v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 25 Amazon EC2 launch templates should not assign public IPs to network interfaces

Description

This control checks if Amazon EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch. The control fails if an EC2 launch template is configured to assign a public IP address to network interfaces or if there is at least one network interface that has a public IP address.

A public IP address is one that is reachable from the internet. If you configure your network interfaces with a public IP address, then the resources associated with those network interfaces may be reachable from the internet. EC2 resources shouldn't be publicly accessible because this may permit unintended access to your workloads.

Remediation

To update an EC2 launch template, see Change the default network interface settings in the Amazon EC2 Auto Scaling User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_25

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_25 --share

SQL

This control uses a named query:

ec2_launch_template_not_publicly_accessible

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = resources_not_publicly_accessible
foundational_security_item_id = ec2_25
plugin = aws
service = AWS/EC2