Auto Scaling group associated launch configuration does not assign a public IP address
autoscaling_group_launch_configuration_no_public_ip
Amazon EC2 Auto Scaling groups are evaluated to determine whether their associated launch configuration assigns public IP addresses to instances (e.g., AssociatePublicIpAddress=true).
Risk
Publicly addressable instances are reachable from the Internet, enabling reconnaissance, brute-force, and exploitation of exposed services.
Compromise can lead to remote access, data exfiltration, and lateral movement, impacting confidentiality, integrity, and availability.
prowler aws --checks autoscaling_group_launch_configuration_no_public_ip
Recommendation
Place instances in private subnets and disable public addressing (AssociatePublicIpAddress=false). Publish services via load balancers or private endpoints, enforce least privilege security groups, and use SSM, VPN, or a hardened bastion for admin access. Prefer launch templates to standardize network controls.
Remediation
# CloudFormation Launch Configuration without public IPs
Resources:
  <example_resource_name>:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: <example_ami_id>
      InstanceType: <example_instance_type>
      AssociatePublicIpAddress: false # Critical: disables assigning public IPs to instances
# Terraform Launch Configuration without public IPs
resource "aws_launch_configuration" "<example_resource_name>" {
  image_id                    = "<example_ami_id>"
  instance_type               = "<example_instance_type>"
  associate_public_ip_address = false # Critical: disables assigning public IPs
}
- In the AWS console, go to EC2 > Auto Scaling > Launch configurations and click Create launch configuration
- Use the same AMI and instance type as the current group; under Advanced details set IP address type to Do not assign a public IP address
- Create the launch configuration
- Go to EC2 > Auto Scaling Groups, select your group, click Edit next to Launch configuration, choose the new configuration, and click Update
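To confirm after the swap that no group still references a launch configuration with public addressing, the evaluation can be reproduced over the Auto Scaling API responses. This is an added example, not Prowler's source code; the sample records are constructed, and the SKIP, UNKNOWN and REVIEW labels are this example's own additions to PASS/FAIL.

```python
# Added example, not Prowler's source. Labels other than PASS/FAIL are this example's own.

def evaluate(groups, launch_configs):
    """Map each Auto Scaling group name to (status, detail)."""
    by_name = {lc["LaunchConfigurationName"]: lc for lc in launch_configs}
    findings = {}
    for group in groups:
        name = group["AutoScalingGroupName"]
        lc_name = group.get("LaunchConfigurationName")
        if not lc_name:
            # Launch template or mixed instances policy: not covered by this check.
            findings[name] = ("SKIP", "no launch configuration attached")
            continue
        lc = by_name.get(lc_name)
        if lc is None:
            # Group points at a configuration missing from the supplied list.
            findings[name] = ("UNKNOWN", f"{lc_name} not found")
            continue
        public_ip = lc.get("AssociatePublicIpAddress")
        if public_ip is True:
            findings[name] = ("FAIL", f"{lc_name} assigns public IPs")
        elif public_ip is False:
            findings[name] = ("PASS", f"{lc_name} disables public IPs")
        else:
            # Field unset: instances follow the subnet's auto-assign setting.
            findings[name] = ("REVIEW", f"{lc_name} inherits the subnet setting")
    return findings

# Constructed sample data, trimmed to the fields the evaluation reads.
SAMPLE_GROUPS = [
    {"AutoScalingGroupName": "web-asg", "LaunchConfigurationName": "web-lc-v1"},
    {"AutoScalingGroupName": "api-asg", "LaunchConfigurationName": "api-lc-v2"},
    {"AutoScalingGroupName": "batch-asg", "LaunchConfigurationName": "batch-lc"},
    {"AutoScalingGroupName": "tmpl-asg", "LaunchTemplate": {"LaunchTemplateName": "tmpl"}},
]
SAMPLE_CONFIGS = [
    {"LaunchConfigurationName": "web-lc-v1", "AssociatePublicIpAddress": True},
    {"LaunchConfigurationName": "api-lc-v2", "AssociatePublicIpAddress": False},
    {"LaunchConfigurationName": "batch-lc"},
]

if __name__ == "__main__":
    for name, (status, detail) in evaluate(SAMPLE_GROUPS, SAMPLE_CONFIGS).items():
        print(f"{status:7} {name}: {detail}")
```

For live data, pass the `AutoScalingGroups` and `LaunchConfigurations` lists returned by the DescribeAutoScalingGroups and DescribeLaunchConfigurations API calls. A REVIEW result means the subnet's auto-assign public IPv4 setting decides the outcome, so check the subnets the group launches into.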
Resource Type
AwsAutoScalingAutoScalingGroup