EC2 instances should not have a public IP association (IPv4)


Publicly accessible EC2 instances are reachable over the internet even if you have protections such as NACLs or security groups in place. If these protections are accidentally removed, your instances may be vulnerable to attack.

Console Remediation Steps

  • Navigate to EC2.

  • In the left navigation under Network & Security, select Elastic IPs.

  • Select the Elastic IP address to disassociate, select Actions, and Disassociate Elastic IP address.

  • Click Disassociate.

CLI Remediation Steps

  • Remove the public IP association (IPv4):

    • aws ec2 disassociate-address --public-ip <value>
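
An added example (not part of the original page): a Python script that audits saved `aws ec2 describe-instances` and `aws ec2 describe-addresses` output for instances with a public IPv4 association and builds the disassociate command from the CLI step for each Elastic IP. The sample JSON, instance IDs and function names are constructed for illustration; public addresses that are not Elastic IPs are reported without a command, because the step on this page applies to Elastic IPs.

```python
import json

# Constructed, trimmed `aws ec2 describe-instances` output (documentation IP ranges).
INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "NetworkInterfaces": [{"PrivateIpAddresses": [
    {"PrivateIpAddress": "10.0.1.10", "Association": {"PublicIp": "203.0.113.10"}}]}]},
  {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "NetworkInterfaces": [{"PrivateIpAddresses": [
    {"PrivateIpAddress": "10.0.1.20", "Association": {"PublicIp": "198.51.100.20"}}]}]},
  {"InstanceId": "i-0ccccccccccccccc3", "NetworkInterfaces": [{"PrivateIpAddresses": [
    {"PrivateIpAddress": "10.0.2.30"}]}]}
]}]}
""")

# Constructed, trimmed `aws ec2 describe-addresses` output:
# one associated Elastic IP and one that is allocated but unassociated.
ADDRESSES = json.loads("""
{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0example1",
   "AssociationId": "eipassoc-0example1", "InstanceId": "i-0aaaaaaaaaaaaaaa1"},
  {"PublicIp": "203.0.113.99", "AllocationId": "eipalloc-0example2"}
]}
""")


def public_ips(instances):
    """Yield (instance_id, public_ip) for every IPv4 association on every interface."""
    for reservation in instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for eni in inst.get("NetworkInterfaces", []):
                for addr in eni.get("PrivateIpAddresses", []):
                    ip = addr.get("Association", {}).get("PublicIp")
                    if ip:
                        yield inst["InstanceId"], ip


def plan(instances, addresses):
    """Return one finding per public IPv4 association, with a command for Elastic IPs."""
    elastic = {a["PublicIp"] for a in addresses.get("Addresses", [])
               if a.get("AssociationId")}
    findings = []
    for instance_id, ip in public_ips(instances):
        is_eip = ip in elastic
        # Only Elastic IPs get the page's disassociate-address command.
        command = f"aws ec2 disassociate-address --public-ip {ip}" if is_eip else None
        findings.append({"instance": instance_id, "public_ip": ip,
                         "elastic": is_eip, "command": command})
    return findings
```

Findings with `command` set to `None` are public addresses that are not Elastic IPs and need separate handling.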