Profile Applicability

  • Level 2

Description:
Amazon EC2 instances launched by an Auto Scaling Group (ASG) may or may not receive a public IPv4 address at launch. The outcome is decided by the AssociatePublicIpAddress setting of the launch configuration (or, for groups using a launch template, the primary network interface of the template version); when that setting is left unset, the MapPublicIpOnLaunch attribute of the subnet the instance lands in decides. Every instance in a VPC gets a private IP address; a public IP address is only needed when the instance itself must be reachable from, or reach, the internet without a load balancer or NAT gateway in front of it.

It is important to verify that instances launched through ASG launch configurations receive public IP addresses exactly when they need direct internet access. The ASG itself only selects subnets (VPCZoneIdentifier); the assignment is controlled by the launch configuration or template setting and, failing that, by the subnet attribute, so both places have to be checked.

Rationale:
 A public IP address is necessary for EC2 instances that must be directly reachable from the internet, such as web servers that are not fronted by a load balancer. At the same time, a public IP address makes the instance reachable from the internet subject only to its security group and network ACL rules, so the check cuts both ways: internet-facing groups must get one, and nothing else should. Verify the Auto Scaling Group's launch configuration and subnet settings so that the instances launched meet the application's actual network requirements.

Impact:
 Pros:

  • Ensures that instances requiring internet access are correctly assigned public IP addresses, allowing them to communicate with external services and users.

  • Enables smoother configuration of applications that need to be publicly accessible.

  • Helps maintain proper network configurations, particularly for environments where EC2 instances are part of a public-facing service.

Cons:

  • Security risk if public IP addresses are assigned to instances that do not need external access: they become reachable from the internet, protected only by their security group and network ACL rules.

  • Additional costs: public IPv4 addresses are billed per hour of use, and internet-bound data transfer is charged, so unneeded public addresses waste money as well as widening exposure.

Default Value:
 A launch configuration created without AssociatePublicIpAddress defers to the subnet's MapPublicIpOnLaunch attribute. Subnets in a default VPC have that attribute enabled; subnets in a non-default VPC have it disabled unless it was enabled explicitly. Note that "public subnet" and "private subnet" describe the route table (a route to an internet gateway or not), not the auto-assign attribute: a public subnet does not automatically assign public IPs, and a public IP assigned in a subnet without an internet gateway route is not reachable.

Pre-requisites:

  • AWS IAM permissions to describe Auto Scaling Groups, launch configurations, launch templates and subnets, and to create launch configurations and update Auto Scaling Groups for remediation:

    • autoscaling:DescribeAutoScalingGroups

    • autoscaling:DescribeLaunchConfigurations

    • autoscaling:CreateLaunchConfiguration

    • autoscaling:UpdateAutoScalingGroup

    • ec2:DescribeInstances

    • ec2:DescribeSubnets

    • ec2:DescribeLaunchTemplateVersions (for groups that use a launch template)

    • iam:PassRole (only if the launch configuration carries an IAM instance profile)

  • Understanding of Auto Scaling Group settings and of the subnet configurations used for instance launch, in particular that launch configurations are immutable and are replaced rather than edited.

  • An inventory of which Auto Scaling Groups are internet-facing, so that each group's network settings can be reviewed against a known requirement for public IPs.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 and select Auto Scaling Groups from the left-hand menu.

  3. Select the Auto Scaling Group associated with the Launch Configuration you want to check.

  4. In the Network section, note the subnets the Auto Scaling Group launches into, then open VPC > Subnets and check each one:

    • Verify the route table has a route to an internet gateway; without it a public IP is assigned but unreachable.

    • Check the Auto-assign public IPv4 address setting. It only applies when the launch configuration leaves the IP address type unset.

  5. Open the Launch Configuration associated with the Auto Scaling Group and, under Advanced details, read the IP address type: assign a public IP to every instance, do not assign one, or use the subnet setting.

  6. Launch configurations cannot be edited in place. If the setting does not match the requirement, copy the launch configuration (or copy it to a launch template, which AWS now recommends), set the IP address type on the copy, and update the Auto Scaling Group to use the copy. Running instances keep their old setting until they are replaced.

Using AWS CLI:

  1. List all Auto Scaling Groups with their launch configuration or template and subnets:

    aws autoscaling describe-auto-scaling-groups --query 'AutoScalingGroups[].[AutoScalingGroupName,LaunchConfigurationName,LaunchTemplate.LaunchTemplateId,VPCZoneIdentifier]' --output table
  2. Retrieve the launch configuration of the group under review and read its public IP setting:

    aws autoscaling describe-launch-configurations --launch-configuration-names <LC_NAME> --query 'LaunchConfigurations[0].AssociatePublicIpAddress'
  3. Interpret the result: true means every instance gets a public IP, false means none does, and null means the setting is unset and the subnet attribute decides.

  4. If the result is null, check every subnet listed in VPCZoneIdentifier:

    aws ec2 describe-subnets --subnet-ids <SUBNET_ID_1> <SUBNET_ID_2> --query 'Subnets[].[SubnetId,MapPublicIpOnLaunch]' --output table

  5. Confirm the effective result on the instances the group has actually launched (PublicIpAddress is absent when no public IP was assigned):

    aws ec2 describe-instances --filters Name=tag:aws:autoscaling:groupName,Values=<ASG_NAME> --query 'Reservations[].Instances[].[InstanceId,SubnetId,PublicIpAddress]' --output table

  6. If the effective assignment does not match the group's requirement, remediate as described in the Implementation Plan. Note that changing the subnet list with update-auto-scaling-group --vpc-zone-identifier only changes the result when the launch configuration leaves AssociatePublicIpAddress unset.

Implementation Plan:

Using AWS Console:

  1. Open the AWS Management Console and navigate to EC2 > Auto Scaling Groups.

  2. Select the relevant Auto Scaling Group and note its subnets and launch configuration.

  3. Make sure the subnets route to an internet gateway; a public IP assigned in a subnet without that route is unreachable. Then either enable Auto-assign public IPv4 address on the subnet (this affects every launch into that subnet, not only this group) or set the IP address type on the launch configuration.

  4. Because a launch configuration cannot be edited, copy it with the IP address type set to assign a public IP, point the Auto Scaling Group at the copy, and start an instance refresh so that running instances are replaced with the new setting.

Using AWS CLI:

  1. Launch configurations are immutable, so create a copy with public IP assignment enabled (carry over the key pair, instance profile, user data and block device mappings of the existing configuration):

    aws autoscaling create-launch-configuration --launch-configuration-name <NEW_LC_NAME> --image-id <AMI_ID> --instance-type <INSTANCE_TYPE> --security-groups <SG_ID> --associate-public-ip-address

  2. Point the Auto Scaling Group at the new launch configuration and make sure the subnet list contains only subnets that route to an internet gateway:

    aws autoscaling update-auto-scaling-group --auto-scaling-group-name <ASG_NAME> --launch-configuration-name <NEW_LC_NAME> --vpc-zone-identifier "<SUBNET_ID_1>,<SUBNET_ID_2>"

  3. Running instances keep their old setting until replaced; start an instance refresh to roll them:

    aws autoscaling start-instance-refresh --auto-scaling-group-name <ASG_NAME>

  4. Alternatively, if the launch configuration leaves the setting unset, enable auto-assign on the subnet (this applies to every launch into that subnet, not only this group):

    aws ec2 modify-subnet-attribute --subnet-id <SUBNET_ID> --map-public-ip-on-launch

Backout Plan:

Using AWS Console:

  1. If assigning public IP addresses causes issues, sign in to the AWS Management Console.

  2. Navigate to EC2 > Auto Scaling Groups.

  3. Select the Auto Scaling Group and revert the change that introduced public IP assignment: point the group back at the previous launch configuration (or a copy with the IP address type set to not assign a public IP), or disable Auto-assign public IPv4 address on the subnet if that is what was changed.

  4. Save the changes and verify that the instances are no longer being assigned public IPs.

Using AWS CLI:

  1. To disable public IP assignment for the Auto Scaling Group, create a launch configuration copy with the flag explicitly off (an explicit false overrides the subnet attribute) and switch the group to it:

    aws autoscaling create-launch-configuration --launch-configuration-name <ROLLBACK_LC_NAME> --image-id <AMI_ID> --instance-type <INSTANCE_TYPE> --security-groups <SG_ID> --no-associate-public-ip-address

    aws autoscaling update-auto-scaling-group --auto-scaling-group-name <ASG_NAME> --launch-configuration-name <ROLLBACK_LC_NAME>

    If the subnet attribute was changed during implementation, revert it as well:

    aws ec2 modify-subnet-attribute --subnet-id <SUBNET_ID> --no-map-public-ip-on-launch

  2. Replace the running instances and verify that new ones no longer carry a PublicIpAddress:

    aws autoscaling start-instance-refresh --auto-scaling-group-name <ASG_NAME>

    aws ec2 describe-instances --filters Name=tag:aws:autoscaling:groupName,Values=<ASG_NAME> --query 'Reservations[].Instances[].[InstanceId,PublicIpAddress]' --output table
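The following is an added example, not part of this benchmark page and not an AWS tool. It implements the Test Plan's decision (launch configuration or template setting first, subnet attribute only when that is unset) as offline-testable functions over the response shapes returned by boto3, and it builds the replacement launch configuration parameters that the Implementation and Backout plans need because launch configurations cannot be edited in place. The group name, subnet IDs, AMI and security group IDs are constructed sample data, and the "required" flag is an assumed per-group policy input; audit_account() is the only part that talks to AWS and needs boto3 plus credentials.

```python
"""Audit public-IP assignment for EC2 Auto Scaling groups and build the
replacement launch configuration needed to change it.

Added example (not AWS or benchmark code). The pure functions accept the dict
shapes returned by boto3's describe_auto_scaling_groups,
describe_launch_configurations, describe_launch_template_versions and
describe_subnets, so they run offline on the constructed samples below.
"""
from __future__ import annotations

# Fields that Describe returns but CreateLaunchConfiguration rejects.
READ_ONLY_LC_FIELDS = {"LaunchConfigurationARN", "CreatedTime"}


def explicit_public_ip(lc: dict | None, lt_version: dict | None) -> bool | None:
    """AssociatePublicIpAddress from the launch configuration, or from the
    primary ENI (DeviceIndex 0) of the launch template version. None means
    unset, in which case the subnet's MapPublicIpOnLaunch attribute decides."""
    if lc is not None:
        return lc.get("AssociatePublicIpAddress")
    if lt_version is not None:
        for eni in lt_version.get("LaunchTemplateData", {}).get("NetworkInterfaces", []):
            if eni.get("DeviceIndex", 0) == 0 and "AssociatePublicIpAddress" in eni:
                return eni["AssociatePublicIpAddress"]
    return None


def asg_subnet_ids(asg: dict) -> list[str]:
    """VPCZoneIdentifier is a comma-separated string of subnet IDs."""
    return [s for s in asg.get("VPCZoneIdentifier", "").split(",") if s]


def effective_public_ip(explicit: bool | None, subnets: list[dict]) -> dict[str, bool]:
    """Per subnet: does an instance launched there get a public IPv4?
    An explicit launch-config/template value overrides the subnet attribute."""
    return {s["SubnetId"]: (bool(s.get("MapPublicIpOnLaunch", False))
                            if explicit is None else explicit) for s in subnets}


def assess(asg: dict, lc: dict | None, lt_version: dict | None,
           subnets: list[dict], required: bool) -> dict:
    """Compare the effective setting with what the workload requires
    (required=True for internet-facing groups, False for everything else)."""
    explicit = explicit_public_ip(lc, lt_version)
    per_subnet = effective_public_ip(explicit, subnets)
    bad = sorted(sid for sid, v in per_subnet.items() if v != required)
    return {"AutoScalingGroupName": asg["AutoScalingGroupName"], "explicit": explicit,
            "per_subnet": per_subnet, "noncompliant_subnets": bad, "compliant": not bad}


def clone_launch_configuration(lc: dict, new_name: str, associate_public_ip: bool) -> dict:
    """Launch configurations are immutable: remediation (and backout) means
    creating a copy with the flag set and pointing the group at it. Returns
    kwargs for autoscaling.create_launch_configuration(). UserData comes back
    base64-encoded from Describe and is accepted in that form by Create."""
    params = {k: v for k, v in lc.items() if k not in READ_ONLY_LC_FIELDS}
    params["LaunchConfigurationName"] = new_name
    params["AssociatePublicIpAddress"] = associate_public_ip
    return params


def audit_account(required: bool, region: str | None = None):
    """Live audit of every group in a region (needs boto3 and credentials)."""
    import boto3  # imported here so the pure functions work without it
    asg_api = boto3.client("autoscaling", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    for page in asg_api.get_paginator("describe_auto_scaling_groups").paginate():
        for asg in page["AutoScalingGroups"]:
            lc = lt = None
            spec = asg.get("LaunchTemplate") or asg.get("MixedInstancesPolicy", {}).get(
                "LaunchTemplate", {}).get("LaunchTemplateSpecification")
            if "LaunchConfigurationName" in asg:
                lc = asg_api.describe_launch_configurations(
                    LaunchConfigurationNames=[asg["LaunchConfigurationName"]])["LaunchConfigurations"][0]
            elif spec:  # the spec carries an ID or a name; pass whichever is present
                ident = ({"LaunchTemplateId": spec["LaunchTemplateId"]} if "LaunchTemplateId" in spec
                         else {"LaunchTemplateName": spec["LaunchTemplateName"]})
                lt = ec2.describe_launch_template_versions(
                    Versions=[spec.get("Version", "$Default")], **ident)["LaunchTemplateVersions"][0]
            ids = asg_subnet_ids(asg)
            subnets = ec2.describe_subnets(SubnetIds=ids)["Subnets"] if ids else []
            yield assess(asg, lc, lt, subnets, required)


# Constructed sample responses; none of these resources exist.
SAMPLE_ASG = {"AutoScalingGroupName": "web-asg", "LaunchConfigurationName": "web-lc-v1",
              "VPCZoneIdentifier": "subnet-0aaaaaaaaaaaaaaa1,subnet-0bbbbbbbbbbbbbbb2"}
SAMPLE_LC_UNSET = {"LaunchConfigurationName": "web-lc-v1",  # flag absent: subnet decides
                   "LaunchConfigurationARN": "arn:aws:autoscaling:us-east-1:123456789012:launchConfiguration:web-lc-v1",
                   "CreatedTime": "2024-01-01T00:00:00Z", "ImageId": "ami-0123456789abcdef0",
                   "InstanceType": "t3.micro", "SecurityGroups": ["sg-0123456789abcdef0"]}
SAMPLE_LT_VERSION = {"LaunchTemplateData": {"NetworkInterfaces": [
    {"DeviceIndex": 0, "AssociatePublicIpAddress": False}]}}
SAMPLE_SUBNETS = [{"SubnetId": "subnet-0aaaaaaaaaaaaaaa1", "MapPublicIpOnLaunch": True},
                  {"SubnetId": "subnet-0bbbbbbbbbbbbbbb2", "MapPublicIpOnLaunch": False}]

if __name__ == "__main__":
    # Internet-facing group whose launch configuration leaves the flag unset:
    # one subnet assigns a public IP, the other does not, so the group is non-compliant.
    print(assess(SAMPLE_ASG, SAMPLE_LC_UNSET, None, SAMPLE_SUBNETS, required=True))
```

Run it as a script to see the sample verdict, or call `list(audit_account(required=True))` in an account to audit every group in a region. The per-subnet result matters: a group whose launch configuration leaves the flag unset behaves differently in each subnet it spans, which is why an explicit true or false on the launch configuration (via clone_launch_configuration followed by update-auto-scaling-group and an instance refresh) is the more predictable fix than editing subnet attributes that other launches share.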

Reference:

CIS Controls:

Version | Control ID | Control Description
7.1 | 3.1 | Ensure that EC2 instances launched via Auto Scaling Groups have public IP addresses when required, to ensure proper internet access for applications.
7.1 | 8.1 | Verify that Auto Scaling Groups are configured to assign public IP addresses where necessary for internet-facing applications.