Enabling public network access to cloud resources can affect an organization’s ability to protect its data or internal operations from data theft or disruption.

Why is this an issue?

Cloud resources that are exposed to the public Internet are reachable by any user worldwide. Inbound access from the Internet can be enabled in several ways: a property that explicitly allows access to the public network, the assignment of a public IP address, or firewall rules that include public IP ranges.

Public access is often enabled to make maintenance quicker, to save time, or simply by accident. Whatever the reason, it significantly increases the attack surface of the resource and of the organization that hosts it.

What is the potential impact?

A cloud resource that is publicly reachable is a direct target for attackers anywhere on the Internet. The most likely consequences are data breaches, intrusions that can be used to permanently compromise the infrastructure, and exposure to various forms of malicious traffic such as DDoS attacks.

How to fix it

Code examples

The following code configures a cloud resource so that it is reachable from the public Internet, exposing it to unsolicited inbound traffic.

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  DMSInstance:
    Type: AWS::DMS::ReplicationInstance
    Properties:
      PubliclyAccessible: true # Noncompliant

  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      NetworkInterfaces:
        - AssociatePublicIpAddress: true # Noncompliant
          DeviceIndex: "0"

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  DMSInstance:
    Type: AWS::DMS::ReplicationInstance
    Properties:
      PubliclyAccessible: false

  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeviceIndex: "0"
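The two properties above are the simplest way a template grants public reachability, but the "Why is this an issue?" section also mentions firewall rules that include public IP ranges. The following script, an added example that is not part of the original rule page, walks a CloudFormation template in its JSON form (JSON templates avoid the YAML intrinsic-function tags such as !Ref, so only the standard library is needed) and reports every PubliclyAccessible or AssociatePublicIpAddress flag set to true, plus every security-group ingress rule whose CIDR covers the whole Internet (0.0.0.0/0 or ::/0). The template it scans is constructed for the example; the function and variable names are the example's own.

```python
"""Scan a CloudFormation JSON template for public-exposure settings.

Added example, not part of the original rule page.  It reports the two
properties the rule shows (PubliclyAccessible, AssociatePublicIpAddress)
and world-open security-group ingress rules.  SAMPLE_TEMPLATE is constructed.
"""
import ipaddress
import json

# Properties that, when true, give a resource a public endpoint or public IP.
PUBLIC_FLAGS = {"PubliclyAccessible", "AssociatePublicIpAddress"}
# Resource types whose ingress rules are inspected for world-open CIDRs.
INGRESS_TYPES = {"AWS::EC2::SecurityGroup", "AWS::EC2::SecurityGroupIngress"}


def is_world_open(cidr):
    """True when the CIDR admits every address of its family (0.0.0.0/0, ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _is_true(value):
    # CloudFormation accepts both the boolean and the quoted string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def _walk(node, path, findings):
    """Recursively collect public-access flags set to true anywhere under `node`."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in PUBLIC_FLAGS and _is_true(value):
                findings.append(f"{path}.{key} is true")
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def _check_ingress(logical_id, rtype, props, findings):
    """Flag ingress rules whose IPv4 or IPv6 CIDR is the whole Internet."""
    inline = rtype == "AWS::EC2::SecurityGroup"
    rules = props.get("SecurityGroupIngress", []) if inline else [props]
    for i, rule in enumerate(rules):
        where = f"{logical_id}.SecurityGroupIngress[{i}]" if inline else logical_id
        for field in ("CidrIp", "CidrIpv6"):
            cidr = rule.get(field)
            if isinstance(cidr, str) and is_world_open(cidr):
                findings.append(f"{where}.{field} {cidr} allows inbound traffic from any address")


def find_public_exposure(template_text):
    """Return a sorted list of findings (one string each) for a JSON template."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}
        _walk(props, logical_id, findings)
        if rtype in INGRESS_TYPES:
            _check_ingress(logical_id, rtype, props, findings)
    return sorted(findings)


# Constructed template: the two noncompliant resources from the rule, a
# compliant RDS instance, and a security group mixing open and internal rules.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DMSInstance": {"Type": "AWS::DMS::ReplicationInstance",
                        "Properties": {"PubliclyAccessible": True}},
        "EC2Instance": {"Type": "AWS::EC2::Instance",
                        "Properties": {"NetworkInterfaces": [
                            {"AssociatePublicIpAddress": True, "DeviceIndex": "0"}]}},
        "Database": {"Type": "AWS::RDS::DBInstance",
                     "Properties": {"PubliclyAccessible": False}},
        "WebSG": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"SecurityGroupIngress": [
                      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
                      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": "::/0"}]}},
    },
})

if __name__ == "__main__":
    for finding in find_public_exposure(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the constructed template it reports the DMS flag, the EC2 network interface flag and the two world-open ingress rules, while the RDS instance with PubliclyAccessible set to false and the 10.0.0.0/8 rule pass. For YAML templates the same logic applies once the file is loaded with a YAML loader that tolerates the intrinsic-function tags; that loader is not included here. A check like this belongs in the pipeline that validates templates before deployment, so that a flag flipped for "quick maintenance" is caught before the resource ever receives a public address.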
