Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: VPC Subnet Auto Assign Public IP Should Be Disabled

This rule ensures that VPC subnets do not automatically assign public IPs, reducing security risks.

RuleVPC subnet auto assign public IP should be disabled
FrameworkNIST 800-171 Revision 2
Severity
Medium

NIST 800-171 Revision 2: Disable VPC Subnet Auto-Assign Public IP

Description:

According to the NIST 800-171 Revision 2 compliance framework, it is recommended to disable the auto-assignment of public IP addresses to subnets within an Amazon Virtual Private Cloud (VPC). This is done to enhance the security of the VPC by preventing instances within those subnets from being directly accessible from the internet.

Enabling auto-assign public IP for subnets makes instances within those subnets automatically receive a public IP address from Amazon's pool of public IP addresses. By disabling this feature, instances in the subnets will not be assigned a public IP address by default, making them accessible only from within the VPC or through a properly configured network pathway.

Within the context of NIST 800-171 Revision 2, ensuring that VPC subnet auto-assign public IP is disabled helps organizations protect sensitive information and secure their infrastructure from unauthorized access.

Troubleshooting Steps:

If any issues are encountered while disabling VPC subnet auto-assign public IP, the following troubleshooting steps may be taken:

  1. 1.
    Double-check the VPC configuration: Ensure that you are modifying the correct VPC and subnet settings.
  2. 2.
    Permissions and access: Confirm that you have the necessary permissions and access rights to modify the VPC settings. Check IAM roles and policies if required.
  3. 3.
    AWS CLI version: Verify that you are using an updated version of the AWS Command Line Interface (CLI) to avoid any compatibility issues.
  4. 4.
    Validate input parameters: Ensure that you are providing correct values for all the required parameters when executing the CLI command.
  5. 5.
    Security Group configuration: Review the security group rules associated with the instances within the subnet to ensure proper network access controls are in place.
  6. 6.
    VPC peering or VPN connection: If the instances in the subnet need to access the internet or other resources, make sure that correct VPC peering or VPN connection is established.
  7. 7.
    Consult AWS documentation: Refer to the official AWS documentation or contact the AWS Support Team if you are unable to resolve the issue using the troubleshooting steps above.

Necessary Codes:

There are no specific codes to be executed for this compliance rule. The necessary configuration changes can be made through the AWS Management Console or using the AWS CLI.

Step-by-Step Guide for Remediation:

  1. 1.
    Open the AWS Management Console and navigate to the Amazon VPC service.
  2. 2.
    Choose the appropriate VPC where the subnet is located.
  3. 3.
    Click on "Subnets" in the left sidebar menu.
  4. 4.
    Select the desired subnet where you want to disable auto-assign public IP.
  5. 5.
    In the subnet details pane, click on the "Actions" button and choose "Modify auto-assign IP settings."
  6. 6.
    Set the "Auto-assign Public IP" value to "Disable" and click on "Save."
  7. 7.
    Verify the changes by checking the subnet details, where the auto-assign public IP should now be displayed as "No."

Please note that disabling auto-assign public IP for a subnet might affect instances or services that require internet connectivity. Ensure that appropriate alternatives such as NAT Gateway or VPN connections are configured to allow necessary outbound access.

Is your System Free of Underlying Vulnerabilities?
Find Out Now