
Rule: VPC Subnet Auto Assign Public IP Should Be Disabled

Ensure VPC subnets have public IP auto-assign disabled for enhanced security.

Rule: VPC subnet auto assign public IP should be disabled
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description: VPC Subnet Auto Assign Public IP Disabled

This rule requires that the automatic assignment of public IP addresses be disabled on subnets within an Amazon Virtual Private Cloud (VPC), as part of the CISA Cyber Essentials framework. With auto-assign disabled, instances launched into the subnet do not receive a public IP address by default, which reduces the attack surface exposed to the internet.

Troubleshooting Steps:

If public IP assignment is enabled on a VPC subnet, resources launched there may be exposed directly to the internet, leaving them open to unauthorized access or malicious activity. To verify and remediate this issue:

  1. Check whether the auto-assign public IP attribute is enabled or disabled on each of the VPC's subnets.
  2. Identify the subnets that have public IP auto-assignment enabled.
  3. Determine whether any resources within these subnets require public IPs and whether alternatives can be used instead, such as NAT gateways or manually assigned Elastic IPs (EIPs).
  4. Disable the auto-assign public IP attribute for the affected subnets.

Remediation Steps:

To remediate the issue and disable auto-assign public IP for VPC subnets, follow these step-by-step instructions:

  1. Log in to the AWS Management Console.
  2. Open the Amazon VPC service.
  3. In the navigation pane, click on "Subnets".
  4. Select the subnet that needs to have auto-assign public IP disabled.
  5. In the bottom panel, click on the "Actions" button and select "Modify auto-assign IP settings."
  6. Uncheck the "Auto-assign Public IP" checkbox.
  7. Click on the "Save" button to apply the changes.
  8. Repeat steps 4-7 for all the subnets within the VPC where auto-assign public IP should be disabled.
  9. Verify that the auto-assign public IP attribute is now disabled for the selected subnets.

Note: Disabling auto-assign public IP may require appropriate updates to routing and NAT configurations within the VPC. Make sure to review any potential impact on connectivity and update your routing and NAT configurations accordingly.

Relevant Code:

If you prefer to use the AWS Command Line Interface (CLI) to disable auto-assign public IP for VPC subnets, you can use the following command:

aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch

Replace <subnet-id> with the ID of the subnet where you want to disable auto-assign public IP.

Remember to execute the above command for each affected subnet in the VPC.

Please note that proper authentication and authorization using AWS credentials with necessary permissions are required to execute this command successfully.
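To cover every subnet in an account rather than one at a time, the troubleshooting steps above (check the attribute, identify the offending subnets, then disable it) can be scripted against the EC2 API. The following is an added example using boto3, not code from Cloud Defense or AWS; the sample describe-subnets response and its subnet and VPC IDs are constructed, and the remediation defaults to a dry run so that step 3 (deciding whether anything really needs a public IP) can be done first.

```python
"""Audit and remediate VPC subnets that auto-assign public IPs (boto3)."""
from typing import Dict, List

# Constructed sample in the shape of an ec2.describe_subnets() response,
# trimmed to the fields this check needs. All IDs here are made up.
SAMPLE_RESPONSE = {
    "Subnets": [
        {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0111",
         "MapPublicIpOnLaunch": True, "Tags": [{"Key": "Name", "Value": "web"}]},
        {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0111",
         "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0222",
         "MapPublicIpOnLaunch": True},
    ]
}


def find_auto_public_ip_subnets(response: Dict) -> Dict[str, List[str]]:
    """Return {vpc_id: [subnet_id, ...]} for subnets whose MapPublicIpOnLaunch
    attribute is enabled, i.e. the subnets that fail this rule."""
    findings: Dict[str, List[str]] = {}
    for subnet in response.get("Subnets", []):
        if subnet.get("MapPublicIpOnLaunch", False):
            findings.setdefault(subnet["VpcId"], []).append(subnet["SubnetId"])
    return findings


def disable_auto_public_ip(subnet_ids, ec2=None, dry_run=True) -> List[str]:
    """Disable MapPublicIpOnLaunch on each subnet (the API equivalent of the
    CLI's --no-map-public-ip-on-launch). With dry_run=True nothing is changed
    and the planned subnet IDs are returned; with dry_run=False the boto3
    client (created here if none is passed in) applies the change."""
    if not dry_run and ec2 is None:
        import boto3  # imported lazily so the audit runs without boto3 installed
        ec2 = boto3.client("ec2")
    planned = []
    for subnet_id in subnet_ids:
        if not dry_run:
            ec2.modify_subnet_attribute(
                SubnetId=subnet_id, MapPublicIpOnLaunch={"Value": False})
        planned.append(subnet_id)
    return planned


if __name__ == "__main__":
    import boto3
    client = boto3.client("ec2")
    found = find_auto_public_ip_subnets(client.describe_subnets())
    for vpc_id, subnets in found.items():
        print(f"{vpc_id}: auto-assign public IP enabled on {', '.join(subnets)}")
    # Review the findings, then rerun with dry_run=False to remediate.
    disable_auto_public_ip(sum(found.values(), []), ec2=client, dry_run=True)
```

Running it requires credentials permitted to describe and modify subnet attributes, as with the CLI command above.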

Conclusion:

By disabling auto-assign public IP for your VPC subnets, you ensure that resources within those subnets are not directly exposed to the internet. This mitigates potential security risks and aligns with the CISA Cyber Essentials framework's guidelines.
