Ensure VPC subnets have public IP auto-assign disabled for enhanced security.
| Rule | VPC subnet auto assign public IP should be disabled |
| Framework | CISA-cyber-essentials |
| Severity | Medium |
Rule Description: VPC Subnet Auto Assign Public IP Disabled
This rule sets the requirement for disabling the automatic assignment of public IP addresses to subnets within an Amazon Virtual Private Cloud (VPC) as part of the CISA Cyber Essentials framework. With auto-assign public IP disabled, resources launched into the subnet do not receive a public IP address by default, which reduces the attack surface reachable from the internet.
Troubleshooting Steps:
If public IP assignment is enabled for VPC subnets, resources launched into them can be exposed directly to the internet, leaving them open to unauthorized access or malicious activity. Troubleshooting steps to verify and remediate this issue are as follows:
Remediation Steps:
To remediate the issue and disable auto-assign public IP for VPC subnets, follow these step-by-step instructions:
Note: Disabling auto-assign public IP may require appropriate updates to routing and NAT configurations within the VPC. Make sure to review any potential impact on connectivity and update your routing and NAT configurations accordingly.
Relevant Code:
If you prefer to use the AWS Command Line Interface (CLI) to disable auto-assign public IP for VPC subnets, you can use the following command:
aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch
Replace <subnet-id> with the ID of the subnet where you want to disable auto-assign public IP. Remember to execute the above command for each affected subnet in the VPC.
Please note that the command only succeeds when run with AWS credentials that carry the necessary permissions.
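As an added example that is not part of this rule page, the following shell script audits every subnet in a VPC for MapPublicIpOnLaunch and emits (or, when DRY_RUN=0, runs) the modify-subnet-attribute command above for each subnet that still auto-assigns public IPs. It assumes the AWS CLI is installed and credentials are configured; the embedded sample rows and subnet IDs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the rule page: audit a VPC's subnets for
# MapPublicIpOnLaunch=true and emit (or run) the remediation command.
# Assumes the AWS CLI is installed and credentials are configured.
set -eu

# Constructed sample rows in the shape returned by
#   aws ec2 describe-subnets --output text \
#       --query 'Subnets[].[SubnetId,MapPublicIpOnLaunch]'
SAMPLE_SUBNETS=$(printf 'subnet-0aaa0001\tTrue\nsubnet-0aaa0002\tFalse\nsubnet-0aaa0003\tTrue')

# Live query for one VPC (VPC id supplied by the caller).
describe_subnets() {
    aws ec2 describe-subnets \
        --filters "Name=vpc-id,Values=$1" \
        --query 'Subnets[].[SubnetId,MapPublicIpOnLaunch]' \
        --output text
}

# Read "<subnet-id> <True|False>" rows on stdin; print the IDs that
# still auto-assign public IPs, one per line.
noncompliant_subnets() {
    awk '$2 == "True" { print $1 }'
}

# Read subnet IDs on stdin and disable auto-assign on each. With
# DRY_RUN=1 (the default) only print the exact command that would run.
remediate_subnets() {
    while IFS= read -r subnet_id; do
        [ -n "$subnet_id" ] || continue
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "aws ec2 modify-subnet-attribute --subnet-id $subnet_id --no-map-public-ip-on-launch"
        else
            aws ec2 modify-subnet-attribute --subnet-id "$subnet_id" --no-map-public-ip-on-launch
        fi
    done
}

# Usage: sh audit_subnets.sh [vpc-id]; with no VPC id the constructed
# sample is audited instead of calling AWS.
main() {
    if [ "${1:-}" = "" ]; then
        printf '%s\n' "$SAMPLE_SUBNETS" | noncompliant_subnets | remediate_subnets
    else
        describe_subnets "$1" | noncompliant_subnets | remediate_subnets
    fi
}
main "$@"
```

Review the dry-run output before setting DRY_RUN=0, since changing the subnet attribute only affects instances launched afterwards and, as noted above, may call for routing and NAT changes.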
Conclusion:
By disabling auto-assign public IP for your VPC subnets, you ensure that resources within those subnets are not directly exposed to the internet. This mitigates potential security risks and aligns with the CISA Cyber Essentials framework's guidelines.