AWS resources that are launched into a VPC, such as EC2 or DMS instances, can have both a private and a public IP address. A public IP address allows the instance to send and receive Internet traffic through the Internet Gateway, which exposes it to malicious traffic such as port scans, brute-force attempts and DDoS attacks.
The instance launched in the VPC:
There is a risk if you answered yes to any of those questions.
It is recommended not to expose instances to the Internet by assigning them a public IP address, unless the instance runs a service that is designed to be publicly reachable, such as a customer portal or an e-commerce website. Instances that only need to talk to other AWS resources should stay private: to communicate with instances in another VPC, use VPC peering; to reach the Internet from a private subnet, place a NAT gateway in front of it rather than giving each instance its own public address.
DMS and EC2 instances have a public IP address assigned to them:

resource "aws_instance" "noncompliantec2" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI ID
  instance_type = "t3.micro"
  associate_public_ip_address = true # Sensitive: when omitted, the subnet's map_public_ip_on_launch setting decides
}

resource "aws_dms_replication_instance" "noncompliantdms" {
  replication_instance_id    = "noncompliant-dms"
  replication_instance_class = "dms.t3.medium"
  publicly_accessible = true # Sensitive: the replication instance gets a public IP address
}
DMS and EC2 instances do not have a public IP address:

resource "aws_instance" "compliantec2" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI ID
  instance_type = "t3.micro"
  associate_public_ip_address = false # explicit, so the subnet default cannot make it public
}

resource "aws_dms_replication_instance" "compliantdms" {
  replication_instance_id    = "compliant-dms"
  replication_instance_class = "dms.t3.medium"
  publicly_accessible = false
}
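The attributes above can be checked before anything is deployed by inspecting the plan that `terraform show -json tfplan` produces. The following script is an added example written for this page, not part of the original rule or of Terraform: it walks `planned_values`, flags `aws_instance` resources with `associate_public_ip_address = true`, `aws_dms_replication_instance` resources with `publicly_accessible = true` and, going one step beyond the rule text, `aws_subnet` resources with `map_public_ip_on_launch = true`, which would make every instance that leaves `associate_public_ip_address` unset public by inheritance; such unset instances are reported for review. The plan document embedded below is constructed to exercise these cases.

```python
"""Offline policy check over a `terraform show -json` plan document.

Example code added to this page; the plan below is constructed, not a real plan.
"""
import json
import sys

# Resource type -> attribute whose `true` value requests a public IP address.
PUBLIC_IP_ATTRIBUTES = {
    "aws_instance": "associate_public_ip_address",
    "aws_dms_replication_instance": "publicly_accessible",
    # A subnet with this flag hands a public IP to every instance that does not
    # set associate_public_ip_address explicitly.
    "aws_subnet": "map_public_ip_on_launch",
}


def iter_resources(module):
    """Yield planned resources from a module and all of its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan):
    """Return (address, severity, detail) tuples for resources that are or may be public."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        attr = PUBLIC_IP_ATTRIBUTES.get(res["type"])
        if attr is None:
            continue
        value = res.get("values", {}).get(attr)
        if value is True:
            findings.append((res["address"], "sensitive", f"{attr} = true"))
        elif value is None and res["type"] == "aws_instance":
            # Unset (or unknown until apply): AWS falls back to the subnet setting,
            # so the reviewer must confirm the subnet is not map_public_ip_on_launch.
            findings.append((res["address"], "review", f"{attr} unset, inherits from subnet"))
    return findings


def _ec2(name, public):
    values = {"instance_type": "t3.micro"}
    if public is not None:
        values["associate_public_ip_address"] = public
    return {"address": f"aws_instance.{name}", "type": "aws_instance", "name": name, "values": values}


# Constructed plan: two EC2 instances from the rule text, one that leaves the
# attribute unset, two DMS instances and a subnet that makes its instances public.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                _ec2("noncompliantec2", True),
                _ec2("compliantec2", False),
                _ec2("inherited", None),
                {"address": "aws_dms_replication_instance.noncompliantdms",
                 "type": "aws_dms_replication_instance", "name": "noncompliantdms",
                 "values": {"publicly_accessible": True}},
                {"address": "aws_dms_replication_instance.compliantdms",
                 "type": "aws_dms_replication_instance", "name": "compliantdms",
                 "values": {"publicly_accessible": False}},
            ],
            "child_modules": [
                {"address": "module.network", "resources": [
                    {"address": "module.network.aws_subnet.public", "type": "aws_subnet",
                     "name": "public", "values": {"map_public_ip_on_launch": True}},
                ]},
            ],
        }
    },
}


def main(argv):
    # Usage: python check_public_ip.py [plan.json]; without a file the sample plan is used.
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    for address, severity, detail in check_plan(plan):
        print(f"{severity:9} {address}: {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python check_public_ip.py plan.json`. Findings marked `review` are not violations by themselves; they are the instances whose exposure depends on the subnet, which is exactly why the compliant example sets `associate_public_ip_address = false` explicitly instead of relying on the default.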