This rule checks that VPC subnets do not automatically assign public IPv4 addresses to the instances launched into them.
| Attribute | Value |
| --- | --- |
| Rule | VPC subnet auto assign public IP should be disabled |
| Framework | FedRAMP Low Revision 4 |
| Severity | Medium |
VPC Subnet Auto Assign Public IP Disabled for FedRAMP Low Revision 4
FedRAMP (Federal Risk and Authorization Management Program) is the US government program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. Under the FedRAMP Low Revision 4 baseline, this rule requires that VPC subnets not automatically assign public IP addresses to instances, so that only resources deliberately intended to be internet-facing receive one.
Rule Details
When the auto-assign public IP attribute (MapPublicIpOnLaunch) is enabled on a VPC subnet, every EC2 instance launched into that subnet without an explicit override gets a public IPv4 address on its primary network interface. The attribute governs future launches only: changing it neither adds nor removes addresses on instances that already exist. For FedRAMP compliance at the Low impact level, public IP addresses should be assigned only to resources that are deliberately intended to be reached from the internet, so the attribute must be disabled. This keeps exposure an explicit per-instance decision rather than a subnet-wide default and reduces the risk of accidentally internet-facing workloads.
Troubleshooting Steps
If the auto-assign public IP attribute is enabled on a subnet, work through the following to scope and remediate the finding:
Verify Subnet Settings: Confirm the subnet's MapPublicIpOnLaunch attribute through the EC2 DescribeSubnets API or the VPC console, and check whether the subnet's route table has a route to an internet gateway (an auto-assigned address is only reachable if it does, but it should not be handed out by default either way).
Identify Affected Instances: List the instances launched into the subnet that currently hold a public IPv4 address (the PublicIpAddress field of DescribeInstances). These keep their address after the subnet attribute is disabled and need to be reviewed individually; instances with Elastic IPs attached are independent of the subnet attribute altogether.
Audit Logs: Review CloudTrail for ModifySubnetAttribute events on the subnet to establish who enabled the setting and when, and whether the change was intentional or part of a repeated pattern (for example a provisioning template that enables it by default).
Remediation Steps
To disable the auto-assign public IP feature:
AWS CLI Commands
To update the subnet setting via AWS CLI:
aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch
Replace <subnet-id> with your actual subnet ID. Run the command once for each non-compliant subnet in every region you operate in; the change takes effect for subsequent launches only.
Additional Compliance Validation
After remediation, confirm that no unintended resources still hold public IP addresses: instances launched before the change keep theirs until they are stopped and started (auto-assigned public IPv4 addresses are released on stop) or replaced, and Elastic IPs are unaffected by the subnet attribute. Instances that need only outbound internet access belong in a private subnet with a NAT gateway (or NAT instance) for egress rather than a public address of their own.
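The scoping and remediation steps above, collected into one script. This is an added example for this page, not tooling from the page's author or from AWS: the check functions operate on the plain dict shape returned by the EC2 DescribeSubnets and DescribeInstances APIs, so they run offline against the constructed sample data embedded below (subnet and instance IDs, VPC ID and the 203.0.113.0/24 addresses are all made up), and `main()` fetches live data with boto3 when the script is run directly.

```python
"""Audit VPC subnets for auto-assign public IP and plan remediation.

The check functions work on the dict shape returned by the EC2
DescribeSubnets / DescribeInstances APIs (aws ec2 describe-subnets,
aws ec2 describe-instances), so they run offline against the constructed
sample below. main() pulls live data with boto3 when run directly.
"""
from __future__ import annotations

import json
import sys

# Constructed sample data for this example, not real account output.
# Subnets ...0001 and ...0003 auto-assign public IPs; ...0002 does not.
SAMPLE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0a1b2c3d4e5f60001", "VpcId": "vpc-0123456789abcdef0",
         "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0a1b2c3d4e5f60002", "VpcId": "vpc-0123456789abcdef0",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0a1b2c3d4e5f60003", "VpcId": "vpc-0123456789abcdef0",
         "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": True},
    ]
}
# Public addresses below come from the TEST-NET-3 documentation range (203.0.113.0/24).
SAMPLE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            # Received its address from the subnet's auto-assign setting.
            {"InstanceId": "i-0aaa111122223333a", "SubnetId": "subnet-0a1b2c3d4e5f60001",
             "PublicIpAddress": "203.0.113.10", "State": {"Name": "running"}},
            # Private subnet, no public address.
            {"InstanceId": "i-0bbb111122223333b", "SubnetId": "subnet-0a1b2c3d4e5f60002",
             "State": {"Name": "running"}},
            # Private subnet but an Elastic IP is attached: fixing the subnet alone leaves it.
            {"InstanceId": "i-0ccc111122223333c", "SubnetId": "subnet-0a1b2c3d4e5f60002",
             "PublicIpAddress": "203.0.113.11", "State": {"Name": "running"}},
        ]}
    ]
}


def noncompliant_subnets(describe_subnets: dict) -> list[str]:
    """Subnet IDs whose MapPublicIpOnLaunch attribute is enabled."""
    return sorted(s["SubnetId"] for s in describe_subnets["Subnets"]
                  if s.get("MapPublicIpOnLaunch", False))


def instances_with_public_ip(describe_instances: dict, describe_subnets: dict) -> list[dict]:
    """Every instance holding a public IPv4, annotated with its subnet's auto-assign state.

    Instances launched before the attribute was disabled keep their address, and
    Elastic IPs are independent of the attribute, so all subnets are inspected,
    not only the non-compliant ones.
    """
    auto_assign = {s["SubnetId"]: bool(s.get("MapPublicIpOnLaunch", False))
                   for s in describe_subnets["Subnets"]}
    findings = []
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            if "PublicIpAddress" in inst:
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "SubnetId": inst.get("SubnetId"),
                    "PublicIpAddress": inst["PublicIpAddress"],
                    "SubnetAutoAssign": auto_assign.get(inst.get("SubnetId"), False),
                })
    return findings


def remediation_commands(subnet_ids: list[str]) -> list[str]:
    """One modify-subnet-attribute command per non-compliant subnet."""
    return [f"aws ec2 modify-subnet-attribute --subnet-id {sid} --no-map-public-ip-on-launch"
            for sid in subnet_ids]


def main() -> int:
    """Live audit of the current region; needs boto3 and ec2:DescribeSubnets/DescribeInstances."""
    import boto3  # imported here so the offline checks above need no AWS SDK
    ec2 = boto3.client("ec2")
    subnets = {"Subnets": [s for page in ec2.get_paginator("describe_subnets").paginate()
                           for s in page["Subnets"]]}
    instances = {"Reservations": [r for page in ec2.get_paginator("describe_instances").paginate()
                                  for r in page["Reservations"]]}
    bad = noncompliant_subnets(subnets)
    print(json.dumps({"noncompliant_subnets": bad,
                      "instances_with_public_ip": instances_with_public_ip(instances, subnets),
                      "remediation": remediation_commands(bad)}, indent=2))
    return 1 if bad else 0  # non-zero exit makes the script usable as a CI or cron gate


if __name__ == "__main__":
    sys.exit(main())
```

On the sample data the audit flags two subnets and two instances, and the third instance (an Elastic IP in a compliant subnet) shows why the instance review is a separate step from the subnet fix. The generated commands are printed rather than executed so a reviewer can approve them; the live run must be repeated per region.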
Compliance Automation
Automate the check with AWS Config, either through the managed rule subnet-auto-assign-public-ip-disabled or a custom rule backed by a Lambda function, and trigger remediation when a subnet is evaluated as non-compliant. Continuous evaluation keeps the environment aligned with FedRAMP Low Revision 4 requirements between manual reviews and catches subnets that are created or modified after the initial clean-up.
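A custom AWS Config rule of the kind described above, as an added example that is not part of the original page or of any AWS-provided code. `evaluate_subnet()` is a pure function over a Config configuration item and runs offline on the constructed item below (subnet and VPC IDs and the capture time are made up); `lambda_handler()` is the entry point Config invokes. It assumes the rule is attached to the AWS::EC2::Subnet resource type and that the standard ConfigurationItemChangeNotification is delivered.

```python
"""AWS Config custom rule (Lambda) that flags subnets with MapPublicIpOnLaunch enabled.

evaluate_subnet() is pure and runs offline on the constructed configuration item
below; lambda_handler() is what Config invokes for each change to an
AWS::EC2::Subnet resource in scope of the rule.
"""
import json

NON_COMPLIANT_NOTE = "Subnet auto-assigns public IPv4 addresses (MapPublicIpOnLaunch=true)."

# Constructed configuration item shaped like Config's record for a subnet
# (Config uses camelCase keys in the configuration block); not real account data.
SAMPLE_CONFIGURATION_ITEM = {
    "resourceType": "AWS::EC2::Subnet",
    "resourceId": "subnet-0a1b2c3d4e5f60001",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"subnetId": "subnet-0a1b2c3d4e5f60001", "vpcId": "vpc-0123456789abcdef0",
                      "cidrBlock": "10.0.0.0/24", "mapPublicIpOnLaunch": True},
}


def evaluate_subnet(configuration_item: dict) -> str:
    """Return the Config ComplianceType for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Subnet":
        return "NOT_APPLICABLE"
    # A deleted subnet can no longer be non-compliant.
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted",
                                                              "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    configuration = configuration_item.get("configuration") or {}
    return "NON_COMPLIANT" if configuration.get("mapPublicIpOnLaunch") else "COMPLIANT"


def build_evaluation(configuration_item: dict) -> dict:
    """Evaluation entry in the shape config:PutEvaluations expects."""
    compliance = evaluate_subnet(configuration_item)
    evaluation = {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }
    if compliance == "NON_COMPLIANT":
        # Shown in the Config console and findings; limited to 256 characters.
        evaluation["Annotation"] = NON_COMPLIANT_NOTE
    return evaluation


def lambda_handler(event, context):
    """Config custom rule entry point.

    Handles the standard ConfigurationItemChangeNotification only; the oversized
    variant (configurationItemSummary) would need a get_resource_config_history
    lookup and is out of scope here.
    """
    invoking_event = json.loads(event["invokingEvent"])
    configuration_item = invoking_event["configurationItem"]
    evaluation = build_evaluation(configuration_item)
    import boto3  # deferred so the offline evaluation above needs no SDK
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation
```

The function's execution role needs config:PutEvaluations, and Config needs lambda:InvokeFunction permission on the function. Remediation can then be attached to the rule (for example an SSM Automation document that runs the modify-subnet-attribute call from the Remediation Steps), with the evaluation result as the trigger.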
By following these steps you can verify that your AWS environment meets the FedRAMP Low Revision 4 requirement on VPC subnet IP addressing, and keep it that way as new subnets are created.