Ensure AWS VPC subnets have automatic public IP assignment disabled

A VPC subnet is a part of the VPC with its own rules for traffic. A subnet with automatic public IP assignment enabled can inadvertently expose the instances launched in it to the internet. It is recommended to disable this feature for subnets.

Risk Level: Medium
Cloud Entity: VPC Subnet
CloudGuard Rule ID: D9.CFT.NET.02
Covered by Spectral: Yes
Category: Networking & Content Delivery


AWS_EC2_Subnet should not have MapPublicIpOnLaunch=true


From CFT
Set the MapPublicIpOnLaunch property of AWS::EC2::Subnet to false.
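
The rule above can be checked against a template before deployment. The following is an added example, not CloudGuard's or Spectral's own code: the template, the parameter name AutoPublicIp and the helper names are constructed for illustration. It assumes a JSON template and resolves only a Ref to a parameter's Default; other intrinsic functions are not evaluated.

```python
import json

# Constructed sample template, trimmed to the properties the check reads
# (a deployable subnet also needs VpcId).
TEMPLATE = json.loads("""
{
  "Parameters": {"AutoPublicIp": {"Type": "String", "Default": "true"}},
  "Resources": {
    "PublicSubnet":  {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": true}},
    "StringSubnet":  {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": "true"}},
    "ParamSubnet":   {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": {"Ref": "AutoPublicIp"}}},
    "PrivateSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": false}},
    "DefaultSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.4.0/24"}},
    "Vpc":           {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}}
  }
}
""")


def resolve(value, parameters):
    """Follow a {"Ref": <parameter>} to the parameter's Default, if it has one."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return parameters.get(value["Ref"], {}).get("Default")
    return value


def is_true(value):
    """Booleans may be written as JSON true or as the string "true"; compare case-insensitively."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def find_violations(template):
    """Return logical IDs of AWS::EC2::Subnet resources with MapPublicIpOnLaunch=true."""
    parameters = template.get("Parameters", {})
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Subnet":
            continue
        # An omitted property means the subnet does not auto-assign public IPs.
        raw = resource.get("Properties", {}).get("MapPublicIpOnLaunch", False)
        if is_true(resolve(raw, parameters)):
            violations.append(logical_id)
    return sorted(violations)


if __name__ == "__main__":
    print(find_violations(TEMPLATE))
```

A Ref to a parameter without a Default is not flagged by this check, because the value is only known at deploy time; such templates need the parameter value supplied to the check separately.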


  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html

VPC Subnet

After you create a VPC, you can add one or more subnets in each Availability Zone. A subnet is a range of IP addresses in your VPC. You can launch AWS resources, such as EC2 instances, into a specific subnet. When you create a subnet, you specify the IPv4 CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single zone.

Compliance Frameworks

  • AWS CloudFormation ruleset