Skip to main content

πŸ“ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟒

  • Contextual name: πŸ“ Auto Scaling Group behind ELB assigns public IP to instances 🟒
  • ID: /ce/ca/aws/autoscaling/group-config-public-ip-assignement
  • Located in: πŸ“ AWS Auto Scaling

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-843426501

Logic​

Description​

Open File

Description​

Ensure that Auto Scaling Group launch configuration is not configured to assign public IP addresses to EC2 instances launched behind a load balancer.

If you do not set Associate Public IP Address, the default is to use the auto-assign public IP settings of the subnets that your instances are launched into.

Rationale​

When an EC2 instance is launched with a public IP while also being registered behind an ELB, it may become directly addressable from the internet, potentially circumventing the centralized control point provided by the ELB. This undermines security postures such as centralized logging, access control policies, WAF protection, and TLS termination.

Audit​

This policy flags an AWS EC2 Auto Scaling Group as INCOMPLIANT if the following conditions are met:

  • It is associated with a load balancer, and
  • Its AWS EC2 Launch Configuration (accessible via the Launch Configuration field) has the Associate Public IP Address checkbox set to true.

An Auto Scaling Group is marked as INAPPLICABLE in either of the following cases:

... see more

Remediation​

Open File

Remediation​

It is recommended to transition from Launch Configurations to Launch Templates rather than modifying the existing launch configuration. The migration process to launch templates is outlined in /ce/ca/aws/autoscaling/group-uses-launch-configuration.

If immediate migration is not feasible, you may choose to modify the current launch configuration as outlined below.

From Command Line​

Create a New Launch Configuration​

Launch configurations cannot be modified once created. To update the launch configuration for an Auto Scaling group, you must create a new launch configuration based on the existing one.

Optionally, you can retrieve the settings of the current launch configuration using the following command:

aws autoscaling describe-launch-configurations \
    --launch-configuration-names {{existing-launch-configuration-name}}

Once you have the configuration details, create a new launch configuration using the create-launch-configuration command. Set the --associate-public-ip-address parameter to true in the new configuration:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access77
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration30
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3764
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23675
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1142
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81153
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-21 Information Sharing (M)(H)5
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10845
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(3) Access Points (M)(H)5
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)25
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(20) Dynamic Isolation and Segregation (H)5
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(21) Isolation of System Components (H)19
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)30
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)160
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)42
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)653
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-21 Information Sharing (M)(H)5
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)739
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(3) Access Points (M)(H)5
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)25
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained45
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties88
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage66
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15534
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(7) Access Enforcement _ Role-based Access Control11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326885
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information910
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3742
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102346
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-21 Information Sharing25
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7 Boundary Protection29447
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(3) Boundary Protection _ Access Points5
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services25
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic12
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic19
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(16) Boundary Protection _ Prevent Discovery of System Components20
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation5
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(21) Boundary Protection _ Isolation of System Components19
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.5
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.5
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.5
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3638