AutoScaling LaunchConfiguration Assigns Public IP
autoscaling-launch-config-public-ip
What this rule checks
Detects AWS::AutoScaling::LaunchConfiguration resources with AssociatePublicIpAddress set to true. Every instance launched from such a configuration receives a public IP address and, given a subnet route to an internet gateway and a permissive security group, is reachable directly from the internet rather than only through a load balancer.
How to fix it
1. Set AssociatePublicIpAddress to false on the LaunchConfiguration
2. Place instances in private subnets behind an ALB / NLB
3. Use a NAT Gateway / VPC endpoints for outbound traffic
4. Migrate to AWS::EC2::LaunchTemplate (LaunchConfiguration is deprecated)
Flagged: a LaunchConfiguration that assigns a public IP

import { aws_ec2 as ec2, aws_autoscaling as autoscaling } from 'aws-cdk-lib';
const vpc = new ec2.Vpc(this, 'Vpc');
const lc = new autoscaling.CfnLaunchConfiguration(this, 'Lc', {
  imageId: 'ami-0abcdef1234567890',
  instanceType: 't3.micro',
  associatePublicIpAddress: true,
});

Fixed: an AutoScalingGroup in private subnets with no public IP

import { aws_ec2 as ec2, aws_autoscaling as autoscaling } from 'aws-cdk-lib';
const vpc = new ec2.Vpc(this, 'Vpc');
const asg = new autoscaling.AutoScalingGroup(this, 'Asg', {
  vpc,
  vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
  machineImage: ec2.MachineImage.latestAmazonLinux2023(),
  associatePublicIpAddress: false,
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
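The check this rule performs, written out as an added example that is not CDK Insights' own code: it walks a synthesised CloudFormation template (the JSON in cdk.out) and reports every LaunchConfiguration whose AssociatePublicIpAddress is set. It goes one step beyond the rule by also inspecting AWS::EC2::LaunchTemplate network interfaces, since the migration in step 4 can quietly re-introduce the same exposure. The template, its logical IDs and the AMI value are constructed for illustration.

```typescript
// Added example, not CDK Insights' implementation. Input is a synthesised
// CloudFormation template; the sample template below is constructed.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface Finding {
  logicalId: string;
  resourceType: string;
  path: string; // property path that triggered the finding
}

// CloudFormation booleans may be emitted as true or as the string "true".
const isTrue = (v: unknown): boolean => v === true || v === 'true';

function findPublicIpLaunchConfigs(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    const props = res.Properties ?? {};
    // The rule itself: LaunchConfiguration with AssociatePublicIpAddress on.
    if (res.Type === 'AWS::AutoScaling::LaunchConfiguration' &&
        isTrue(props.AssociatePublicIpAddress)) {
      findings.push({ logicalId, resourceType: res.Type, path: 'AssociatePublicIpAddress' });
    }
    // Beyond the rule: a LaunchTemplate assigns public IPs per network interface.
    if (res.Type === 'AWS::EC2::LaunchTemplate') {
      const nics: any[] = props.LaunchTemplateData?.NetworkInterfaces ?? [];
      nics.forEach((nic, i) => {
        if (isTrue(nic?.AssociatePublicIpAddress)) {
          findings.push({ logicalId, resourceType: res.Type,
            path: `LaunchTemplateData.NetworkInterfaces[${i}].AssociatePublicIpAddress` });
        }
      });
    }
  }
  return findings;
}

// Constructed sample: one flagged LaunchConfiguration, one compliant one,
// and one LaunchTemplate that assigns a public IP via its first interface.
const sampleTemplate: CfnTemplate = {
  Resources: {
    Lc: { Type: 'AWS::AutoScaling::LaunchConfiguration',
          Properties: { ImageId: 'ami-0abcdef1234567890', InstanceType: 't3.micro',
                        AssociatePublicIpAddress: true } },
    PrivateLc: { Type: 'AWS::AutoScaling::LaunchConfiguration',
                 Properties: { ImageId: 'ami-0abcdef1234567890', InstanceType: 't3.micro',
                               AssociatePublicIpAddress: false } },
    Lt: { Type: 'AWS::EC2::LaunchTemplate',
          Properties: { LaunchTemplateData: {
            NetworkInterfaces: [{ DeviceIndex: 0, AssociatePublicIpAddress: 'true' }] } } },
  },
};
```

Running findPublicIpLaunchConfigs(sampleTemplate) returns two findings, Lc and Lt; PrivateLc is not reported.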
Affected resource types
AWS::AutoScaling::LaunchConfiguration

Intentional? Suppress this finding
Sometimes a flag is deliberate: a genuinely public endpoint, say. You can dismiss autoscaling-launch-config-public-ip and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
  "ignoreRules": [
    { "id": "autoscaling-launch-config-public-ip", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:
Validations.of(scope).acknowledge({
  id: 'cdk-insights::autoscaling-launch-config-public-ip',
  reason: 'Why this is intentional',
});

Use the rule ID autoscaling-launch-config-public-ip shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths.
Catch this in your stack
$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app: free, no account, your code never leaves your machine.