Ensure that Lightsail Instances Are Not Publicly Accessible
Overview
This check verifies that your Amazon Lightsail instances do not have publicly accessible ports that expose them to the internet. Lightsail is a simplified compute service, but instances with open ports and public IP addresses can be reached by anyone worldwide.
Risk
When a Lightsail instance has publicly accessible ports, it is exposed to several risks:
- Unauthorized access: Attackers can attempt to connect to exposed services (SSH, RDP, databases)
- Data theft: Sensitive information may be accessed through exposed interfaces
- Brute-force attacks: Login services become targets for credential-stuffing attacks
- Denial of service: Public instances can be overwhelmed with malicious traffic
- Compliance violations: Many frameworks require private network access for sensitive workloads
Remediation Steps
Prerequisites
You need access to the AWS Console with permissions to modify Lightsail instances. If you plan to remove public access, ensure you have an alternative way to connect (VPN, bastion host, or Lightsail browser-based SSH).
AWS Console Method
- Open the AWS Lightsail console
- Click Instances in the left navigation
- Select the instance you want to secure
- Click the Networking tab
- Under IPv4 Firewall, review the current rules
- Remove or restrict rules that allow access from 0.0.0.0/0 (anywhere):
  - Click the X next to each rule you want to remove
  - Or click Edit to restrict the source IP to a specific address or range
- Repeat for IPv6 Firewall if IPv6 rules are present
- Click Save to apply changes
Important: Before removing SSH (port 22) or RDP (port 3389) access, ensure you have another way to connect to your instance, such as:
- Lightsail's browser-based SSH/RDP (available in the console)
- A VPN connection to your network
- A bastion host with restricted access
AWS CLI (optional)
View Current Port Configuration
First, check which ports are currently open on your instance:
aws lightsail get-instance-port-states \
--instance-name my-instance \
--region us-east-1
Remove All Public Ports
To close all publicly accessible ports (use with caution):
aws lightsail put-instance-public-ports \
--instance-name my-instance \
--port-infos '[]' \
--region us-east-1
Warning: This removes ALL firewall rules. Your instance will not accept any inbound connections.
Restrict SSH to Specific IP
To allow SSH only from your IP address:
aws lightsail put-instance-public-ports \
--instance-name my-instance \
--port-infos '[{"fromPort":22,"toPort":22,"protocol":"tcp","cidrs":["203.0.113.50/32"]}]' \
--region us-east-1
Replace 203.0.113.50/32 with your actual IP address.
Allow Multiple Restricted Ports
To configure multiple ports with restricted access:
aws lightsail put-instance-public-ports \
--instance-name my-instance \
--port-infos '[
{"fromPort":22,"toPort":22,"protocol":"tcp","cidrs":["203.0.113.0/24"]},
{"fromPort":443,"toPort":443,"protocol":"tcp","cidrs":["0.0.0.0/0"]}
]' \
--region us-east-1
This example allows:
- SSH (port 22) only from the 203.0.113.0/24 network
- HTTPS (port 443) from anywhere (appropriate for web servers)
Alternative: Use a Static IP with VPN
For secure access without public exposure:
- Set up a VPN: Use AWS Client VPN or a third-party VPN solution
- Create a static IP: In Lightsail console, go to Networking > Create static IP
- Attach to instance: Associate the static IP with your instance
- Restrict firewall: Allow access only from your VPN's IP range
- Connect via VPN: Always connect through VPN before accessing the instance
This approach keeps your instance accessible only through the encrypted VPN tunnel.
Alternative: Use Lightsail Browser-Based SSH
Lightsail provides browser-based SSH and RDP clients that do not require public ports:
- Go to the Lightsail console
- Click on your instance
- Click Connect using SSH (or Connect using RDP for Windows)
- A browser window opens with terminal access
This method uses AWS's internal network, so you can remove public SSH/RDP ports while retaining console access.
Verification
After making changes, verify the configuration:
- Return to the instance's Networking tab in the Lightsail console
- Confirm that no rules allow access from 0.0.0.0/0 (unless intentionally required, such as HTTPS for a web server)
- Test that you can still access the instance through your allowed method
CLI Verification
Re-run the Prowler check:
prowler aws --checks lightsail_instance_public
Or verify port states directly:
aws lightsail get-instance-port-states \
--instance-name my-instance \
--region us-east-1
Review the output to confirm no ports have cidrs containing 0.0.0.0/0 (unless intentionally allowed).
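The following script is an added example (not part of this page or of Prowler itself) showing how a practitioner can automate that review: it parses the JSON that `aws lightsail get-instance-port-states` prints, flags every rule open to 0.0.0.0/0 or ::/0 on either address family, rates administrative ports (22, 3389) higher than web ports (80, 443), and builds the replacement rule set that `put-instance-public-ports --port-infos` expects, with world-open administrative rules narrowed to a CIDR you supply. The sample output embedded below is constructed for illustration and the port/CIDR values in it are not from a real instance; the field names (`portStates`, `fromPort`, `toPort`, `protocol`, `state`, `cidrs`, `ipv6Cidrs`, `cidrListAliases`) follow the shape of the CLI output.

```python
import json

# Ports the remediation text treats as administrative: world exposure is "high".
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Ports a public web server may legitimately expose to everyone (see Notes).
WEB_PORTS = {80: "HTTP", 443: "HTTPS"}
# Source ranges that mean "anyone on the internet", IPv4 and IPv6.
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape returned by
# `aws lightsail get-instance-port-states`; values are illustrative only.
SAMPLE_PORT_STATES = json.dumps({
    "portStates": [
        {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open",
         "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": [], "cidrListAliases": []},
        {"fromPort": 443, "toPort": 443, "protocol": "tcp", "state": "open",
         "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
        # IPv4 already restricted, but the IPv6 side is still open to the world.
        {"fromPort": 3389, "toPort": 3389, "protocol": "tcp", "state": "open",
         "cidrs": ["203.0.113.0/24"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
        {"fromPort": 5432, "toPort": 5432, "protocol": "tcp", "state": "open",
         "cidrs": ["10.0.0.0/8"], "ipv6Cidrs": [], "cidrListAliases": []},
    ]
})


def public_sources(rule):
    """Return the world-open CIDRs (IPv4 and IPv6) present in one firewall rule."""
    sources = rule.get("cidrs", []) + rule.get("ipv6Cidrs", [])
    return [c for c in sources if c in ANYWHERE]


def find_public_ports(port_states_json):
    """Scan get-instance-port-states output; one finding per rule that is open
    to the whole internet on either address family."""
    findings = []
    for rule in json.loads(port_states_json).get("portStates", []):
        if rule.get("state") != "open":
            continue
        sources = public_sources(rule)
        if not sources:
            continue
        lo, hi = rule["fromPort"], rule["toPort"]
        ports = range(lo, hi + 1)
        if any(p in ADMIN_PORTS for p in ports):
            severity = "high"        # SSH/RDP reachable from anywhere
        elif all(p in WEB_PORTS for p in ports):
            severity = "info"        # acceptable for a public web server
        else:
            severity = "medium"      # some other service exposed to the world
        findings.append({
            "port_range": str(lo) if lo == hi else f"{lo}-{hi}",
            "protocol": rule.get("protocol"),
            "public_sources": sources,
            "severity": severity,
        })
    return findings


def restrict_public_rules(port_states_json, admin_cidr):
    """Build the --port-infos list for put-instance-public-ports: web ports keep
    their world-open rules, every other world-open rule is narrowed to admin_cidr
    (world-open IPv6 entries are dropped because admin_cidr is IPv4), and rules
    that were already restricted are passed through unchanged. The read-only
    'state' field is removed since the put call does not accept it."""
    new_rules = []
    for rule in json.loads(port_states_json).get("portStates", []):
        if rule.get("state") != "open":
            continue
        ports = range(rule["fromPort"], rule["toPort"] + 1)
        cidrs = list(rule.get("cidrs", []))
        ipv6 = list(rule.get("ipv6Cidrs", []))
        if public_sources(rule) and not all(p in WEB_PORTS for p in ports):
            cidrs = [c for c in cidrs if c not in ANYWHERE] + [admin_cidr]
            ipv6 = [c for c in ipv6 if c not in ANYWHERE]
        new_rules.append({
            "fromPort": rule["fromPort"],
            "toPort": rule["toPort"],
            "protocol": rule["protocol"],
            "cidrs": cidrs,
            "ipv6Cidrs": ipv6,
            "cidrListAliases": list(rule.get("cidrListAliases", [])),
        })
    return new_rules


def remaining_findings(port_states_json, admin_cidr):
    """Dry run: re-scan the rule set restrict_public_rules() would submit."""
    states = [dict(r, state="open")
              for r in restrict_public_rules(port_states_json, admin_cidr)]
    return find_public_ports(json.dumps({"portStates": states}))


if __name__ == "__main__":
    for f in find_public_ports(SAMPLE_PORT_STATES):
        print(f"[{f['severity']}] {f['protocol']}/{f['port_range']} open to {f['public_sources']}")
    # This JSON is what you would pass to `--port-infos` after reviewing it.
    print(json.dumps(restrict_public_rules(SAMPLE_PORT_STATES, "203.0.113.50/32")))
```

Feed it real data with `aws lightsail get-instance-port-states --instance-name my-instance --region us-east-1 | python3 check_ports.py` after replacing `SAMPLE_PORT_STATES` with `sys.stdin.read()`; the script name is a placeholder. Because `put-instance-public-ports` replaces the whole rule set, review the generated list before submitting it, and note that a rule open to `::/0` is reported even when its IPv4 side is already locked down.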
Additional Resources
- Lightsail Instance Firewall Documentation
- Lightsail CLI Reference
- Connect to Your Instance Using Browser-Based SSH
- Prowler Check Documentation
Notes
- Web servers: If your instance hosts a public website, you may need to keep ports 80 (HTTP) and 443 (HTTPS) open to 0.0.0.0/0. This is acceptable, but administrative ports (SSH, RDP) should still be restricted.
- Stateless firewall: Lightsail firewalls are stateless for some protocols. Ensure you understand the behavior for your specific use case.
- IPv6: Remember to review both IPv4 and IPv6 firewall rules. Many checks focus on IPv4, but IPv6 rules can also expose your instance.
- Detaching public IP: If your instance does not need to be reachable from the internet at all, you can detach its public IP address entirely in the Networking tab.