Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: VPC Subnet Auto Assign Public IP Should Be Disabled

This rule ensures that VPC subnets do not automatically assign public IPs for enhanced security.

RuleVPC subnet auto assign public IP should be disabled
FrameworkFedRAMP Moderate Revision 4
Severity
Medium

Rule Description:

VPC subnet auto assign public IP should be disabled for FedRAMP Moderate Revision 4.

Enabling auto-assign public IP addresses for subnets in the VPC poses a security risk as it allows instances within those subnets to have direct access to the internet. To comply with the FedRAMP Moderate Revision 4 standards, this feature should be disabled to minimize the attack surface and enhance network security.

Remediation Steps:

  1. 1.

    Log in to the AWS Management Console.

  2. 2.

    Go to the Amazon VPC Dashboard.

  3. 3.

    Select the VPC for which you want to disable auto-assign public IP addresses.

  4. 4.

    Choose the "Subnets" option from the left-hand navigation menu.

  5. 5.

    In the list of subnets, identify the subnet(s) for which you want to disable auto-assign public IP.

  6. 6.

    Select the desired subnet by clicking on its checkbox.

  7. 7.

    Click on the "Actions" button at the top of the subnet list and choose "Modify auto-assign IP settings" from the dropdown menu.

  8. 8.

    In the "Modify IP Settings" dialog box, uncheck the "Auto-assign Public IP" option.

  9. 9.

    Click on the "Save" button to confirm and apply the changes.

Troubleshooting Steps:

If you encounter any issues while following the remediation steps mentioned above, consider the following troubleshooting steps:

  1. 1.

    Verify IAM permissions: Ensure that your AWS Identity and Access Management (IAM) user or role has sufficient permissions to modify VPC subnet settings. Check the IAM policies attached to your user or role to make sure the necessary permissions are granted.

  2. 2.

    Verify subnet selection: Double-check that you have selected the correct subnet where auto-assign public IP needs to be disabled. Selecting the wrong subnet can lead to unintended changes.

  3. 3.

    Verify internet connectivity: After disabling auto-assign public IP for a subnet, ensure that instances within that subnet still have internet connectivity through alternative methods, such as NAT gateways or NAT instances.

  4. 4.

    Verify network ACLs: If you experience connectivity issues after applying the changes, review the network access control lists (ACLs) associated with the subnet. Ensure that inbound and outbound rules in the ACLs allow the necessary traffic for your applications.

Relevant Code:

If you prefer using the AWS Command Line Interface (CLI) to achieve the same result, you can use the following command:

aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch

Replace

<subnet-id>
with the actual ID of the subnet you want to modify.

Note: Make sure you have the necessary IAM permissions to execute the AWS CLI command successfully.

By following the above-described steps or executing the command, you will successfully disable auto-assign public IP addresses for the selected VPC subnet, ensuring compliance with the FedRAMP Moderate Revision 4 standards.

Is your System Free of Underlying Vulnerabilities?
Find Out Now