Assigning public IP addresses expose your instances to public internet

• GG_ID: GG_IAC_0034
• Severity: HIGH
• Complexity: MEDIUM
• Categories: NETWORK
• Providers: AWS
• Potential data exposure: True
• Visible in logs: True
• User interaction required: False
• Privileges required: False

Description

A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances.

Associating a public IP address to these instances will expose them to the public internet. Note that if your instances are spawned in a public Virtual Private Cloud, a public IP address will be assigned to them even if you switch off the associate_public_ip_address_setting in the launch group configuration.

Impact

Having open ingress means anyone can try and connect to the asset.

• If credentials are required to establish a connection, it still leaves open the possibility to bruteforce the credentials, or perform Denial of Service attacks.
• If no credentials are required, or credentials have been acquired by an attacker, then the asset is fully compromised.

Remediation guidelines

• Modify the launch configuration to disable the public IP address association.
• Terminate and recreate the existing instances that were launched with this configuratio, so that the new parameters are taken into account.

External documentation

• AWS Autoscaling launch configurations
• Change the launch configuration for an Auto Scaling group
• AWS Launch configuration in Terraform