
Lightsail instances should have IPv6 networking disabled if not in use

Every enabled network protocol expands the attack surface. Dualstack gives a Lightsail instance a publicly routable IPv6 address even when the workload never uses it, adding an ingress path that firewall rules and logging may not fully cover.

Many monitoring tools and WAF configurations still treat IPv6 as secondary. If your firewall rules have gaps on the IPv6 side, those gaps are real, and you won't catch them in IPv4-focused log analysis. Disabling IPv6 when it serves no operational purpose removes an entire address family from incident response scope and eliminates a class of access-control mistakes before they can happen.

Retrofit consideration

Changing ip_address_type from dualstack to ipv4 on a running Lightsail instance removes the IPv6 address immediately, which will break any clients or DNS records that depend on the AAAA record. Before applying the change, delete or update the instance's AAAA records, wait out their TTL, and confirm from the instance's firewall or access logs that remaining traffic arrives over IPv4, so no client is still reaching the address that is about to disappear.

Implementation

Choose the approach that matches how you manage Terraform.

Use the AWS provider resource directly. See the provider documentation for the resource involved: aws_lightsail_instance.

resource "aws_lightsail_instance" "this" {
  availability_zone = local.availability_zone # e.g. "us-east-1a", defined elsewhere in your configuration
  blueprint_id      = "amazon_linux_2"
  bundle_id         = "nano_3_0"
  name              = "pofix-abc123"

  # Explicit IPv4-only networking. Omitting this argument, or setting "dualstack",
  # assigns a publicly routable IPv6 address alongside the IPv4 one.
  ip_address_type = "ipv4"
}

What this control checks

The control checks that aws_lightsail_instance has ip_address_type set to "ipv4". Omitting the argument or setting it to "dualstack" causes the instance to receive both IPv4 and IPv6 addresses, and the control fails. Set ip_address_type = "ipv4" on every aws_lightsail_instance resource to pass. There is no separate IPv6 toggle; ip_address_type is the only attribute that controls this.

Common pitfalls

  • Do not rely on implicit ip_address_type defaults

    Omitting ip_address_type from aws_lightsail_instance means Terraform sends no value and the Lightsail CreateInstances API applies its own default, which is dualstack. The instance then receives an IPv6 address and the control fails. Set it explicitly every time.

  • Static IP does not disable IPv6

    Attaching aws_lightsail_static_ip_attachment gives the instance a persistent IPv4 address but leaves ip_address_type unchanged. If dualstack was active before the attachment, the instance still has an IPv6 address.

  • Lightsail load balancers have separate IPv6 settings

    aws_lightsail_lb has its own ip_address_type argument, independent of the instance-level setting. Disabling IPv6 on the instance does nothing for the load balancer, so if your goal is to eliminate IPv6 entirely, set ip_address_type on aws_lightsail_lb separately and review it in the same audit.

Audit evidence

Auditors will ask for an instance inventory showing ip_address_type for each resource in scope. aws lightsail get-instances returns each instance's ipAddressType field together with its ipv6Addresses list; every instance should read ipv4 with an empty ipv6Addresses list. Lightsail console screenshots of the Networking tab, confirming no IPv6 address is assigned, provide corroborating visual evidence.
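The inventory check above, automated as an added example (my code, not part of this control page or of the Compliance.tf and Powerpipe tooling). It reads the JSON that aws lightsail get-instances and aws lightsail get-load-balancers emit, flags any resource whose ipAddressType is not ipv4 or that still carries an ipv6Addresses entry, and covers the load-balancer pitfall from the previous section in the same pass. The field names follow the Lightsail API; the sample responses are constructed, and the script and function names are this example's own.

```python
"""Added example: evaluate Lightsail instances and load balancers against the
IPv4-only control using the JSON from the AWS CLI.

Usage (real data):
    aws lightsail get-instances      --output json > instances.json
    aws lightsail get-load-balancers --output json > lbs.json
    python3 lightsail_ipv6_audit.py instances.json lbs.json

With no arguments the constructed SAMPLE_* responses below are evaluated.
Field names (instances, loadBalancers, ipAddressType, ipv6Addresses,
isStaticIp, nextPageToken) follow the Lightsail API; everything else here
(file name, function names) is an assumption of this example.
"""
import json
import sys

REQUIRED_TYPE = "ipv4"


def evaluate_instances(response):
    """One finding per instance. Compliant only if ipAddressType is ipv4 AND no
    IPv6 address is actually assigned. A static IP attachment (isStaticIp) is
    recorded but does not affect the verdict: it never removes IPv6."""
    findings = []
    for inst in response.get("instances", []):
        ip_type = inst.get("ipAddressType")
        ipv6 = inst.get("ipv6Addresses") or []
        findings.append({
            "kind": "instance",
            "name": inst.get("name"),
            "ipAddressType": ip_type,
            "ipv6Addresses": ipv6,
            "staticIp": bool(inst.get("isStaticIp")),
            "compliant": ip_type == REQUIRED_TYPE and not ipv6,
        })
    return findings


def evaluate_load_balancers(response):
    """Load balancers carry their own ipAddressType, independent of instances."""
    findings = []
    for lb in response.get("loadBalancers", []):
        ip_type = lb.get("ipAddressType")
        findings.append({
            "kind": "load-balancer",
            "name": lb.get("name"),
            "ipAddressType": ip_type,
            "compliant": ip_type == REQUIRED_TYPE,
        })
    return findings


def noncompliant_names(findings):
    return [f["name"] for f in findings if not f["compliant"]]


def truncated(response):
    """True when the response is only one page: the caller must fetch the rest
    (pageToken=nextPageToken) or the inventory handed to an auditor is incomplete."""
    return bool(response.get("nextPageToken"))


# Constructed sample responses, shaped like the real API output.
SAMPLE_INSTANCES = {
    "instances": [
        {"name": "web-1", "ipAddressType": "ipv4", "publicIpAddress": "203.0.113.10",
         "ipv6Addresses": [], "isStaticIp": True},
        # Static IP attached but still dualstack: the pitfall described in the text.
        {"name": "web-2", "ipAddressType": "dualstack", "publicIpAddress": "203.0.113.11",
         "ipv6Addresses": ["2001:db8::11"], "isStaticIp": True},
        {"name": "batch-1", "ipAddressType": "dualstack", "publicIpAddress": "203.0.113.12",
         "ipv6Addresses": ["2001:db8::12"], "isStaticIp": False},
    ]
}
SAMPLE_LOAD_BALANCERS = {
    "loadBalancers": [
        {"name": "web-lb", "ipAddressType": "dualstack"},
    ]
}


def main(argv):
    if len(argv) >= 3:
        with open(argv[1]) as f:
            instances = json.load(f)
        with open(argv[2]) as f:
            lbs = json.load(f)
    else:
        instances, lbs = SAMPLE_INSTANCES, SAMPLE_LOAD_BALANCERS
    for resp in (instances, lbs):
        if truncated(resp):
            print("WARNING: response carries nextPageToken; inventory is incomplete",
                  file=sys.stderr)
    findings = evaluate_instances(instances) + evaluate_load_balancers(lbs)
    for f in findings:
        status = "PASS" if f["compliant"] else "FAIL"
        extra = " ipv6=" + ",".join(f["ipv6Addresses"]) if f.get("ipv6Addresses") else ""
        print(f"{status} {f['kind']:<13} {f['name']:<10} ipAddressType={f['ipAddressType']}{extra}")
    return 1 if noncompliant_names(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The verdict deliberately requires both conditions, ipAddressType equal to ipv4 and an empty ipv6Addresses list, so a value of ipv6 (IPv6-only, which the API also accepts) or any lingering address is reported as a failure rather than silently passing. A non-zero exit status makes the script usable as a periodic check in a pipeline, and the nextPageToken warning stops a single page of results from being mistaken for the full inventory.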

If you have a custom AWS Config rule evaluating Lightsail IP address types, the per-instance compliance evaluation history gives a timestamped trail for periodic review.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: lightsail_instance_ipv6_networking_disabled

  • Powerpipe Control: aws_compliance.control.lightsail_instance_ipv6_networking_disabled

Last reviewed: 2026-03-09