Disable Public IP Association in ASG Launch Templates

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the EC2 instances running within Auto Scaling Groups (ASGs) are not using public IP addresses in order to prevent Internet exposure.

This rule can help you work with the AWS Well-Architected Framework.

Security

Amazon EC2 instances launched within Auto Scaling Groups (ASGs) should not get public IP addresses to enhance security by reducing the attack surface. Instead, they should be placed in private VPC subnets and accessed through the associated load balancer. This setup ensures that incoming traffic is controlled and monitored while allowing instances to scale dynamically based on demand.
Audit

To determine if the EC2 instances running within your Auto Scaling Groups (ASG) have public IP addresses, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Launch template section, choose View details in the launch template console, and select the launch template associated with your Auto Scaling Group.

07 Choose the Details tab, then select the Network Interfaces tab to view the configuration information available for the associated network interface.

08 Check the value available in the Auto-assign public IP column to determine if the resource is configured to assign public IPs at launch. If the value is set to Enabled, all the Amazon EC2 instances launched within the selected Auto Scaling Group (ASG) get public IP addresses.

09 Repeat steps no. 4 – 8 for each Auto Scaling Group available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --output table \
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  cc-web-production-asg  |
|  cc-internal-app-asg    |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to describe the launch template (and the template version) associated with the Auto Scaling Group (ASG) that you want to examine:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-name cc-web-production-asg \
  --query 'AutoScalingGroups[*].LaunchTemplate'

04 The command output should return the requested ASG information:

[
	{
		"LaunchTemplateName": "cc-asg-launch-template",
		"Version": "2",
		"LaunchTemplateId": "lt-0abcd1234abcd1234"
	}
]

05 Run describe-launch-template-versions command (OSX/Linux/UNIX) to determine if the network interface defined for the selected launch template is configured to assign public IP addresses at launch:

aws ec2 describe-launch-template-versions \
  --region us-east-1 \
  --launch-template-id lt-0abcd1234abcd1234 \
  --versions 2 \
  --query 'LaunchTemplateVersions[*].LaunchTemplateData[].NetworkInterfaces[].AssociatePublicIpAddress'

06 The command output should return the requested information (true for enabled, false for disabled):

[
	true
]

If the describe-launch-template-versions command output returns true, as shown in the output example above, the auto-assign public IP feature is enabled, therefore the Amazon EC2 instances launched within the selected Auto Scaling Group (ASG) get public IP addresses.

07 Repeat steps no. 3 – 6 for each Auto Scaling Group available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To disable public IP association in the launch templates associated with your Auto Scaling Groups (ASGs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to configure.

05 Choose the Details tab to access the ASG resource configuration details.

06 In the Launch template section, choose Edit to modify the launch template configuration.

07 Under Version, choose Create a launch template version to create a new launch template version from the existing version.

08 In the Network settings section, choose Advanced network configuration, and select Disable for Auto-assign public IP.

09 Choose Create template version to save the new launch template version.

10 Navigate back to your Auto Scaling Group configuration page, use the Refresh button next to the Version dropdown list to load the new template version, and choose the launch template version created at the previous step. Choose Update to apply the configuration changes.

11 Repeat steps no. 4 – 10 for each ASG that you want to reconfigure, available within the current AWS region.

12 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-launch-template-version command (OSX/Linux/UNIX), using the ID of the ASG launch template that you want to reconfigure as the identifier parameter, to create a new version of the selected launch template. The --source-version parameter value is the version number of the launch template on which the new version is based. The new version inherits the same launch parameters as the source version, except for the parameters that you specify with --launch-template-data. To disable public IP association, set the "AssociatePublicIpAddress" parameter to false:

aws ec2 create-launch-template-version \
  --region us-east-1 \
  --launch-template-id lt-0abcd1234abcd1234 \
  --source-version 2 \
  --launch-template-data '{"NetworkInterfaces":[{"AssociatePublicIpAddress":false}]}'

02 The command output should return the information available for the new launch template version:

{
	"LaunchTemplateVersion": {
		"LaunchTemplateId": "lt-0abcd1234abcd1234",
		"LaunchTemplateName": "cc-asg-launch-template",
		"VersionNumber": 3,
		"CreateTime": "2023-08-01T16:55:40+00:00",
		"CreatedBy": "arn:aws:sts::123456789012:assumed-role/ec2-manager/i-0abcd1234abcd1234",
		"DefaultVersion": false,
		"LaunchTemplateData": {
			"NetworkInterfaces": [
				{
					"AssociatePublicIpAddress": false
				}
			],
			"ImageId": "ami-0abcd1234abcd1234",
			"InstanceType": "t3.large"
		}
	}
}

03 Run update-auto-scaling-group command (OSX/Linux/UNIX) to apply the new launch template configuration to your Auto Scaling Group (ASG) in order to disable the auto-assign public IP feature (the command does not produce an output):

IMPORTANT: The following reconfiguration process can impact application availability. Ensure that the selected Auto Scaling Group is NOT currently used in production or for critical operations.

aws autoscaling update-auto-scaling-group \
  --region us-east-1 \
  --auto-scaling-group-name cc-web-production-asg \
  --launch-template LaunchTemplateId=lt-0abcd1234abcd1234,Version=3

04 Repeat steps no. 1 – 3 for each ASG that you want to reconfigure, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
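The evaluation in Audit step 06 and the override built in Remediation step 01, as an added Python example that is not part of this knowledge base page: it works on the parsed JSON that describe-launch-template-versions returns (a constructed sample is embedded, so it runs offline), reports a template that sets no AssociatePublicIpAddress at all as inheriting the subnet's auto-assign setting rather than as compliant, and builds a --launch-template-data value that carries the other NetworkInterfaces fields forward so the new version differs only in that flag. The function names are this example's own.

```python
import json

# Constructed sample of `aws ec2 describe-launch-template-versions` output for
# the template and version used in the Audit section (not output from a real account).
SAMPLE_RESPONSE = json.loads("""
{
  "LaunchTemplateVersions": [
    {
      "LaunchTemplateId": "lt-0abcd1234abcd1234",
      "LaunchTemplateName": "cc-asg-launch-template",
      "VersionNumber": 2,
      "LaunchTemplateData": {
        "ImageId": "ami-0abcd1234abcd1234",
        "InstanceType": "t3.large",
        "NetworkInterfaces": [
          {"DeviceIndex": 0, "AssociatePublicIpAddress": true}
        ]
      }
    }
  ]
}
""")


def public_ip_status(response: dict) -> str:
    """Classify the single version in the response as ENABLED, DISABLED or INHERITED.

    INHERITED means no interface sets AssociatePublicIpAddress, so instances take the
    subnet's auto-assign public IP setting; the audit must then check the ASG's
    subnets instead of treating the template as compliant."""
    versions = response.get("LaunchTemplateVersions", [])
    if len(versions) != 1:
        raise ValueError("expected exactly one launch template version in the response")
    nics = versions[0].get("LaunchTemplateData", {}).get("NetworkInterfaces", [])
    flags = [nic["AssociatePublicIpAddress"] for nic in nics if "AssociatePublicIpAddress" in nic]
    if not flags:
        return "INHERITED"
    return "ENABLED" if any(flags) else "DISABLED"


def remediation_payload(response: dict) -> str:
    """Build the --launch-template-data JSON for create-launch-template-version.

    Every existing interface keeps its other fields (DeviceIndex, Groups, SubnetId, ...)
    and only AssociatePublicIpAddress is forced to false; a template with no
    interfaces gets one explicit primary interface with the flag disabled."""
    data = response["LaunchTemplateVersions"][0]["LaunchTemplateData"]
    nics = [dict(nic, AssociatePublicIpAddress=False) for nic in data.get("NetworkInterfaces", [])]
    if not nics:
        nics = [{"DeviceIndex": 0, "AssociatePublicIpAddress": False}]
    return json.dumps({"NetworkInterfaces": nics}, separators=(",", ":"))
```

Pipe the output of remediation_payload into the --launch-template-data parameter of the create-launch-template-version command from Remediation step 01.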

Publication date Aug 31, 2023