Rule Description:
This rule supports the boundary protection controls of NIST SP 800-53 Revision 5 (the SC-7 control family) by requiring that subnets in a Virtual Private Cloud (VPC) do not automatically assign public IPv4 addresses to instances at launch. With the subnet attribute (MapPublicIpOnLaunch) disabled, an instance launched into the subnet receives only a private address by default, which reduces the number of resources reachable from the internet. Note that the attribute sets a default, not a guarantee: a launch request can still ask for a public address explicitly, and an Elastic IP can be associated with any instance, so the attribute must be combined with security groups, network ACLs and route tables to keep a workload private.
Impact of Non-Compliance:
If a subnet automatically assigns public IP addresses, every instance launched into it without an override is reachable from the public internet as soon as a security group or network ACL permits the traffic. Services that were never meant to be internet-facing, such as databases, internal APIs or administration ports, can then be discovered and attacked directly, and any sensitive data they hold is exposed to unauthorized parties.
Troubleshooting Steps:
If you encounter difficulties in complying with this requirement, follow these steps:
- 1. Identify VPC subnets: determine which subnets have auto-assign public IPv4 (the MapPublicIpOnLaunch attribute) enabled.
- 2. Check associated resources: list the resources in those subnets, such as EC2 instances and load balancers, and record which of them currently hold a public IPv4 address (auto-assigned or an Elastic IP). Internet-facing load balancers and NAT gateways legitimately need public addresses; note the subnets that host them so the change is not applied where the subnet is meant to be public.
- 3. Disable public IP assignment: turn off the attribute on the identified subnets. This changes the default for future launches only; an instance that already has a public address keeps it until the address is released (an auto-assigned address is released when the instance is stopped, an Elastic IP must be disassociated).
- 4. Verify connectivity: confirm that resources reached only by private IP still have the paths they need, for example outbound internet access through a NAT gateway or VPC endpoints for AWS services, so that removing public addresses does not break them.
- 5. Test and monitor: regularly monitor the network connectivity and functionality of the resources in the affected subnets to confirm they continue to work as expected.
Recommended Configuration:
To disable the automatic assignment of public IP addresses for VPC subnets, follow the steps below:
- 1. Open the AWS Management Console and navigate to the Amazon VPC service.
- 2. Select the desired VPC and go to the "Subnets" section.
- 3. Identify the specific subnet(s) where you want to disable the public IP assignment.
- 4. Select the subnet and click the "Actions" button.
- 5. From the dropdown menu, choose "Modify auto-assign IP settings" ("Edit subnet settings" in the current console).
- 6. Clear the "Auto-assign IPv4" checkbox (labelled "Enable auto-assign public IPv4 address" in the current console).
- 7. Click "Save" to apply the change.
- 8. Validate that the subnet's details now show auto-assign public IPv4 address as disabled.
- 9. Repeat the same process for any other subnets that require the modification.
AWS CLI Command:
Alternatively, you can use the AWS CLI to disable automatic public IP assignment for VPC subnets. Run the following command, replacing "subnet-id" with the ID of the subnet you want to modify:
aws ec2 modify-subnet-attribute --subnet-id subnet-id --no-map-public-ip-on-launch
Repeat this command for each subnet that needs the configuration change. The command only changes the default for instances launched afterwards; instances that already hold a public address are not affected until that address is released.
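As an added example (not code from the original rule text and not an AWS-provided tool), the following Python script carries out the identify, check and disable steps from the Troubleshooting section using the same subnet attribute that the CLI command above sets. The audit logic is written as plain functions over the JSON shapes returned by describe-subnets and describe-instances, so it runs offline on the constructed sample data embedded below; the main() entry point assumes boto3 is installed with credentials that can read EC2 and, when --fix is given, call ModifySubnetAttribute. The IDs and addresses in the sample are made up.

```python
"""Audit and optionally remediate VPC subnets that auto-assign public IPv4.

Added example for this rule (not AWS-provided code). The audit functions take
the JSON shapes returned by `aws ec2 describe-subnets` / `describe-instances`,
so they run offline on the constructed sample below; main() wires them to
boto3, which is assumed to be installed with EC2 read permissions (and, with
--fix, ModifySubnetAttribute).
"""
import argparse

# Constructed sample responses: made-up IDs, documentation address ranges.
SAMPLE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0a1b2c3d4e5f60001", "VpcId": "vpc-0aaaa",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0a1b2c3d4e5f60002", "VpcId": "vpc-0aaaa",
         "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
    ]
}
SAMPLE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0123456789abcdef0", "SubnetId": "subnet-0a1b2c3d4e5f60001",
         "NetworkInterfaces": [{"SubnetId": "subnet-0a1b2c3d4e5f60001",
                                "Association": {"PublicIp": "203.0.113.10"}}]},
        {"InstanceId": "i-0123456789abcdef1", "SubnetId": "subnet-0a1b2c3d4e5f60001",
         "NetworkInterfaces": [{"SubnetId": "subnet-0a1b2c3d4e5f60001"}]},
        # Elastic IP on an instance in a subnet whose flag is already off:
        # the subnet attribute alone does not make a workload private.
        {"InstanceId": "i-0123456789abcdef2", "SubnetId": "subnet-0a1b2c3d4e5f60002",
         "NetworkInterfaces": [{"SubnetId": "subnet-0a1b2c3d4e5f60002",
                                "Association": {"PublicIp": "203.0.113.20"}}]},
    ]}]
}


def find_auto_assign_subnets(describe_subnets):
    """Return the subnets whose MapPublicIpOnLaunch attribute is true."""
    return [{"SubnetId": s["SubnetId"], "VpcId": s["VpcId"], "CidrBlock": s.get("CidrBlock")}
            for s in describe_subnets.get("Subnets", [])
            if s.get("MapPublicIpOnLaunch") is True]


def find_public_instances(describe_instances, subnet_ids=None):
    """Return instances that currently hold a public IPv4 on an interface in
    one of subnet_ids (None means any subnet). Every ENI is checked, because an
    Elastic IP or an explicit AssociatePublicIpAddress=true at launch gives an
    instance a public address regardless of the subnet attribute."""
    wanted = None if subnet_ids is None else set(subnet_ids)
    hits = []
    for res in describe_instances.get("Reservations", []):
        for inst in res.get("Instances", []):
            public = [eni["Association"]["PublicIp"]
                      for eni in inst.get("NetworkInterfaces", [])
                      if (wanted is None or eni.get("SubnetId") in wanted)
                      and eni.get("Association", {}).get("PublicIp")]
            if public:
                hits.append({"InstanceId": inst["InstanceId"],
                             "SubnetId": inst.get("SubnetId"), "PublicIps": public})
    return hits


def remediation_commands(subnets):
    """CLI equivalents of the boto3 call main() makes, for a change record."""
    return [f"aws ec2 modify-subnet-attribute --subnet-id {s['SubnetId']}"
            " --no-map-public-ip-on-launch" for s in subnets]


def main():
    ap = argparse.ArgumentParser(description="Audit subnets that auto-assign public IPv4")
    ap.add_argument("--region", help="AWS region (defaults to the SDK configuration)")
    ap.add_argument("--fix", action="store_true", help="disable the attribute; default is report only")
    args = ap.parse_args()
    import boto3  # imported here so the audit functions stay usable offline
    ec2 = boto3.client("ec2", region_name=args.region)

    offending = []
    for page in ec2.get_paginator("describe_subnets").paginate():
        offending += find_auto_assign_subnets(page)
    if not offending:
        print("No subnets auto-assign public IPv4 addresses.")
        return
    ids = [s["SubnetId"] for s in offending]
    for s in offending:
        print(f"{s['SubnetId']} ({s['VpcId']}, {s['CidrBlock']}): MapPublicIpOnLaunch=true")
    # Addresses already assigned survive the change; list them so the owner can
    # decide what to release and what is intentionally internet-facing.
    for page in ec2.get_paginator("describe_instances").paginate(
            Filters=[{"Name": "subnet-id", "Values": ids}]):
        for hit in find_public_instances(page, ids):
            print(f"  {hit['InstanceId']} in {hit['SubnetId']} holds {', '.join(hit['PublicIps'])}")
    for cmd in remediation_commands(offending):
        print(("applying: " if args.fix else "would run: ") + cmd)
    if args.fix:
        for subnet_id in ids:
            ec2.modify_subnet_attribute(SubnetId=subnet_id, MapPublicIpOnLaunch={"Value": False})


if __name__ == "__main__":
    main()
```

Run it without --fix first and review the report. The list of instances that already hold a public address is the part that matters for step 2 of the troubleshooting procedure: the subnet attribute only changes the default for future launches, and the third sample instance shows that an Elastic IP on an instance in a subnet whose attribute is already off still exposes it, so a subnet-level check alone is not a complete exposure inventory.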
Remediation Steps:
To remediate the non-compliance issue, follow these steps:
- 1. Identify every subnet that has the auto-assign public IPv4 attribute enabled, and record which of them intentionally host internet-facing resources such as load balancers or NAT gateways.
- 2. For each subnet that should not assign public addresses by default, disable the attribute using either the console steps under "Recommended Configuration" or the AWS CLI command above.
- 3. Validate that the attribute now shows as disabled for each modified subnet.
- 4. Release public addresses that existing resources no longer need (stop and start an instance to drop an auto-assigned address, or disassociate an Elastic IP), since the subnet change does not affect addresses already assigned.
- 5. Monitor and verify the connectivity and functionality of the resources within the affected subnets to ensure they continue to work as expected.
By following these steps, you disable the automatic assignment of public IP addresses for VPC subnets, in line with the boundary protection controls of NIST SP 800-53 Revision 5.