Profile Applicability:

  • Level 1

Description:

Amazon EC2 Launch Templates allow you to define the configuration for launching instances in a consistent and reusable manner. These templates can specify various settings, including networking options. One important security setting is whether or not to assign public IP addresses to the EC2 instance's network interface. By default, EC2 instances launched in a public subnet may be assigned a public IP, making them accessible from the internet. For enhanced security, it is best practice to ensure that Launch Templates do not assign public IP addresses to EC2 instances unless explicitly required for a use case.

Rationale:

Assigning public IP addresses to EC2 instances exposes them directly to the internet, increasing the attack surface. Ensuring that Launch Templates do not assign public IPs by default helps mitigate unauthorized access and reduces the risk of security vulnerabilities. Private instances, which do not have public IPs, are less exposed to the internet and can be safely accessed through other methods such as NAT Gateway, Elastic Load Balancers (ELB), or VPN connections.

Impact:

Pros:

  • Reduces security risks by preventing direct internet access to EC2 instances.

  • Ensures instances are launched within private subnets unless a public IP is explicitly required.

  • Increases control over inbound and outbound traffic by using private IPs and NAT Gateway for internet access.

Cons:

  • Applications or services that require direct public internet access will need to use Elastic Load Balancers (ELB) or NAT Gateways for outbound communication.

Default Value:

By default, EC2 Launch Templates may allow the assignment of public IP addresses when instances are launched in public subnets. This setting must be manually disabled in the launch template to avoid automatic assignment of public IPs.

Pre-requisite:

  • AWS IAM permissions:

    • ec2:DescribeLaunchTemplates

    • ec2:ModifyLaunchTemplate

    • ec2:DescribeInstances

  • AWS CLI installed and configured.

  • Basic understanding of EC2 Launch Templates, VPC Subnets, and Network Interface Configuration.

Remediation:

Test plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the left-hand navigation panel, select Launch Templates under Instances.

  4. Select the desired Launch Template you want to inspect.

  5. In the Network Interfaces section, check if Assign public IP is set to Yes.

    • If Yes, this means public IPs will be assigned by default when an instance is launched using this template.

    • Change this setting to No to ensure that no public IPs are assigned automatically to EC2 instances launched from this template.

  6. Save the changes to ensure that public IPs are not assigned to network interfaces in future instances launched with this template.

Using AWS CLI:

To list all EC2 launch templates, use the following command:

aws ec2 describe-launch-templates --query 'LaunchTemplates[*].{ID:LaunchTemplateId,Name:LaunchTemplateName}' --output table

To inspect the settings of a specific launch template and check if public IPs are assigned, run:

aws ec2 describe-launch-template-versions --launch-template-name <template-name> --query 'LaunchTemplateVersions[*].{Version:VersionNumber,NetworkInterfaces:LaunchTemplateData.NetworkInterfaces[*].AssociatePublicIpAddress}' --output table

  • If AssociatePublicIpAddress is set to true, public IPs are enabled.

Launch template versions cannot be edited in place, so to prevent public IP assignment create a new version from the current one with the setting disabled, then make that version the default:

aws ec2 create-launch-template-version --launch-template-name <template-name> --source-version <version> --launch-template-data '{"NetworkInterfaces":[{"DeviceIndex":0,"AssociatePublicIpAddress":false}]}'

aws ec2 modify-launch-template --launch-template-name <template-name> --default-version <new-version>

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to EC2.

  3. Under Instances, click Launch Templates.

  4. Select the Launch Template you want to configure.

  5. Under Network Interfaces, set Assign Public IP to No.

  6. Save the changes to ensure that future instances launched from this template will not have public IPs assigned.

Using AWS CLI:

To create a new launch template version with public IP assignment disabled, and make it the default version, run the following commands:

aws ec2 create-launch-template-version --launch-template-name <template-name> --source-version <version> --launch-template-data '{"NetworkInterfaces":[{"DeviceIndex":0,"AssociatePublicIpAddress":false}]}'

aws ec2 modify-launch-template --launch-template-name <template-name> --default-version <new-version>

Verify the configuration by describing the launch template versions:

aws ec2 describe-launch-template-versions --launch-template-name <template-name> --query 'LaunchTemplateVersions[*].{Version:VersionNumber,NetworkInterfaces:LaunchTemplateData.NetworkInterfaces[*].AssociatePublicIpAddress}' --output table
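Added example, not part of the benchmark text or of any AWS tooling: an offline audit over the JSON that `aws ec2 describe-launch-template-versions` returns, implementing the check from the test plan above and assembling the `create-launch-template-version` arguments from the implementation steps. The response, template ID, AMI ID and subnet ID are constructed placeholders. It also covers the case the table query does not make obvious: a version with no AssociatePublicIpAddress value at all, where the subnet's auto-assign public IP attribute decides at launch, so such a version is reported as non-compliant rather than silently passing.

```python
import json

# Constructed sample of a describe-launch-template-versions response
# (placeholder IDs, not a real account). Three versions:
#   v1 explicitly associates a public IP,
#   v2 explicitly disables it,
#   v3 declares no network interface, so the subnet's auto-assign
#      setting decides at launch time.
SAMPLE_RESPONSE = json.loads("""
{
  "LaunchTemplateVersions": [
    {"LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-tier",
     "VersionNumber": 1, "DefaultVersion": false,
     "LaunchTemplateData": {"NetworkInterfaces": [
        {"DeviceIndex": 0, "AssociatePublicIpAddress": true, "SubnetId": "subnet-0aaa"}]}},
    {"LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-tier",
     "VersionNumber": 2, "DefaultVersion": true,
     "LaunchTemplateData": {"NetworkInterfaces": [
        {"DeviceIndex": 0, "AssociatePublicIpAddress": false, "SubnetId": "subnet-0aaa"}]}},
    {"LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-tier",
     "VersionNumber": 3, "DefaultVersion": false,
     "LaunchTemplateData": {"ImageId": "ami-placeholder"}}
  ]
}
""")


def public_ip_status(version):
    """Classify one launch template version.

    "public"          - at least one interface sets AssociatePublicIpAddress true
    "private"         - every declared interface sets it false
    "inherits-subnet" - no interfaces, or the key is absent, so the subnet's
                        MapPublicIpOnLaunch attribute decides at launch
    """
    nics = version.get("LaunchTemplateData", {}).get("NetworkInterfaces", [])
    flags = [n.get("AssociatePublicIpAddress") for n in nics]
    if any(f is True for f in flags):
        return "public"
    if flags and all(f is False for f in flags):
        return "private"
    return "inherits-subnet"


def audit(response):
    """Return (name, version number, status) for every non-compliant version."""
    findings = []
    for v in response["LaunchTemplateVersions"]:
        status = public_ip_status(v)
        if status != "private":
            findings.append((v["LaunchTemplateName"], v["VersionNumber"], status))
    return findings


def remediated_data(version):
    """Build the --launch-template-data for a hardened copy of this version.

    Other interface settings (subnet, device index, ...) are kept; only
    AssociatePublicIpAddress changes. A version with no interfaces gets an
    explicit primary interface (DeviceIndex 0) so the subnet default no
    longer applies. The input is deep-copied and left untouched.
    """
    nics = json.loads(json.dumps(
        version.get("LaunchTemplateData", {}).get("NetworkInterfaces", [])))
    if not nics:
        nics = [{"DeviceIndex": 0}]
    for n in nics:
        n["AssociatePublicIpAddress"] = False
    return {"NetworkInterfaces": nics}


def remediation_command(version):
    """Assemble the argv that creates the hardened version from this one.

    The caller runs it (e.g. via subprocess) and then points the template's
    default at the new version with modify-launch-template --default-version.
    """
    return ["aws", "ec2", "create-launch-template-version",
            "--launch-template-id", version["LaunchTemplateId"],
            "--source-version", str(version["VersionNumber"]),
            "--version-description", "disable-public-ip",
            "--launch-template-data", json.dumps(remediated_data(version))]


if __name__ == "__main__":
    for v in SAMPLE_RESPONSE["LaunchTemplateVersions"]:
        status = public_ip_status(v)
        print(f'{v["LaunchTemplateName"]} v{v["VersionNumber"]}: {status}')
        if status != "private":
            print("   ", " ".join(remediation_command(v)))
```

Against a real account, replace SAMPLE_RESPONSE with the parsed output of `aws ec2 describe-launch-template-versions --launch-template-name <template-name>`; the audit only consults LaunchTemplateData.NetworkInterfaces, which is where the console's Assign public IP setting is stored.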

Backout Plan:

If disabling public IP assignment causes issues (e.g., services requiring public internet access), follow these steps to revert the configuration:

  1. Identify the affected EC2 instance and launch template.

  2. Create a launch template version that re-enables public IP assignment and make it the default:

aws ec2 create-launch-template-version --launch-template-name <template-name> --source-version <version> --launch-template-data '{"NetworkInterfaces":[{"DeviceIndex":0,"AssociatePublicIpAddress":true}]}'

aws ec2 modify-launch-template --launch-template-name <template-name> --default-version <new-version>

  3. Verify that the configuration has been reverted and that instances launched from the template are accessible with public IPs as required.

  4. Document the restoration actions for auditing and compliance purposes.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                          | IG1 | IG2 | IG3
  --------|------------|------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                         |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                     |     |     |