeviceIndex: "0"
DMS and EC2 instances doesn’t have a public IP address:
DMSInstance:
Type: AWS::DMS::ReplicationInstance
Properties:
PubliclyAccessible: false
EC2Instance:
Type: AWS::EC2::Instance
Properties:
NetworkInterfaces:
- AssociatePublicIpAddress: false
DeviceIndex: "0"