Hi folks, studying for the AWS Security Specialty and have come across some unfounded assertion I want to better understand.
You use an IAM Policy to deny/block the adding of a public IP on an EC2 resource.
Source: A Cloud Guru’s Exam Simulator Question (flagged me as wrong for NOT selecting this as an option).
ACG Source Question
You are working on a strictly confidential project and your CISO has mandated you must make sure that none of the EC2 instances (used for your project) have a public IP address. You have been told you are responsible for enforcing this and project funding will be withdrawn if the team does not comply. How can you enforce this? (Choose 3)
[A] Run a manual check on each EC2 instance and remove any public IP
[B] Use Trusted Advisor to trigger a Lambda function to remove any public IP
[C] Use IAM policies to deny your administrators the ability to add a public IP address
[D] Use Athena to query CloudTrail logs and generate a report of any public IP addresses that have been created
[E] Use AWS Config to monitor for compliance
[F] Use CloudTrail to trigger a Lambda function to remove any public IP addresses
[G] Use CloudWatch Events to trigger a Lambda function to remove any public IP addresses
Looks like this is the relevant doc – https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html. I don’t see anything that could be used to control a public IP.
There’s an "AllocateAddress" action for assigning an Elastic IP, but that’s only one way to get a public IP. There’s an action for AssignPrivateIPAddresses, but no corresponding one for public IPs. I don’t see anything in the conditions that looks for a public IP. You could use conditions to only allow an EC2 to be created in a known private subnet, but that doesn’t seem to be a good answer.
It would be interesting to see how this is done. If it isn’t possible, AWS should definitely add it.
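As an added example (not from either poster), here is one way the IAM control behind option [C] can be written: AWS documents a Boolean condition key `ec2:AssociatePublicIpAddress` for `ec2:RunInstances` on the network-interface resource, and the policy below pairs it with denies on the Elastic IP actions and on `ec2:ModifySubnetAttribute` so a subnet's auto-assign default cannot be flipped. The small `is_denied` evaluator is a simplified illustration of explicit-deny matching, not the real IAM engine, and the account and ENI ids in the test are constructed.

```python
import fnmatch
import json

# Deny-only policy covering the usual routes to a public IPv4 address.
# Attach it to the project's roles (or use it as an SCP at the OU level).
NO_PUBLIC_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLaunchWithPublicIp",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            # The condition key is evaluated on the network-interface
            # resource created at launch, not on the instance resource.
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {"Bool": {"ec2:AssociatePublicIpAddress": "true"}},
        },
        {
            "Sid": "DenyElasticIpAndSubnetDefaultChanges",
            "Effect": "Deny",
            "Action": [
                "ec2:AllocateAddress",       # Elastic IP allocation
                "ec2:AssociateAddress",      # Elastic IP attachment
                "ec2:ModifySubnetAttribute",  # MapPublicIpOnLaunch toggle
            ],
            "Resource": "*",
        },
    ],
}


def policy_json() -> str:
    """Return the policy as a JSON document ready to paste into IAM."""
    return json.dumps(NO_PUBLIC_IP_POLICY, indent=2)


def is_denied(action: str, resource: str, context: dict) -> bool:
    """Simplified IAM check: does any Deny statement match this request?"""
    for stmt in NO_PUBLIC_IP_POLICY["Statement"]:
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        # A Bool condition matches only when the key is present with that
        # value; a request lacking the key is not caught by this statement.
        if all(str(context.get(k, "")).lower() == v for k, v in bool_cond.items()):
            return True
    return False
```

Use AWS Config's managed rule `ec2-instance-no-public-ip` alongside this as the detective control (option [E]) for instances that already exist.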