Ensure EC2 Backend Instances are Not Provisioned in Public Subnets


Amazon Elastic Compute Cloud (EC2) provides scalable computing capacity in the AWS cloud. Backend EC2 instances, which typically handle application logic, data processing, or storage tasks, should not be exposed directly to the internet for security reasons. Deploying such instances in public subnets increases their vulnerability to external threats. To ensure maximum security, backend EC2 instances should be deployed within private subnets of a Virtual Private Cloud (VPC).


1. Identify EC2 Instances in Public Subnets:

AWS Management Console:
  • Navigate to the EC2 Dashboard.
  • In the navigation pane, choose Instances.
  • For each EC2 instance, review its VPC and associated subnets.
  • In the VPC Dashboard, under Subnets, verify if the associated subnets have a route pointing to an Internet Gateway (IGW). Subnets with such a route are public subnets.

2. Migrate EC2 Instances to Private Subnets:

If a backend EC2 instance is identified within a public subnet:

  • Create or identify a private subnet within your VPC.
  • Stop the EC2 instance.
  • Modify the EC2 instance's subnet association to the private subnet.
  • Start the EC2 instance.
AWS Management Console:
  • Within the EC2 Dashboard, select the identified EC2 instance.
  • Under Actions, navigate to Networking and then Change Subnet.
  • Select the desired private subnet and confirm the change.

3. Implement Network Security Measures:

  • Ensure the security group associated with the EC2 instance allows only necessary traffic, preferably from known and trusted IP addresses or CIDR blocks.
  • Use Network Access Control Lists (NACLs) at the subnet level as an additional layer of security to control inbound and outbound traffic.

4. Regular Monitoring:

  • Periodically review EC2 instances and their associated subnets to ensure none are exposed to the public.
  • Consider setting up alerts using Amazon CloudWatch or AWS Config to notify you if a backend EC2 instance is launched in a public subnet.


Backend EC2 instances should always be deployed in private subnets to ensure they are not directly accessible from the internet. Adhere to the principle of least privilege by granting only the necessary access. By regularly monitoring the environment and having alert mechanisms in place, you can ensure adherence to security best practices and maintain a secure AWS infrastructure.