This rule ensures that VPC subnets do not automatically assign public IPs, reducing security risks.
Rule | VPC subnet auto assign public IP should be disabled |
Framework | NIST 800-171 Revision 2 |
Severity | Medium |
NIST 800-171 Revision 2: Disable VPC Subnet Auto-Assign Public IP
Description:
NIST 800-171 Revision 2 does not name AWS features; this rule maps the framework's boundary-protection requirements (keeping publicly accessible components separated from internal networks and limiting external connections to controlled interfaces) onto one Amazon Virtual Private Cloud (VPC) setting: the subnet attribute that auto-assigns a public IPv4 address at launch. The rule expects that attribute to be disabled, so that instances launched into the subnet are not reachable from the internet by default.
When auto-assign public IP is enabled on a subnet, every instance launched into it (unless the launch request overrides the default) receives a public IPv4 address from Amazon's pool, and with a route to an internet gateway and a permissive security group it is directly exposed. With the attribute disabled, instances receive only private addresses by default and are reachable from within the VPC, over peering, VPN or Direct Connect, or behind a load balancer placed in a public subnet; outbound internet access goes through a NAT gateway. Note what the attribute does not do: it is only the launch-time default, so a launch request can still ask for a public IP explicitly, an Elastic IP can be associated after launch, and instances that already hold a public address keep it. Those cases have to be reviewed separately.
In the context of NIST 800-171 Revision 2, disabling auto-assign public IP on subnets reduces the chance that a system handling controlled unclassified information is exposed to the internet through an oversight at launch time rather than a deliberate, reviewed decision.
Troubleshooting Steps:
If any issues are encountered while disabling VPC subnet auto-assign public IP, the following troubleshooting steps may be taken:
Necessary Codes:
This rule needs no script: the fix is a single subnet attribute, which can be changed in the AWS Management Console (the subnet's auto-assign IP settings) or with the AWS CLI.
Step-by-Step Guide for Remediation:
Please note that disabling auto-assign public IP on a subnet only changes the default for future launches: instances already running keep their public addresses, and any instance that genuinely needs to be reachable from the internet will now need an Elastic IP, a load balancer in a public subnet, or an explicit public IP at launch. For outbound-only access (package updates, calls to AWS APIs), route the subnet through a NAT gateway or use VPC endpoints; for administrative access, prefer VPN, Direct Connect, or Systems Manager Session Manager over a public address. After the change, confirm that the subnet's MapPublicIpOnLaunch attribute reads false and re-check running instances for public addresses that predate the change.
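As an added example that is not part of the original page or of any vendor tool, the audit-and-remediation script below (Python with boto3, the AWS SDK) checks the same subnet attribute this rule tests, lists instances that already hold a public address and so are unaffected by the fix, and issues the same change the AWS CLI makes with `aws ec2 modify-subnet-attribute --subnet-id <id> --no-map-public-ip-on-launch`. The sample responses, subnet and instance IDs and addresses are constructed in the shape that boto3's `describe_subnets` and `describe_instances` return so the checks run offline; `audit_and_remediate` is an assumed helper name for the live variant, not an AWS API.

```python
"""Audit VPC subnets for auto-assigned public IPs and remediate them.

The pure functions work on the dict shape returned by boto3's
ec2.describe_subnets() and ec2.describe_instances(), so they can be
checked offline against the constructed samples below. audit_and_remediate()
is the live variant and needs boto3 plus AWS credentials.
"""
from typing import Dict, List, Optional

try:
    import boto3  # AWS SDK; only the live helper needs it
except ImportError:  # keeps the offline functions usable without boto3 installed
    boto3 = None

# Constructed sample in the shape of ec2.describe_subnets(); IDs are made up.
SAMPLE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0aaa111", "VpcId": "vpc-0abc", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0bbb222", "VpcId": "vpc-0abc", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0ccc333", "VpcId": "vpc-0def", "MapPublicIpOnLaunch": True},
    ]
}

# Constructed sample in the shape of ec2.describe_instances(); addresses are RFC 5737 test ranges.
SAMPLE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0111", "SubnetId": "subnet-0aaa111", "PublicIpAddress": "203.0.113.10"},
            {"InstanceId": "i-0222", "SubnetId": "subnet-0bbb222"},
            {"InstanceId": "i-0333", "SubnetId": "subnet-0ccc333", "PublicIpAddress": "198.51.100.7"},
        ]}
    ]
}


def noncompliant_subnets(response: Dict) -> List[str]:
    """IDs of subnets whose MapPublicIpOnLaunch attribute is true (the condition this rule flags)."""
    return [s["SubnetId"] for s in response.get("Subnets", []) if s.get("MapPublicIpOnLaunch", False)]


def instances_with_public_ip(response: Dict, subnet_ids: Optional[List[str]] = None) -> List[str]:
    """Instances that already hold a public IPv4 address, optionally restricted to some subnets.

    Disabling the subnet attribute does not remove an address an instance already has,
    so these need a separate decision (detach, rebuild, or accept with a documented reason).
    """
    found = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if not inst.get("PublicIpAddress"):
                continue
            if subnet_ids is not None and inst.get("SubnetId") not in subnet_ids:
                continue
            found.append(inst["InstanceId"])
    return found


def remediation_commands(subnet_ids: List[str]) -> List[str]:
    """The AWS CLI equivalent of the API call below, useful for a change ticket or a dry run."""
    return [
        f"aws ec2 modify-subnet-attribute --subnet-id {sid} --no-map-public-ip-on-launch"
        for sid in subnet_ids
    ]


def audit_and_remediate(region: str, apply: bool = False) -> Dict[str, List[str]]:
    """Live run (assumed helper name, not an AWS API): list offending subnets, optionally fix them."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for a live run: pip install boto3")
    ec2 = boto3.client("ec2", region_name=region)
    subnets = ec2.get_paginator("describe_subnets").paginate().build_full_result()
    bad = noncompliant_subnets(subnets)
    exposed: List[str] = []
    if bad:
        instances = ec2.get_paginator("describe_instances").paginate(
            Filters=[{"Name": "subnet-id", "Values": bad}]
        ).build_full_result()
        exposed = instances_with_public_ip(instances, bad)
    if apply:
        for sid in bad:
            # Same change as the CLI command from remediation_commands(); affects future launches only.
            ec2.modify_subnet_attribute(SubnetId=sid, MapPublicIpOnLaunch={"Value": False})
    return {"subnets": bad, "instances_with_public_ip": exposed}


if __name__ == "__main__":
    bad = noncompliant_subnets(SAMPLE_SUBNETS)
    print("Non-compliant subnets:", bad)
    print("Instances already holding a public IP:", instances_with_public_ip(SAMPLE_INSTANCES, bad))
    print("\n".join(remediation_commands(bad)))
```

Run it without arguments to see the offline checks against the constructed samples; call `audit_and_remediate("us-east-1")` with credentials configured to audit a real region, and pass `apply=True` only once the instances it reports as already holding a public IP have been dealt with, since the attribute change does not touch them.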