Compliance High severity

AWS Security Hub · EC2

EC2.25: A launch template assigns public IPs to new instances

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EC2.25 check?

EC2.25 fails any launch template whose default version has at least one network interface with AssociatePublicIpAddress set to true (or that otherwise assigns a public IP to an interface). It is backed by the AWS Config rule ec2-launch-template-public-ip-disabled, which re-evaluates whenever the template changes. Only the default version is evaluated, so a hardened version that is never promoted does not clear the finding.

Why does EC2.25 matter?

A launch template is a factory: every Auto Scaling event and every fleet scale-out stamps new instances from it, so one flag puts every instance the group launches on the public internet, exposed the moment it boots and before patching or configuration management has run. It is rated High because the exposure grows with traffic and disappears again when the group scales in, so spot-checking running instances will rarely catch it.

How do I fix EC2.25?

  1. Confirm the workload does not need instance-level public IPs. Behind an ALB or NLB it almost never does, since the load balancer owns the public address; instances that only need outbound internet access can route through a NAT gateway instead.
  2. Create a new launch template version with AssociatePublicIpAddress=false on every network interface and promote it to the default version (versions are immutable, so there is no in-place edit). The Config rule evaluates the default version, so an unpromoted version leaves the finding open. If the Auto Scaling group pins a specific version number rather than $Default or $Latest, point it at the new version as well.
  3. Start an Auto Scaling instance refresh (aws autoscaling start-instance-refresh) so running instances cycle out and drop their public IPs; instances launched before the change keep theirs until they are replaced.
  4. Keep the Config rule ec2-launch-template-public-ip-disabled enabled and add an SCP or IaC admission check so a public-by-default template cannot ship again. An SCP can deny ec2:CreateLaunchTemplate and ec2:CreateLaunchTemplateVersion when the ec2:AssociatePublicIpAddress condition key is true.
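The check and steps 2 to 3 as code. This is an added example, not Emnode's script and not an AWS-provided one: the pure functions reproduce what the Config rule looks at (only AssociatePublicIpAddress=true on the default version's interfaces counts, an unset attribute defers to the subnet, and an explicit template value beats the subnet's MapPublicIpOnLaunch), and remediate() drives the fix through the real boto3 method names on client objects you pass in. The template data, IDs and group name are constructed placeholders.

```python
"""Added example (not Emnode's code): the EC2.25 check plus steps 2-3 of the fix,
written against the boto3 EC2 and Auto Scaling client method names. The pure
functions run offline on the constructed sample below; remediate() takes client
objects (boto3.client("ec2"), boto3.client("autoscaling")) as arguments."""
import copy

# Constructed sample: the default version of a template that explicitly asks
# for a public IPv4 on eth0. IDs are placeholders, not real resources.
SAMPLE_TEMPLATE_DATA = {
    "ImageId": "ami-0123456789abcdef0",
    "InstanceType": "t3.micro",
    "NetworkInterfaces": [
        {
            "DeviceIndex": 0,
            "SubnetId": "subnet-0123456789abcdef0",
            "Groups": ["sg-0123456789abcdef0"],
            "AssociatePublicIpAddress": True,
        }
    ],
}


def public_ip_interfaces(template_data):
    """DeviceIndex of every interface with AssociatePublicIpAddress=true.
    This is what ec2-launch-template-public-ip-disabled looks at; an interface
    that leaves the attribute unset is not flagged (the subnet decides, EC2.15)."""
    return [
        nic.get("DeviceIndex")
        for nic in template_data.get("NetworkInterfaces", [])
        if nic.get("AssociatePublicIpAddress") is True
    ]


def is_noncompliant(template_data):
    return bool(public_ip_interfaces(template_data))


def effective_public_ip(template_data, subnet_map_public_ip_on_launch):
    """Does an instance from this template get a public IPv4 on eth0?
    An explicit template setting (true or false) overrides the subnet's
    MapPublicIpOnLaunch; only when the template is silent does the subnet win."""
    for nic in template_data.get("NetworkInterfaces", []):
        if nic.get("DeviceIndex", 0) == 0 and "AssociatePublicIpAddress" in nic:
            return bool(nic["AssociatePublicIpAddress"])
    return bool(subnet_map_public_ip_on_launch)


def harden(template_data):
    """Copy of the template data with public IP assignment disabled on every interface."""
    fixed = copy.deepcopy(template_data)
    for nic in fixed.get("NetworkInterfaces", []):
        nic["AssociatePublicIpAddress"] = False
    return fixed


def remediate(ec2, autoscaling, launch_template_id, asg_name):
    """Create a hardened version, make it the default, repoint a pinned ASG,
    and start an instance refresh. Returns the new version number, or None
    if the default version was already compliant."""
    current = ec2.describe_launch_template_versions(
        LaunchTemplateId=launch_template_id, Versions=["$Default"]
    )["LaunchTemplateVersions"][0]
    data = current["LaunchTemplateData"]
    if not is_noncompliant(data):
        return None

    # SourceVersion inherits everything else; only the NetworkInterfaces block is replaced.
    new_version = ec2.create_launch_template_version(
        LaunchTemplateId=launch_template_id,
        SourceVersion=str(current["VersionNumber"]),
        VersionDescription="EC2.25: AssociatePublicIpAddress=false on all interfaces",
        LaunchTemplateData={"NetworkInterfaces": harden(data)["NetworkInterfaces"]},
    )["LaunchTemplateVersion"]["VersionNumber"]

    # Promote it: the Config rule evaluates the default version, so an
    # unpromoted version leaves the finding open.
    ec2.modify_launch_template(
        LaunchTemplateId=launch_template_id, DefaultVersion=str(new_version)
    )

    # An ASG that pins a version number keeps launching from the old one; repoint it.
    group = autoscaling.describe_auto_scaling_groups(
        AutoScalingGroupNames=[asg_name]
    )["AutoScalingGroups"][0]
    lt_ref = group.get("LaunchTemplate")
    if lt_ref is None:
        raise ValueError(f"{asg_name} uses a MixedInstancesPolicy; update its "
                         "LaunchTemplateSpecification instead")
    if lt_ref.get("Version") not in ("$Default", "$Latest"):
        autoscaling.update_auto_scaling_group(
            AutoScalingGroupName=asg_name,
            LaunchTemplate={"LaunchTemplateId": launch_template_id,
                            "Version": str(new_version)},
        )

    # Cycle running instances so they drop their public IPs (step 3).
    autoscaling.start_instance_refresh(
        AutoScalingGroupName=asg_name, Strategy="Rolling"
    )
    return new_version
```

The verification after running it is the same check the rule performs: describe the template's $Default version again and confirm public_ip_interfaces() returns an empty list, then watch the instance refresh complete before treating the finding as closed.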

Remediation script · bash

# This sweep closes related public exposures (RDS instances and S3 buckets); it does
# not touch launch templates, which are fixed by the numbered steps above.
# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
# 123456789012 is a placeholder; substitute your own account ID.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is EC2.25 a false positive?

Usually not. If a launch template's network interface explicitly sets AssociatePublicIpAddress, that value overrides the subnet's MapPublicIpOnLaunch attribute, so a workload can sit in a private subnet and still get public IPs because the template asked for them. Fixing the subnet (EC2.15) alone does not clear this finding; the template has to change. The reverse also holds: a template whose interface leaves the attribute unset passes EC2.25 even when the subnet auto-assigns public IPs, which is what EC2.15 exists to catch.

Part of the learning path Trim your network spend
  • EC2.1 An EBS snapshot is publicly restorable by any account
  • EC2.2 Default security groups still allow traffic
  • EC2.3 Attached EBS volumes are not encrypted at rest
  • EC2.4 Long-stopped instances are abandoned attack surface
  • EC2.6 No VPC flow logs, so there is no network audit trail
  • EC2.7 New EBS volumes are not encrypted by default
  • EC2.8 IMDSv1 lets an SSRF steal instance credentials
  • EC2.9 Instances are directly reachable on public IPv4
  • EC2.10 EC2 API traffic leaves the VPC over the internet
  • EC2.13 SSH (port 22) is open to the entire internet
  • EC2.14 RDP (port 3389) is open to the entire internet
  • EC2.15 Subnets auto-assign public IPs to new instances