AWS resources that are launched into a VPC, such as EC2 or DMS instances, can have private and public IP addresses. A public IP address allows
the corresponding instance to send and receive Internet traffic through the Internet Gateway, therefore exposing it to potentially malicious traffic
such as DDoS attacks.
Ask Yourself Whether
The instance launched in the VPC:
- doesn’t need to communicate with the Internet.
- is not a public service.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to avoid exposing instances on the Internet by assigning them a public IP address, unless the instance is running a service
designed to be publicly accessible, such as a customer portal or an e-commerce website. To communicate with instances in another VPC, consider using VPC peering.
Noncompliant Code Example
DMS and EC2 instances have a public IP address assigned to them:
PubliclyAccessible: true # sensitive, by default it's also set to true (AWS::DMS::ReplicationInstance property)
- AssociatePublicIpAddress: true # sensitive, by default it's also set to true (AWS::EC2::Instance NetworkInterfaces entry)
Compliant Solution
DMS and EC2 instances don’t have a public IP address:
- AssociatePublicIpAddress: false # compliant (AWS::EC2::Instance NetworkInterfaces entry)
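Because the defaults for both properties are true, omitting them does not make an instance private, so a template check has to flag the missing property as well as an explicit true. The following is an added example written for this page, not SonarSource's rule implementation: a small, dependency-free scanner over a CloudFormation template in JSON form (the JSON equivalent of the YAML above) that reports every AWS::DMS::ReplicationInstance and AWS::EC2::Instance network interface that would receive a public IP address. The template, the AMI id and the instance classes are constructed sample values.

```python
import json

# Constructed sample CloudFormation template (JSON form) for this example only;
# "ami-PLACEHOLDER" and the instance classes are sample values, not real resources.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "PublicDms": {
      "Type": "AWS::DMS::ReplicationInstance",
      "Properties": {"ReplicationInstanceClass": "dms.t3.micro", "PubliclyAccessible": true}
    },
    "DefaultDms": {
      "Type": "AWS::DMS::ReplicationInstance",
      "Properties": {"ReplicationInstanceClass": "dms.t3.micro"}
    },
    "PrivateDms": {
      "Type": "AWS::DMS::ReplicationInstance",
      "Properties": {"ReplicationInstanceClass": "dms.t3.micro", "PubliclyAccessible": false}
    },
    "PublicEc2": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-PLACEHOLDER",
        "NetworkInterfaces": [{"DeviceIndex": "0", "AssociatePublicIpAddress": true}]
      }
    },
    "PrivateEc2": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-PLACEHOLDER",
        "NetworkInterfaces": [{"DeviceIndex": "0", "AssociatePublicIpAddress": false}]
      }
    }
  }
}
""")


def _is_true(value):
    """CloudFormation accepts real booleans as well as the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_public_instances(template):
    """Return (logical_id, reason) pairs for resources that would get a public IP.

    A missing property is reported too: as the rule text notes, the default for
    both properties is true, so omitting them does not make the instance private.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype == "AWS::DMS::ReplicationInstance":
            if "PubliclyAccessible" not in props:
                findings.append((logical_id, "PubliclyAccessible omitted, defaults to true"))
            elif _is_true(props["PubliclyAccessible"]):
                findings.append((logical_id, "PubliclyAccessible is true"))
        elif rtype == "AWS::EC2::Instance":
            # Each network interface entry carries its own AssociatePublicIpAddress flag.
            for index, iface in enumerate(props.get("NetworkInterfaces") or []):
                if "AssociatePublicIpAddress" not in iface:
                    findings.append((logical_id, f"NetworkInterfaces[{index}] omits AssociatePublicIpAddress, defaults to true"))
                elif _is_true(iface["AssociatePublicIpAddress"]):
                    findings.append((logical_id, f"NetworkInterfaces[{index}].AssociatePublicIpAddress is true"))
    return findings


def public_instance_ids(template):
    """Sorted logical ids of every flagged resource, for quick comparison in CI."""
    return sorted({logical_id for logical_id, _ in find_public_instances(template)})


if __name__ == "__main__":
    for logical_id, reason in find_public_instances(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Run against the sample, the scanner reports PublicDms and PublicEc2 for their explicit true values and DefaultDms for the omitted property, while PrivateDms and PrivateEc2 pass. One caveat: an EC2 instance declared without a NetworkInterfaces block inherits the public-IP-on-launch setting of its subnet, which this check does not inspect, so such instances should be reviewed together with the subnet definition.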