Skip to main content

πŸ“ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟒

  • Contextual name: πŸ“ Auto Scaling Group behind ELB assigns public IP to instances 🟒
  • ID: /ce/ca/aws/autoscaling/group-config-public-ip-assignement
  • Located in: πŸ“ AWS Auto Scaling

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-843426501

Logic​

Description​

Open File

Description​

Ensure that Auto Scaling Group launch configuration is not configured to assign public IP addresses to EC2 instances launched behind a load balancer.

If you do not set Associate Public IP Address, the default is to use the auto-assign public IP settings of the subnets that your instances are launched into.

Rationale​

When an EC2 instance is launched with a public IP while also being registered behind an ELB, it may become directly addressable from the internet, potentially circumventing the centralized control point provided by the ELB. This undermines security postures such as centralized logging, access control policies, WAF protection, and TLS termination.

Audit​

This policy flags an AWS EC2 Auto Scaling Group as INCOMPLIANT if the following conditions are met:

  • It is associated with a load balancer, and
  • Its AWS EC2 Launch Configuration (accessible via the Launch Configuration field) has the Associate Public IP Address checkbox set to true.

An Auto Scaling Group is marked as INAPPLICABLE in either of the following cases:

... see more

Remediation​

Open File

Remediation​

It is recommended to transition from Launch Configurations to Launch Templates rather than modifying the existing launch configuration. The migration process to launch templates is outlined in /ce/ca/aws/autoscaling/group-uses-launch-configuration.

If immediate migration is not feasible, you may choose to modify the current launch configuration as outlined below.

From Command Line​

Create a New Launch Configuration​

Launch configurations cannot be modified once created. To update the launch configuration for an Auto Scaling group, you must create a new launch configuration based on the existing one.

Optionally, you can retrieve the settings of the current launch configuration using the following command:

aws autoscaling describe-launch-configurations \
    --launch-configuration-names {{existing-launch-configuration-name}}

Once you have the configuration details, create a new launch configuration using the create-launch-configuration command. Set the --associate-public-ip-address parameter to true in the new configuration:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access71
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration27
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3548
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23165
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1139
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81136
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-21 Information Sharing (M)(H)3
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10633
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(3) Access Points (M)(H)3
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)18
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(20) Dynamic Isolation and Segregation (H)3
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(21) Isolation of System Components (H)17
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)48
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)24
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)48
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)151
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)39
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)636
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-21 Information Sharing (M)(H)3
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)729
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(3) Access Points (M)(H)3
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)18
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events85
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events91
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained32
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties59
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected68
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage42
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15419
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(7) Access Enforcement _ Role-based Access Control9
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326073
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information89
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3439
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102229
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-21 Information Sharing23
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7 Boundary Protection29333
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(3) Boundary Protection _ Access Points3
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services18
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic8
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic16
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(16) Boundary Protection _ Prevent Discovery of System Components17
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation3
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(21) Boundary Protection _ Isolation of System Components17
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.4
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.4
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.4
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3437