Certified Security - Specialty


Can an IAM Policy deny ability to add a public IP to an EC2 resource?

Hi folks, studying for the AWS Security Specialty and have come across some unfounded assertion I want to better understand.

You use an IAM Policy to deny/block the adding of a public IP on an EC2 resource.

Source: A Cloud Guru’s Exam Simulator Question (flagged me as wrong for NOT selecting this as an option).


ACG Source Question

You are working on a strictly confidential project and your CISO has mandated you must make sure that none of the EC2 instances (used for your project) have a public IP address. You have been told you are responsible for enforcing this and project funding will be withdrawn if the team does not comply. How can you enforce this? (Choose 3)


[A] Run a manual check on each EC2 instance and remove any public IP

[B] Use Trusted Advisor to trigger a Lambda function to remove any public IP

[C] Use IAM policies to deny your administrators the ability to add a public IP address

[D] Use Athena to query CloudTrail logs and generate a report of any public IP addresses that have been created

[E] Use AWS Config to monitor for compliance

[F] Use CloudTrail to trigger a Lambda function to remove any public IP addresses

[G] Use CloudWatch Events to trigger a Lambda function to remove any public IP addresses

1 Answers

Looks like this is the relevant doc – https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html. I don’t see anything that could be used to control a public IP.

There’s an "AllocateAddress" action for assigning an Elastic IP, but that’s only one way to get a public IP. There’s an action for AssignPrivateIPAddresses, but no corresponding one for public IPs. I don’t see anything in the conditions that looks for a public IP. You could use conditions to only allow an EC2 to be created in a known private subnet, but that doesn’t seem to be a good answer.

It would be interesting to see how this is done. If it isn’t possible, AWS should definitely add it.

Thomas Gregory

Thanks Brian, I’m with your analysis on this. I believe the Exam simulator is therefore incorrect in stating this is a correct answer.

Guanglei Dai

What if one uses ec2:AssociatePublicIpAddress ("Filters access by whether the user wants to associate a public IP address with the instance", Bool)? If such condition is true, deny createInstance.
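Added example, not part of the thread and not taken from the exam simulator: an identity policy sketch that uses the ec2:AssociatePublicIpAddress condition key from the last comment on the launch call, and denies the Elastic IP route discussed in the answer. The Sid values are made up for illustration, and including ec2:AssociateAddress next to AllocateAddress is an assumption added here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLaunchWithPublicIp",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "Bool": {
          "ec2:AssociatePublicIpAddress": "true"
        }
      }
    },
    {
      "Sid": "DenyElasticIpUse",
      "Effect": "Deny",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress"
      ],
      "Resource": "*"
    }
  ]
}
```

The first statement matches launches that explicitly request a public IP on the network interface. Test in your own account how it behaves when the subnet's auto-assign public IP setting supplies the address instead, since the thread's point about private subnets still applies there.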
