Compliance · Low severity

AWS Security Hub · EC2

EC2.172: VPC Block Public Access is not enabled

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EC2.172 check?

EC2.172 fails an account where VPC Block Public Access (BPA) is off (mode off) in a region that holds workloads. BPA is a per-region, account-level switch above every VPC that blocks Internet Gateway traffic regardless of route tables, NACLs, or security groups; the control assumes a deny-by-default posture with explicit exclusions.

Why does EC2.172 matter?

BPA is the network-layer equivalent of S3 Block Public Access — one coarse switch that overrides every per-VPC misconfiguration at once. In a regulated environment where most VPCs should never touch the public internet, leaving it off means a single bad route table or over-broad security group can expose a workload, with nothing above the VPC catching it.

How do I fix EC2.172?

  1. Inventory every IGW in the target region and trace which workloads depend on it using describe-internet-gateways and a week of flow logs.
  2. Enable block-ingress first to stop inbound internet connections while preserving outbound, then move to block-bidirectional once verified.
  3. Add per-VPC or per-subnet exclusions sparingly for the egress VPC and anything that legitimately needs an IGW, tagging each with an owner and justification.
  4. Layer an SCP denying ec2:ModifyVpcBlockPublicAccessOptions and ec2:DeleteVpcBlockPublicAccessExclusion so the control cannot be silently disabled.

Remediation script · bash

```bash
# Close the highest-impact public exposure first: databases.
# Lists every RDS instance flagged PubliclyAccessible and turns the flag off;
# --apply-immediately applies the change now rather than in the next maintenance window.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
# 123456789012 is a placeholder account ID; substitute your own.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'
```

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is EC2.172 a false positive?

BPA does not cover VPC peering, Transit Gateway, or PrivateLink, and NAT Gateways still need an IGW to function — so fully blocking a NAT-using VPC kills internet for its private subnets too. The standard pattern is to centralise egress in one excluded VPC and route everything else through it.
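The four fix steps above and the egress-VPC pattern from this answer, carried through as one staged script. This is an added example, not Emnode's remediation script: it enables block-ingress first, registers an allow-egress exclusion for the central egress VPC so its NAT gateways keep working, only then moves to block-bidirectional, reads the resulting mode back, and prints the SCP body from step 4. It assumes the `aws ec2` subcommands mirror the API actions named on the page (modify-vpc-block-public-access-options, create-vpc-block-public-access-exclusion, describe-vpc-block-public-access-options), assumes `vpc-block-public-access-exclusion` as the tag resource type, and uses placeholder region, VPC and owner values. Setting `DRY_RUN=1` prints the command plan instead of calling AWS, which is how the rollout should be reviewed before it runs for real.

```shell
#!/bin/sh
# Added example for EC2.172 (not the page's own script). Staged VPC Block Public
# Access rollout with a dry-run mode, plus the SCP guard from step 4.
# Assumptions: aws ec2 subcommand names follow the API actions named on the page;
# the tag ResourceType "vpc-block-public-access-exclusion" is assumed; all IDs,
# regions and owners in the usage line are placeholders.
set -eu

# Run a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Map a region's IGW block mode to the Security Hub result: only "off" fails EC2.172.
bpa_evaluate() {
  case "$1" in
    off) printf 'FAILED\n' ;;
    block-ingress|block-bidirectional) printf 'PASSED\n' ;;
    *) printf 'UNKNOWN\n'; return 2 ;;
  esac
}

# Read the account-level mode for one region (used to verify each stage).
bpa_current_mode() {
  run aws ec2 describe-vpc-block-public-access-options --region "$1" \
    --query 'VpcBlockPublicAccessOptions.InternetGatewayBlockMode' --output text
}

# Evaluate a region the way the control does.
bpa_check() {
  bpa_evaluate "$(bpa_current_mode "$1")"
}

# Set the region's IGW block mode; refuse anything the API does not define.
bpa_set_mode() {
  case "$2" in
    off|block-ingress|block-bidirectional) ;;
    *) printf 'bpa_set_mode: unknown mode %s\n' "$2" >&2; return 2 ;;
  esac
  run aws ec2 modify-vpc-block-public-access-options --region "$1" \
    --internet-gateway-block-mode "$2"
}

# Exclude one VPC, tagged with owner and justification (step 3). allow-egress keeps
# outbound via the IGW working (what the NAT gateways in the egress VPC need) while
# inbound stays blocked; allow-bidirectional is the full exception for workloads
# that genuinely are internet-facing.
bpa_exclude_vpc() {
  region=$1; vpc=$2; mode=$3; owner=$4; why=$5
  case "$mode" in
    allow-egress|allow-bidirectional) ;;
    *) printf 'bpa_exclude_vpc: unknown exclusion mode %s\n' "$mode" >&2; return 2 ;;
  esac
  run aws ec2 create-vpc-block-public-access-exclusion --region "$region" \
    --vpc-id "$vpc" --internet-gateway-exclusion-mode "$mode" \
    --tag-specifications "ResourceType=vpc-block-public-access-exclusion,Tags=[{Key=Owner,Value=$owner},{Key=Justification,Value=$why}]"
}

# Steps 2-3 in order: ingress-only first (outbound keeps working, nothing to exclude
# yet), then the egress-VPC exclusion, then bidirectional, then read the mode back.
bpa_staged_rollout() {
  region=$1; egress_vpc=$2; owner=$3
  bpa_set_mode "$region" block-ingress
  bpa_exclude_vpc "$region" "$egress_vpc" allow-egress "$owner" central-egress-nat
  bpa_set_mode "$region" block-bidirectional
  bpa_current_mode "$region"
}

# Step 4: SCP body denying the two actions that would silently undo the control.
bpa_guard_scp() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ProtectVpcBlockPublicAccess",
    "Effect": "Deny",
    "Action": [
      "ec2:ModifyVpcBlockPublicAccessOptions",
      "ec2:DeleteVpcBlockPublicAccessExclusion"
    ],
    "Resource": "*"
  }]
}
EOF
}

# Usage (placeholders): DRY_RUN=1 sh bpa.sh eu-west-1 vpc-0123456789abcdef0 netops
if [ $# -eq 3 ]; then
  bpa_staged_rollout "$1" "$2" "$3"
  bpa_guard_scp
fi
```

Run it once with `DRY_RUN=1` and diff the printed plan against the IGW inventory from step 1; the exclusion must be created before the switch to block-bidirectional or the NAT path in the egress VPC goes dark at that moment. The SCP is printed rather than attached because policy attachment belongs in the organisation's management account, not in a per-region remediation script.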
