---
title: EC2 instance has public IP
description: Datadog, the leading service for cloud-scale monitoring.
---

# EC2 instance has public IP

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_instance_module.html)

### Description{% #description %}

EC2 instances and launch templates that automatically receive a public IPv4 address are reachable directly from the internet as soon as the subnet's route table and the attached security groups allow it, which widens the attack surface and raises the risk of unauthorized access or exploitation. Workloads that do not need inbound connections from the internet should keep only a private address and reach outbound services through a NAT gateway or VPC endpoints.

For Ansible tasks, check the following module properties:

- For `amazon.aws.ec2_launch_template` / `ec2_launch_template`: `network_interfaces.associate_public_ip_address`
- For `amazon.aws.ec2_instance` / `ec2_instance`: `network.assign_public_ip`

Each property must be explicitly set to `false` (or `'no'`). The rule flags resources where the property is truthy (for example, `true`, `yes`, `'on'`); it does not flag resources that omit the property altogether. Omission is not the same as a private instance, though: when neither property is set, AWS falls back to the subnet's auto-assign public IPv4 setting (`MapPublicIpOnLaunch`, exposed by `amazon.aws.ec2_vpc_subnet` as `map_public`), so an instance launched into a subnet with that flag enabled still receives a public address without this rule noticing. Set the property explicitly to `false` rather than relying on the default.

Secure examples:

```yaml
- name: Launch instance without public IP (ec2_instance)
  amazon.aws.ec2_instance:
    name: my-instance
    network:
      assign_public_ip: false

- name: Create launch template without public IP
  amazon.aws.ec2_launch_template:
    name: my-template
    network_interfaces:
      - device_index: 0
        associate_public_ip_address: false
```
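The check the rule performs, written out as a small scanner over already-parsed Ansible tasks. This is an added example, not Datadog's rule engine or the Ansible collection's code, and the task data at the bottom is constructed to mirror the examples on this page (in practice you would feed it the result of `yaml.safe_load` on a playbook). It accepts both module name spellings, handles the quoted and unquoted truthy spellings Ansible accepts (`yes`, `'on'`, `1`, `true`), and tolerates `network_interfaces` written as a bare mapping as well as the list the module expects.

```python
"""Flag Ansible tasks that auto-assign a public IPv4 address to EC2 resources.

Added example; the module names and property paths come from the rule text above,
the sample tasks are constructed for illustration.
"""

INSTANCE_MODULES = {"amazon.aws.ec2_instance", "ec2_instance"}
TEMPLATE_MODULES = {"amazon.aws.ec2_launch_template", "ec2_launch_template"}

# Spellings Ansible/YAML 1.1 treat as boolean true when they survive as strings.
TRUTHY_STRINGS = {"true", "yes", "on", "y", "1"}


def is_truthy(value):
    """Return True for any value Ansible would interpret as boolean true."""
    if isinstance(value, bool):          # bool is checked before int: True is an int
        return value
    if isinstance(value, int):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in TRUTHY_STRINGS
    return False                          # None, lists, dicts, etc.


def find_module(task):
    """Return (module_name, params) for the first EC2 module key in a task, else None."""
    for key, value in task.items():
        if key in INSTANCE_MODULES or key in TEMPLATE_MODULES:
            params = value if isinstance(value, dict) else {}
            return key, params
    return None


def public_ip_settings(task):
    """Return [(property_path, raw_value)] for settings that request a public IP."""
    found = find_module(task)
    if found is None:
        return []
    module, params = found
    hits = []
    if module in INSTANCE_MODULES:
        network = params.get("network")
        if isinstance(network, dict) and is_truthy(network.get("assign_public_ip")):
            hits.append(("network.assign_public_ip", network["assign_public_ip"]))
    else:
        nics = params.get("network_interfaces")
        if isinstance(nics, dict):        # tolerate a bare mapping, as some playbooks write it
            nics = [nics]
        for idx, nic in enumerate(nics or []):
            if isinstance(nic, dict) and is_truthy(nic.get("associate_public_ip_address")):
                hits.append((
                    f"network_interfaces[{idx}].associate_public_ip_address",
                    nic["associate_public_ip_address"],
                ))
    return hits


def scan_tasks(tasks):
    """Return the names of tasks that violate the rule, in playbook order."""
    return [task.get("name", "<unnamed>") for task in tasks if public_ip_settings(task)]


# Constructed sample tasks mirroring the page's examples (not from a real playbook).
SAMPLE_TASKS = [
    {"name": "Launch instance without public IP",
     "amazon.aws.ec2_instance": {"name": "my-instance",
                                 "network": {"assign_public_ip": False}}},
    {"name": "Template with no network block",
     "amazon.aws.ec2_launch_template": {"name": "my_template", "instance_type": "t2.micro"}},
    {"name": "Instance with yes",
     "amazon.aws.ec2_instance": {"name": "my-instance",
                                 "network": {"assign_public_ip": "yes"}}},
    {"name": "Template with public IP",
     "ec2_launch_template": {"name": "my_template",
                             "network_interfaces": [{"device_index": 0,
                                                     "associate_public_ip_address": True}]}},
    {"name": "Unrelated task", "ansible.builtin.debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        for path, value in public_ip_settings(task):
            print(f"{task['name']}: {path} = {value!r}")
```

Because the scanner only looks at the two properties the rule names, a task that omits them passes even when the target subnet auto-assigns public addresses; that gap is by design here and matches the rule's behaviour described above.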

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Launch instance without public IP
  amazon.aws.ec2_instance:
    name: my-instance
    key_name: mykey
    instance_type: t2.micro
    vpc_subnet_id: subnet-29e63245
    network:
      assign_public_ip: false
- name: Create an ec2 launch template
  amazon.aws.ec2_launch_template:
    name: my_template
    image_id: ami-04b762b4289fba92b
    key_name: my_ssh_key
    instance_type: t2.micro
- name: Create an ec2 launch template
  amazon.aws.ec2_launch_template:
    name: "my_template"
    image_id: "ami-04b762b4289fba92b"
    key_name: my_ssh_key
    instance_type: t2.micro
    network_interfaces:
      - interface_type: interface
        ipv6_addresses: []
        mac_address: '0e:0e:36:60:67:cf'
        network_interface_id: eni-061dee20eba3b445a
        owner_id: '721066863947'
        source_dest_check: true
        status: "in-use"
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: example
  amazon.aws.ec2_instance:
    name: my-instance
    key_name: mykey
    instance_type: t2.micro
    vpc_subnet_id: subnet-29e63245
    network:
      assign_public_ip: yes
- name: Create an ec2 launch template
  amazon.aws.ec2_launch_template:
    name: "my_template"
    image_id: "ami-04b762b4289fba92b"
    key_name: my_ssh_key
    instance_type: t2.micro
    network_interfaces:
      - device_index: 0
        associate_public_ip_address: true
- name: start an instance with a public IP address
  amazon.aws.ec2_instance:
    name: "public-compute-instance"
    key_name: "prod-ssh-key"
    vpc_subnet_id: subnet-5ca1ab1e
    instance_type: c5.large
    security_group: default
    network:
      assign_public_ip: true
```
