Control: AWS EC2 launch templates should not assign public IPs to network interfaces
Description
This control checks if AWS EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch. The control fails if an EC2 launch template is configured to assign a public IP address to network interfaces or if there is at least one network interface that has a public IP address.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ec2_launch_template_not_publicly_accessibleSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.ec2_launch_template_not_publicly_accessible --shareSQL
This control uses a named query:
with public_launch_templates as ( select i.tags ->> 'aws:ec2launchtemplate:id' as public_launch_template_id from aws_ec2_instance as i, jsonb_array_elements(launch_template_data -> 'NetworkInterfaces') as nic where (nic -> 'AssociatePublicIpAddress')::bool),launch_templates_associated_instance as ( select distinct tags ->> 'aws:ec2launchtemplate:id' as launch_template_id from aws_ec2_instance)select t.launch_template_id as resource, case when i.launch_template_id is null then 'skip' when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then 'alarm' else 'ok' end as status, case when i.launch_template_id is null then t.title || ' does not launch any instance.' when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then t.title || ' publicly accessible.' else t.title || ' not publicly accessible.' end as reason , t.region, t.account_idfrom aws_ec2_launch_template as t left join launch_templates_associated_instance as i on i.launch_template_id = t.launch_template_id;