lacework-global-385

Amazon Elastic Compute Cloud (EC2) instances launched using Auto Scaling group launch configurations should not have Public IP addresses (Automated)

Description

Amazon EC2 instances in an Auto Scaling group launch configuration should not have an associated public IP address. Amazon EC2 instances should only be accessible from behind a load balancer instead of being directly exposed to the internet.

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2.
  4. Under Auto Scaling, choose Auto Scaling Groups.
  5. Select the checkbox next to the applicable Auto Scaling group.
  6. In the Details tab, choose Launch configuration > Edit.
  7. Under Additional configuration, for Advanced details > IP address type choose Do not assign a public IP address to any instances.
  8. Click Update.

From CLI:

Create a new launch template version with public IP address association set to false:

aws ec2 create-launch-template-version --region <region> --launch-template-id <template_id> --source-version <current_version_number> --launch-template-data '{"NetworkInterfaces":[{"AssociatePublicIpAddress":false}]}'

Then run the update command below to apply the new template:

aws autoscaling update-auto-scaling-group --region <region> --auto-scaling-group-name <group_name> --launch-template LaunchTemplateId=<template_id>,Version=<updated_version_number>
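As an added example that is not part of this policy page, the following Python audits each Auto Scaling group's launch configuration or launch template version for the setting the remediation above changes. The group names, ids and API-shaped sample records are constructed placeholders, and the extra INHERITS_SUBNET verdict for an unset flag is an added caveat rather than part of the control.

```python
"""Offline audit of Auto Scaling groups for launch settings that request a public IP.
Added example, not Lacework's or AWS's code; it consumes describe-* shaped dicts."""
from typing import Dict, List, Optional

def setting_from_launch_config(lc: Dict) -> Optional[bool]:
    # One top-level flag; None means it is absent and the subnet's
    # MapPublicIpOnLaunch default decides whether a public IP is assigned.
    return lc.get("AssociatePublicIpAddress")

def setting_from_template_version(version: Dict) -> Optional[bool]:
    # Launch templates set the flag per network interface; a single interface
    # requesting a public IP is enough to make the version non-compliant.
    values = [n.get("AssociatePublicIpAddress") for n in
              version.get("LaunchTemplateData", {}).get("NetworkInterfaces", [])]
    if True in values:
        return True
    return False if False in values else None

def evaluate(setting: Optional[bool]) -> str:
    # COMPLIANT / NON_COMPLIANT follow the control; INHERITS_SUBNET is an added
    # caveat: an unset flag is not a pass if the subnet auto-assigns public IPs.
    if setting is None:
        return "INHERITS_SUBNET"
    return "NON_COMPLIANT" if setting else "COMPLIANT"

def audit(groups: List[Dict], launch_configs: Dict[str, Dict],
          template_versions: Dict[str, Dict]) -> Dict[str, str]:
    # Map each group to a verdict; template versions are keyed "id:version".
    results: Dict[str, str] = {}
    for g in groups:
        if "LaunchConfigurationName" in g:
            setting = setting_from_launch_config(launch_configs[g["LaunchConfigurationName"]])
        else:
            lt = g["LaunchTemplate"]
            key = f'{lt["LaunchTemplateId"]}:{lt["Version"]}'
            setting = setting_from_template_version(template_versions[key])
        results[g["AutoScalingGroupName"]] = evaluate(setting)
    return results

# Constructed sample data; ids and names are placeholders, not real resources.
SAMPLE_GROUPS = [
    {"AutoScalingGroupName": "web-asg", "LaunchConfigurationName": "web-lc"},
    {"AutoScalingGroupName": "api-asg",
     "LaunchTemplate": {"LaunchTemplateId": "lt-EXAMPLE", "Version": "2"}},
    {"AutoScalingGroupName": "batch-asg", "LaunchConfigurationName": "batch-lc"},
]
SAMPLE_LCS = {"web-lc": {"AssociatePublicIpAddress": True}, "batch-lc": {}}
SAMPLE_LTVS = {"lt-EXAMPLE:2": {"LaunchTemplateData": {"NetworkInterfaces": [
    {"DeviceIndex": 0, "AssociatePublicIpAddress": False}]}}}
```

Feeding it real boto3 output (describe_auto_scaling_groups, describe_launch_configurations, describe_launch_template_versions) only requires keying template versions as id:version. An INHERITS_SUBNET result should be resolved against the subnet's MapPublicIpOnLaunch attribute before the group is treated as compliant.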

References

https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5
https://docs.aws.amazon.com/autoscaling/ec2/userguide/change-launch-config.html
https://docs.aws.amazon.com/autoscaling/ec2/userguide/update-auto-scaling-group.html#update-auto-scaling-instances