Ensure that the EC2 instances running within Auto Scaling Groups (ASGs) are not using public IP addresses in order to prevent Internet exposure.
This rule can help you work with the AWS Well-Architected Framework.
Amazon EC2 instances launched within Auto Scaling Groups (ASGs) should not get public IP addresses to enhance security by reducing the attack surface. Instead, they should be placed in private VPC subnets and accessed through the associated load balancer. This setup ensures that incoming traffic is controlled and monitored while allowing instances to scale dynamically based on demand.
Audit
To determine if the EC2 instances running within your Auto Scaling Groups (ASG) have public IP addresses, perform the following actions:
Remediation / Resolution
To disable public IP association in the launch templates associated with your Auto Scaling Groups (ASGs), perform the following actions:
References
- AWS Documentation
- Auto Scaling groups
- Launch templates
- Examples for creating and managing launch templates with the AWS Command Line Interface (AWS CLI)
- AWS Command Line Interface (CLI) Documentation
- describe-auto-scaling-groups
- describe-launch-template-versions
- create-launch-template-version
- autoscaling/update-auto-scaling-group