Compliance · Medium severity

AWS Security Hub · AutoScaling

AutoScaling.5: A launch config gives ASG instances public IPs

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub AutoScaling.5 check?

AutoScaling.5 fails when a launch configuration has AssociatePublicIpAddress set to true. Every instance the group launches from it gets a public IP and becomes directly reachable from the internet.

Why does AutoScaling.5 matter?

Fleet instances belong in private subnets behind a load balancer, not on public IPs. A launch configuration that assigns public addresses puts every autoscaled instance directly on the internet, widening the attack surface to anything listening on those hosts. Years of copy-pasted configurations have carried this convenience default forward into fleets that never needed it.

How do I fix AutoScaling.5?

  1. Find launch configurations with AssociatePublicIpAddress enabled.
  2. Clone the bad launch configuration into a new one with the flag disabled, since launch configurations are immutable.
  3. Point the Auto Scaling group at the new launch configuration.
  4. Run an instance refresh so running instances are replaced with private ones, and place the group in private subnets.
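The four steps above as a planning helper, added here as an example and not part of Emnode's page or its remediation script. It works from the JSON that `aws autoscaling describe-launch-configurations` returns (a constructed sample is embedded), builds the `create-launch-configuration` input for the private clone, and emits the CLI commands for steps 2 to 4; the group name and private subnet ids are caller-supplied assumptions.

```python
import json

# Read-only fields in describe output that create-launch-configuration rejects.
READ_ONLY = {"LaunchConfigurationARN", "CreatedTime"}

# Constructed sample (not real account data) in the shape returned by
# `aws autoscaling describe-launch-configurations`.
SAMPLE_DESCRIBE = json.dumps({"LaunchConfigurations": [
    {"LaunchConfigurationName": "web-lc-v3", "ImageId": "ami-0example",
     "LaunchConfigurationARN": "arn:aws:autoscaling:us-east-1:123456789012:launchConfiguration:web-lc-v3",
     "InstanceType": "t3.small", "SecurityGroups": ["sg-0example"], "KeyName": "",
     "KernelId": "", "RamdiskId": "", "BlockDeviceMappings": [], "UserData": "",
     "CreatedTime": "2021-03-04T10:00:00Z", "AssociatePublicIpAddress": True},
    {"LaunchConfigurationName": "worker-lc-v1", "ImageId": "ami-0example",
     "InstanceType": "t3.medium", "SecurityGroups": ["sg-0example"],
     "CreatedTime": "2021-03-04T10:00:00Z", "AssociatePublicIpAddress": False}]})

def failing_configs(describe_json):
    """Step 1: names failing AutoScaling.5. Like the control, this looks only at
    the launch-configuration flag, not at whether the subnet would assign an IP."""
    return [lc["LaunchConfigurationName"]
            for lc in json.loads(describe_json)["LaunchConfigurations"]
            if lc.get("AssociatePublicIpAddress") is True]

def private_clone(lc, suffix="-private"):
    """Step 2: create-launch-configuration input from a describe record: drop read-only
    fields and empty values ("" KernelId etc.), which create rejects; rename; flag off."""
    params = {k: v for k, v in lc.items()
              if k not in READ_ONLY and v not in ("", [], None)}
    params["LaunchConfigurationName"] = lc["LaunchConfigurationName"] + suffix
    params["AssociatePublicIpAddress"] = False
    return params

def remediation_commands(describe_json, asg_name, private_subnets=()):
    """Steps 2-4 as AWS CLI commands for the caller's group: create the clone,
    repoint the group (optionally into private subnets), refresh instances."""
    cmds = []
    for lc in json.loads(describe_json)["LaunchConfigurations"]:
        if lc.get("AssociatePublicIpAddress") is not True:
            continue
        new = private_clone(lc)
        cmds.append("aws autoscaling create-launch-configuration --cli-input-json '%s'"
                    % json.dumps(new))
        update = ("aws autoscaling update-auto-scaling-group --auto-scaling-group-name %s"
                  " --launch-configuration-name %s" % (asg_name, new["LaunchConfigurationName"]))
        if private_subnets:  # step 4: move the group off public subnets
            update += " --vpc-zone-identifier %s" % ",".join(private_subnets)
        cmds.append(update)
        cmds.append("aws autoscaling start-instance-refresh --auto-scaling-group-name %s" % asg_name)
    return cmds
```

Review the emitted commands before running them; the refresh replaces every instance in the group.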

Remediation script · bash

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is AutoScaling.5 a false positive?

An instance only actually receives a public IP if it lands in a subnet that assigns one, but the control evaluates the launch configuration's own AssociatePublicIpAddress flag, so it fails even where the subnet would never hand out an address.
