Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 5 Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

Description

This control checks whether an Auto Scaling groups associated launch configuration assigns a public IP address to the group’s instances.

Amazon EC2 instances in an autoscaling group launch configuration should not have an associated public IP address, except for in limited edge cases. Amazon EC2 instances should only be accessible from behind a load balancer instead of being directly exposed to the internet.

This control passes if the associated launch configuration is configured to assign a public IP address. This control fails if the associated launch configuration is not configured to assign a public IP address.

Remediation

An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you have create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration. Then, update the Auto Scaling group to use the new launch configuration as described in steps below.

After you change the launch configuration for an Auto Scaling group, any new instances are launched with the new configuration options. Existing instances are not affected. To update existing instances, either terminate them so that they are replaced by your Auto Scaling group, or allow automatic scaling to gradually replace older instances with newer instances based on your termination policies.

To enable Elastic Load Balancing health checks

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Auto Scaling, choose Launch Configurations.
  3. Select the launch configuration and choose Actions, then Copy launch configuration. This sets up a new launch configuration with the same options as the original, but with "Copy" added to the name.
  4. On the Create Launch Configuration page, expand Advanced details under Additional configuration - optional.
  5. Under IP address type, choose Do not assign a public IP address to any instances.
  6. When you have finished, Choose Create launch configuration.
  7. On the navigation pane, under Auto Scaling, choose Auto Scaling Groups.
  8. Select the check box next to the Auto Scaling group.
  9. A split pane opens up in the bottom part of the page, showing information about the group that's selected.
  10. On the Details tab, choose Launch configuration, Edit.
  11. For Launch configuration, select the new launch configuration.
  12. When you have finished changing your launch configuration, choose Update.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_autoscaling_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_autoscaling_5 --share

SQL

This control uses a named query:

select
  launch_configuration_arn as resource,
  case
    when associate_public_ip_address then 'alarm'
    else 'ok'
  end as status,
  case
    when associate_public_ip_address then title || ' public IP enabled.'
    else title || ' public IP disabled.'
  end as reason
  , region, account_id
from
  aws_ec2_launch_configuration;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_network_configuration
foundational_security_item_id = autoscaling_5
plugin = aws
service = AWS/AutoScaling