Rule: VPC Subnet Auto Assign Public IP Disabled

This rule checks if VPC subnets have auto assign public IP disabled to enhance security measures.

Rule: VPC subnet auto assign public IP should be disabled
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

VPC subnet auto assign public IP should be disabled in order to comply with the security requirements of NIST 800-53 Revision 5. This rule ensures that EC2 instances launched within the VPC's subnets are not automatically assigned public IP addresses.

Enabling the auto-assign public IP feature for subnets may increase the attack surface by exposing instances directly to the internet. By disabling this feature, you can ensure that instances within the subnet only have private IP addresses by default.

Troubleshooting Steps:

In case instances within the subnet have mistakenly been assigned public IP addresses, the following steps can help troubleshoot the issue:

  1. Verify Subnet Settings: Confirm that the "auto-assign public IP" attribute is disabled for the relevant subnet(s).
  2. Check Instance Configuration: Validate the instance launch configuration to determine whether the selected subnet has "auto-assign public IP" disabled. Modify the instance configuration if necessary.
  3. Examine Route Tables and Internet Gateway: Check the subnet's associated route table and confirm that it does not have a default route (0.0.0.0/0) targeting the internet gateway, or any other route that sends traffic through the internet gateway.
  4. Verify Network ACLs: Ensure that the network access control list (NACL) associated with the subnet permits only the desired inbound and outbound network traffic. Validate that the NACL rules are properly implemented to prevent unintended internet access.

Necessary Code:

There is no specific code required for this rule. The configuration change can be made through the AWS Management Console or using the AWS Command Line Interface (CLI).

Remediation Steps:

To disable VPC subnet auto-assign public IP addresses, follow these steps:

Note: The following instructions assume you have the necessary permissions to make changes in the AWS Management Console or CLI.

  1. Open the AWS Management Console and navigate to the Amazon VPC service.
  2. From the left navigation pane, click on "Subnets" to view the list of existing subnets.
  3. Select the desired subnet where you want to disable auto-assign public IP.
  4. In the subnet details page, ensure that the "Details" tab is selected.
  5. Locate the "Auto-assign Public IP" attribute and click on the "Edit" button.
  6. In the pop-up window, select the "Do not auto-assign public IP addresses" option.
  7. Click "Save" to apply the changes and disable auto-assign public IPs for the selected subnet.
  8. Repeat the above steps for other subnets within the VPC if necessary.

It may take a few moments for the changes to propagate. Once completed, any new EC2 instances launched in the subnet(s) will not be assigned public IP addresses automatically.
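The "Necessary Code" section above notes that the same change can be made from the AWS CLI. As an added example (not Cloud Defense's code), the script below reads the JSON returned by `aws ec2 describe-subnets --output json`, reports every subnet whose auto-assign public IP attribute (`MapPublicIpOnLaunch`) is still enabled, and prints the `aws ec2 modify-subnet-attribute ... --no-map-public-ip-on-launch` command that remediates each one; the subnet and VPC IDs in the embedded sample are constructed.

```python
"""Audit `aws ec2 describe-subnets` output for the auto-assign public IP attribute."""
import json

# Constructed sample in the shape of `aws ec2 describe-subnets --output json`.
# The subnet/VPC IDs and CIDRs are made up for this example.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0a1b2c3d4e5f60001", "VpcId": "vpc-0123456789abcdef0",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0a1b2c3d4e5f60002", "VpcId": "vpc-0123456789abcdef0",
         "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0a1b2c3d4e5f60003", "VpcId": "vpc-0123456789abcdef0",
         "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": True},
    ]
})


def find_noncompliant_subnets(describe_subnets_json: str) -> list:
    """Return the subnets whose auto-assign public IP attribute is enabled.

    The rule maps directly to MapPublicIpOnLaunch; a missing key is treated
    as disabled so that a partial or filtered listing does not raise a false finding.
    """
    data = json.loads(describe_subnets_json)
    return [
        {"SubnetId": s["SubnetId"], "VpcId": s.get("VpcId"), "CidrBlock": s.get("CidrBlock")}
        for s in data.get("Subnets", [])
        if s.get("MapPublicIpOnLaunch", False)
    ]


def remediation_commands(findings: list) -> list:
    """Build the AWS CLI command that disables the attribute for each finding."""
    return [
        f"aws ec2 modify-subnet-attribute --subnet-id {f['SubnetId']} "
        "--no-map-public-ip-on-launch"
        for f in findings
    ]


if __name__ == "__main__":
    findings = find_noncompliant_subnets(SAMPLE_DESCRIBE_SUBNETS)
    for f in findings:
        print(f"NON-COMPLIANT {f['SubnetId']} ({f['CidrBlock']}) in {f['VpcId']}")
    for cmd in remediation_commands(findings):
        print(cmd)
    # Caveat: the subnet attribute only governs the default for future launches. An
    # instance that already holds a public IP keeps it, and a launch request can still
    # override the default by setting AssociatePublicIpAddress=true explicitly, so
    # re-run the check against `describe-instances` output if that matters to you.
```

Pipe real output in with `aws ec2 describe-subnets --output json` and review the printed commands before running them, since the change takes effect for every new launch in the subnet.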

Verification:

To verify that auto-assign public IP has been successfully disabled for the subnet:

  1. Open the AWS Management Console and navigate to the Amazon VPC service.
  2. Click on "Subnets" from the left navigation pane to view all the subnets.
  3. Select the target subnet to verify.
  4. In the subnet details page, check that the "Auto-assign Public IP" attribute is set to "Do not auto-assign public IP addresses".

If the attribute matches the expected value, the subnet is no longer auto-assigning public IPs, satisfying the NIST 800-53 Revision 5 requirement.
