🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢

Contextual name: 🛡️ Auto Scaling Group behind ELB assigns public IP to instances🟢
ID: /ce/ca/aws/autoscaling/group-config-public-ip-assignement
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: RELIABILITY, SECURITY

Logic

🧠 prod.logic.yaml🟢

Similar Policies

AWS Security Hub: [Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses
Internal: dec-x-84342650

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-84342650	1

Description

Open File

Description

Ensure that Auto Scaling Group launch configurations are not configured to assign public IP addresses to EC2 instances launched behind a load balancer.

If you do not set Associate Public IP Address, the default is to use the auto-assign public IP settings of the subnets that your instances are launched into.

Rationale

When an EC2 instance is launched with a public IP while also being registered behind an ELB, it may become directly addressable from the internet, potentially bypassing the centralized control point provided by the ELB. This undermines security controls such as centralized logging, access control policies, WAF protection, and TLS termination.

Audit

This policy flags an AWS EC2 Auto Scaling Group as INCOMPLIANT if the following conditions are met:

It is associated with a load balancer, and

Its AWS EC2 Launch Configuration (accessible via the Launch Configuration field) has the Associate Public IP Address checkbox set to true.

An Auto Scaling Group is marked as INAPPLICABLE in either of the following cases:

... see more

Remediation

Open File

Remediation

It is recommended to transition from Launch Configurations to Launch Templates rather than modifying the existing launch configuration. The migration process to launch templates is outlined in /ce/ca/aws/autoscaling/group-uses-launch-configuration.

If immediate migration is not feasible, you may choose to modify the current launch configuration as outlined below.

From Command Line

Create a New Launch Configuration

Launch configurations cannot be modified once created. To update the launch configuration for an Auto Scaling group, you must create a new launch configuration based on the existing one.

Optionally, you can retrieve the settings of the current launch configuration using the following command:
aws autoscaling describe-launch-configurations \
    --launch-configuration-names {{existing-launch-configuration-name}}
Once you have the configuration details, create a new launch configuration using the create-launch-configuration command. Set the --associate-public-ip-address parameter in the new configuration:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses		1	1	no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			116	no data
💼 Cloudaware Framework → 💼 System Configuration			69	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	63	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79	no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84	no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			20	no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			63	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			31	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information		9	10	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	63	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	93	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			34	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			20	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37	no data
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			15	no data
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data
💼 PCI DSS v4.0 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		36	38	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

From Command Line​

Create a New Launch Configuration​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Audit

Remediation

Remediation

From Command Line

Create a New Launch Configuration

policy.yaml

Linked Framework Sections