Ensure AWS VPC subnets have automatic public IP assignment disabled

A VPC subnet is a part of the VPC, with its own rules for traffic. Subnets with automatic Public IP assignment can inadvertently expose the instances within this subnet to the internet. It is recommended to disable this feature for subnets.

Risk Level: Critical
Cloud Entity: Subnet
CloudGuard Rule ID: D9.AWS.NET.47
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

Subnet should not have mapPublicIpOnLaunch=true

REMEDIATION

From Portal

  1. Log in to the AWS console and open Amazon VPC console https://console.aws.amazon.com/vpc/home.
  2. In the console, select the specific region .
  3. Navigate to the 'VPC' service.
  4. In the navigation pane, click 'Subnets'.
  5. Select the identified Subnet and click on Actions and Select the option 'Edit subnet settings.
  6. Disable the 'Auto-Assign IP' option and save it.

From TF
To disable automatic public IP assignment :

resource "aws_subnet" "main_public_1" {
	+ map_public_ip_on_launch = false
	- map_public_ip_on_launch = true
}

From Command Line
To disable public IP assignment on AWS VPC subnets , run:

aws ec2 modify-subnet-attribute --subnet-id SUBNET-ID --no-map-public-ip-on-launch

References

  1. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
  2. https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html
  3. https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-subnet-attribute.html

Subnet

A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset