Risk Level: Critical
Cloud Entity: Subnet
CloudGuard Rule ID: D9.AWS.NET.47
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

Subnet should not have mapPublicIpOnLaunch=true

REMEDIATION

From Portal

Log in to the AWS console and open Amazon VPC console https://console.aws.amazon.com/vpc/home.
In the console, select the specific region.
Navigate to the 'VPC' service.
In the navigation pane, click 'Subnets'.
Select the identified Subnet and click on Actions and Select the option 'Edit subnet settings.
Disable the 'Auto-Assign IP' option and save it.

From TF
To disable automatic public IP assignment:

resource "aws_subnet" "main_public_1" {
  + map_public_ip_on_launch = false
  - map_public_ip_on_launch = true
}

From Command Line
To disable public IP assignment on AWS VPC subnets, run:

aws ec2 modify-subnet-attribute --subnet-id SUBNET-ID --no-map-public-ip-on-launch

References

Subnet

A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard CheckUp
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Default Ruleset