lacework-global-395

Amazon Elastic Compute Cloud (EC2) launch templates should not assign public IPs to network interfaces (Manual)

Description

A public IP address is one that is reachable from the internet. If you configure your network interfaces with a public IP address, then the resources associated with those network interfaces may be reachable from the internet.

EC2 resources should not be publicly accessible because this may permit unintended access to your workloads.

Remediation

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2.
  4. In the left pane, under Instances, click Launch Templates.
  5. Select the template of interest, and click Actions > Modify template (Create new version).
  6. Under Network settings, expand the Advanced network configuration section.
  7. For each network interface, set Auto-assign public IP to Disable.
  8. Configure the remaining settings as required, and click Create template version.

From the CLI (the source version is the existing version you are basing the new one on; the hyphenated flag name is the one the AWS CLI accepts):

aws ec2 create-launch-template-version --launch-template-id <launch_template_id> --source-version <current_version> --launch-template-data '{"NetworkInterfaces":[{"AssociatePublicIpAddress":false}]}'
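The following added Python example (not Lacework's or AWS's own code) shows how to evaluate a launch template version for this control and to build the remediating create-launch-template-version call. It works on a constructed copy of the LaunchTemplateVersion structure that describe-launch-template-versions returns, so it runs offline; the template id, AMI id and subnet ids are placeholders, and the JSON shape is what the EC2 API documents.

```python
"""Evaluate and remediate launch-template versions for lacework-global-395.

Pure functions over the LaunchTemplateData structure returned by
DescribeLaunchTemplateVersions; no AWS calls are made, so it runs offline.
"""
import copy
import json

# Constructed sample: the shape of one LaunchTemplateVersion as returned by
# `aws ec2 describe-launch-template-versions` (all ids are placeholders).
SAMPLE_VERSION = {
    "LaunchTemplateId": "lt-0123456789abcdef0",
    "VersionNumber": 3,
    "LaunchTemplateData": {
        "ImageId": "ami-00000000000000000",
        "NetworkInterfaces": [
            {"DeviceIndex": 0, "AssociatePublicIpAddress": True,
             "SubnetId": "subnet-aaaa0000"},
            {"DeviceIndex": 1, "SubnetId": "subnet-bbbb0000"},
        ],
    },
}


def public_ip_interfaces(launch_template_data):
    """Return (explicit, inherited) lists of DeviceIndex values.

    'explicit' interfaces set AssociatePublicIpAddress to true and fail the
    control outright.  'inherited' interfaces omit the field, so they take
    the subnet's auto-assign setting; review those subnets separately.
    """
    explicit, inherited = [], []
    for nic in launch_template_data.get("NetworkInterfaces", []):
        if nic.get("AssociatePublicIpAddress") is True:
            explicit.append(nic.get("DeviceIndex"))
        elif "AssociatePublicIpAddress" not in nic:
            inherited.append(nic.get("DeviceIndex"))
    return explicit, inherited


def remediated_data(launch_template_data):
    """Build the LaunchTemplateData for a new version with public IPs off.

    Only NetworkInterfaces is emitted: with --source-version every other
    parameter is inherited from the source.  The full list is repeated with
    its DeviceIndex values so no interface is dropped from the new version.
    """
    nics = copy.deepcopy(launch_template_data.get("NetworkInterfaces", []))
    for nic in nics:
        nic["AssociatePublicIpAddress"] = False
    return {"NetworkInterfaces": nics}


def cli_command(version):
    """Render the create-launch-template-version call for one version."""
    data = json.dumps(remediated_data(version["LaunchTemplateData"]),
                      separators=(",", ":"))
    return ("aws ec2 create-launch-template-version "
            f"--launch-template-id {version['LaunchTemplateId']} "
            f"--source-version {version['VersionNumber']} "
            f"--launch-template-data '{data}'")
```

After creating the new version, point the template's default version (or the Auto Scaling group's launch template version) at it, since existing versions are immutable and the old one remains launchable until nothing references it.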

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-25
https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html#change-network-interface