This rule ensures that VPC subnets do not automatically assign public IP addresses to instances.
Rule: VPC subnet auto assign public IP should be disabled
Framework: RBI Cyber Security Framework
Severity: Medium
Rule Description: The VPC subnet auto assign public IP setting should be disabled in adherence to the RBI (Reserve Bank of India) Cyber Security Framework. This rule ensures that no subnet within the VPC (Virtual Private Cloud) automatically assigns a public IP address to instances launched in it. Disabling this feature reduces exposure by preventing newly launched instances from being directly reachable from the internet by default.
Troubleshooting Steps (if applicable): If instances in the VPC subnets are still being assigned public IP addresses automatically, follow the steps below to troubleshoot and resolve the issue:
Verify VPC Subnet Configuration: Double-check the subnet configuration for each subnet within the VPC. Ensure that the "Auto-assign Public IP" attribute is set to "No".
Check VPC Default Behavior: If the subnet configuration is correct, check if the VPC itself has the "Auto-assign Public IP" attribute set to "No". If not, modify the VPC settings accordingly.
Verify Instance Launch Settings: Review the launch configuration or launch templates used to create instances within the VPC subnets. Ensure that the "Auto-assign Public IP" parameter is appropriately set to "No".
Update Instance Configuration: If the launch settings are correct, verify the individual instances within the subnets. Update the instance settings to ensure that the "Auto-assign Public IP" attribute is disabled.
Verify Security Group Rules: Check the security group configurations associated with the instances. Ensure that inbound and outbound rules are appropriately set to allow or restrict access as required by the RBI Cyber Security Framework.
Necessary Code (if applicable): If necessary, use the following AWS CLI command to disable the auto-assign public IP attribute on a subnet:
aws ec2 modify-subnet-attribute --subnet-id your-subnet-id --no-map-public-ip-on-launch
Note: Replace "your-subnet-id" with the actual ID of the subnet to be modified.
Step-by-Step Guide for Remediation:
Log in to the AWS Management Console.
Navigate to the VPC service.
Select the desired VPC.
Identify the subnets that need to have the auto-assign public IP disabled.
Select each subnet one by one.
In the details pane at the bottom, locate the "Auto-assign Public IP" attribute and ensure it is set to "No". If not, click the "Edit auto-assign IP settings" link and disable it.
Repeat the above step for all subnets that require modification.
If instances were already running in the affected subnets, you may need to stop and start them again for the change to take effect, because the subnet attribute only applies at instance launch.
Verify that instances launched in the modified subnets no longer have public IP addresses assigned.
Additionally, review the security group settings for the affected instances and update the rules as per the RBI Cyber Security Framework.
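The troubleshooting checks and the CLI remediation above can be scripted. The following is example code added for this page (not part of the original document or any vendor tool): it evaluates data shaped like the EC2 DescribeSubnets and DescribeInstances responses, flags subnets with the attribute enabled, lists instances that already hold a public IP, and emits the remediation command given above. The sample responses are constructed and no AWS calls are made.

```python
"""Offline check for 'VPC subnet auto assign public IP should be disabled'.

Added example, not from the original page. Input dicts follow the shape of the
`aws ec2 describe-subnets` / `aws ec2 describe-instances` responses, so the same
functions can be fed the output of boto3 or the CLI. All sample data is constructed.
"""

# Constructed sample shaped like `aws ec2 describe-subnets` output.
DESCRIBE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0a1", "VpcId": "vpc-111", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0b2", "VpcId": "vpc-111", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0c3", "VpcId": "vpc-222"},  # attribute absent: not flagged
    ]
}

# Constructed sample shaped like `aws ec2 describe-instances` output. i-aaa sits in a
# compliant subnet but still has a public IP (e.g. a launch template override), which
# is why the troubleshooting steps also review launch settings and running instances.
DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-aaa", "SubnetId": "subnet-0b2", "PublicIpAddress": "203.0.113.10"},
        {"InstanceId": "i-bbb", "SubnetId": "subnet-0a1"},
    ]}]
}


def noncompliant_subnets(response):
    """Subnet IDs whose MapPublicIpOnLaunch attribute is enabled."""
    return sorted(s["SubnetId"] for s in response.get("Subnets", [])
                  if s.get("MapPublicIpOnLaunch") is True)


def exposed_instances(response):
    """Instances already holding a public IPv4 address. Changing the subnet
    attribute does not remove these; they keep the address until stopped."""
    return sorted(i["InstanceId"]
                  for r in response.get("Reservations", [])
                  for i in r.get("Instances", [])
                  if i.get("PublicIpAddress"))


def remediation_commands(subnet_ids):
    """One modify-subnet-attribute command per non-compliant subnet."""
    return [f"aws ec2 modify-subnet-attribute --subnet-id {sid} --no-map-public-ip-on-launch"
            for sid in subnet_ids]


if __name__ == "__main__":
    bad = noncompliant_subnets(DESCRIBE_SUBNETS)
    print("Non-compliant subnets:", bad)
    print("Instances already holding a public IP:", exposed_instances(DESCRIBE_INSTANCES))
    print("\n".join(remediation_commands(bad)))
```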
Remember to refer to official documentation for specific platform details and consult your organization's security guidelines as well.