Detection: EC2 Instance Launched with Public IP Address
Overview
Detect when an EC2 instance was launched with a public IP address. Instances with public IP addresses are accessible over the internet, increasing the risk of unauthorized access, brute force attacks, or exposure to other security threats. Monitoring these events helps ensure that public IP addresses are assigned only when necessary and align with security best practices.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.ec2_instance_launched_with_public_ipSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.ec2_instance_launched_with_public_ip --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,response_elements -> 'instancesSet' -> 'items' -> 0 ->> 'instanceId' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'ec2.amazonaws.com' and event_name = 'RunInstances' and json_contains( (request_parameters -> 'networkInterfaces' -> 'items'), '{"associatePublicIpAddress": true}' ) and error_code is null
order by tp_timestamp desc;