This rule states that EC2 subnets should not automatically assign public IP addresses, so that instances launched into them are not exposed directly to the internet.
Rule | EC2 subnets should not automatically assign public IP addresses
Framework | AWS Foundational Security Best Practices
Severity | Medium
Rule Description
The rule "EC2 subnets should not automatically assign public IP addresses" is one of the AWS Foundational Security Best Practices. It checks that the subnet's auto-assign public IPv4 setting is disabled, so that EC2 instances launched into the subnet do not receive a public IP address automatically. Public IP addresses increase the attack surface and expose instances directly to the internet, raising the risk of unauthorized access.
With automatic public IP assignment disabled, instances in the subnet receive only private IP addresses. If a specific instance does need to communicate with the internet, an Elastic IP (EIP) can be associated with it deliberately rather than by default.
Remediation Steps
Troubleshooting
If instances within a subnet are being assigned public IP addresses automatically, there is likely a misconfiguration that needs to be addressed. Follow the troubleshooting steps below:
Verify the VPC configuration:
Review the subnet configuration:
Check the instance launch settings:
Remediation Steps
To disable automatic public IP assignment for an EC2 subnet, follow these steps:
Sign in to the AWS Management Console.
Open the Amazon VPC console.
In the navigation pane, select "Subnets" and choose the relevant subnet.
Open the "Actions" dropdown and click "Modify auto-assign IP settings".
Deselect the checkbox for "Auto-assign IPv4" and click "Save".
CLI Command
The following AWS CLI command can be used to disable automatic public IP assignment for a specific subnet:
aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch
Replace <subnet-id> with the actual ID of the subnet where you want to disable automatic public IP assignment. The --no-map-public-ip-on-launch option clears the subnet's auto-assign public IPv4 attribute; the separate --no-assign-ipv6-address-on-creation option controls only IPv6 auto-assignment and does not affect public IPv4 addresses.
Conclusion
Disabling automatic public IP assignment for EC2 subnets aligns with AWS Foundational Security Best Practices and reduces the exposure of instances to the public internet. By following the remediation steps above and executing the CLI command, you can enforce a more secure network configuration.
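As an added example that is not part of the original page, the following Python script audits the output of aws ec2 describe-subnets for subnets whose MapPublicIpOnLaunch attribute is true (the condition this rule flags) and emits the matching remediation command for each one. The JSON sample embedded in the script is constructed for illustration and contains only the fields the check needs; the subnet and VPC IDs in it are placeholders, not real resources. The function and variable names are the author's choices here, not part of any AWS tooling.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-subnets`
# (real output carries many more fields; only those used here are kept).
# Subnet and VPC IDs are placeholders.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0a1b2c3d4e5f60001", "VpcId": "vpc-0aaa",
         "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True,
         "AssignIpv6AddressOnCreation": False,
         "Tags": [{"Key": "Name", "Value": "public-a"}]},
        {"SubnetId": "subnet-0a1b2c3d4e5f60002", "VpcId": "vpc-0aaa",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False,
         "AssignIpv6AddressOnCreation": False,
         "Tags": [{"Key": "Name", "Value": "private-a"}]},
        # IPv6 auto-assign on, but it is MapPublicIpOnLaunch that this rule cares about.
        {"SubnetId": "subnet-0a1b2c3d4e5f60003", "VpcId": "vpc-0bbb",
         "CidrBlock": "10.1.0.0/24", "MapPublicIpOnLaunch": True,
         "AssignIpv6AddressOnCreation": True},
    ]
})


def name_tag(subnet):
    """Return the value of the Name tag, or an empty string if the subnet has none."""
    for tag in subnet.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def find_noncompliant_subnets(describe_output):
    """Parse describe-subnets JSON and return the subnets that auto-assign public IPv4.

    A subnet is non-compliant with this rule exactly when MapPublicIpOnLaunch is true;
    AssignIpv6AddressOnCreation is deliberately ignored, since it is a different setting.
    """
    data = json.loads(describe_output)
    findings = []
    for subnet in data.get("Subnets", []):
        if subnet.get("MapPublicIpOnLaunch", False):
            findings.append({
                "SubnetId": subnet["SubnetId"],
                "VpcId": subnet.get("VpcId", ""),
                "Name": name_tag(subnet),
            })
    return findings


def remediation_commands(findings):
    """Build one `aws ec2 modify-subnet-attribute` command per non-compliant subnet."""
    return [
        "aws ec2 modify-subnet-attribute --subnet-id {} --no-map-public-ip-on-launch".format(f["SubnetId"])
        for f in findings
    ]


def main():
    # In practice, feed this the real output of `aws ec2 describe-subnets --output json`.
    findings = find_noncompliant_subnets(SAMPLE_DESCRIBE_SUBNETS)
    if not findings:
        print("All subnets are compliant: no subnet auto-assigns public IPv4 addresses.")
        return
    print("Subnets that auto-assign public IPv4 addresses:")
    for f in findings:
        print("  {SubnetId} (vpc={VpcId}, name={Name!r})".format(**f))
    print("Remediation commands (review before running):")
    for cmd in remediation_commands(findings):
        print("  " + cmd)


if __name__ == "__main__":
    main()
```

Run the script against saved describe-subnets output to get a list of subnets to fix and the exact commands to fix them; review the list first, since a subnet that intentionally hosts internet-facing load balancers or bastion hosts may be expected to keep the setting, and that decision belongs to the subnet owner rather than to the script.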