AWS VPC Subnets Should Not Allow Automatic Public IP Assignment

This policy identifies VPC subnets that allow automatic public IP assignment. A VPC subnet is a segment of the VPC with its own traffic rules. Automatically assigning a public IP to instances at launch can accidentally expose every instance in that subnet to the internet, so the setting should be changed to 'No' after the subnet is created.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: CloudFormation

Build Rules

AWS VPC subnets should not allow automatic public IP assignment.
JSON Query:
$.Resources.*[?(@.Type == 'AWS::EC2::Subnet')].Properties.MapPublicIpOnLaunch anyTrue
Recommendation:
VPC subnets should not be configured for automatic public IP assignment. If the "MapPublicIpOnLaunch" property is present on an AWS::EC2::Subnet resource, make sure its value is "false" (an absent property defaults to false).
For example (the null values stand in for the VPC reference and CIDR block):
"PublicSubnetOne": {
  "Type": "AWS::EC2::Subnet",
  "Properties": {
    "VpcId": null,
    "CidrBlock": null,
    "MapPublicIpOnLaunch": false
  }
}
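The build rule above can be reproduced offline against a CloudFormation JSON template before it reaches Prisma Cloud. The following is an added example, not the vendor's own code: it walks the Resources section the way the JSON query does, treats both the boolean true and the string form "True" as a finding (CloudFormation accepts either), and returns a corrected copy of the template. The sample template, its logical IDs and CIDR blocks are constructed.

```python
import copy
import json

def _is_true(value) -> bool:
    """CloudFormation accepts the boolean true and the strings 'true'/'True'."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False  # a Ref/Fn:: intrinsic cannot be resolved statically; not counted

def find_public_ip_subnets(template: dict) -> list:
    """Logical IDs of AWS::EC2::Subnet resources whose MapPublicIpOnLaunch is true.
    Mirrors the page's query:
    $.Resources.*[?(@.Type == 'AWS::EC2::Subnet')].Properties.MapPublicIpOnLaunch anyTrue
    An absent property defaults to false and is therefore compliant."""
    flagged = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Subnet":
            continue
        props = resource.get("Properties") or {}
        if _is_true(props.get("MapPublicIpOnLaunch", False)):
            flagged.append(logical_id)
    return flagged

def fix_template(template: dict) -> dict:
    """Copy of the template with MapPublicIpOnLaunch forced to false on flagged subnets."""
    fixed = copy.deepcopy(template)
    for logical_id in find_public_ip_subnets(fixed):
        fixed["Resources"][logical_id]["Properties"]["MapPublicIpOnLaunch"] = False
    return fixed

# Constructed sample template: hypothetical logical IDs and CIDR blocks.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "MyVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
  "PublicSubnetOne": {"Type": "AWS::EC2::Subnet", "Properties": {
    "VpcId": {"Ref": "MyVpc"}, "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": true}},
  "PublicSubnetTwo": {"Type": "AWS::EC2::Subnet", "Properties": {
    "VpcId": {"Ref": "MyVpc"}, "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": "True"}},
  "PrivateSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
    "VpcId": {"Ref": "MyVpc"}, "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": false}},
  "DataSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
    "VpcId": {"Ref": "MyVpc"}, "CidrBlock": "10.0.4.0/24"}}
}}
""")

if __name__ == "__main__":
    print("Flagged:", find_public_ip_subnets(SAMPLE_TEMPLATE))  # ['PublicSubnetOne', 'PublicSubnetTwo']
    print("After fix:", find_public_ip_subnets(fix_template(SAMPLE_TEMPLATE)))  # []
```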

Run Rule Recommendation

  1. Sign into the AWS console.
  2. In the console, select the region for which the alert was generated from the region drop-down in the top right corner.
  3. Navigate to the 'VPC' service.
  4. In the navigation pane, click on 'Subnets'.
  5. Select the identified subnet and choose 'Modify auto-assign IP settings' under Subnet Actions.
  6. Disable the 'Auto-Assign IP' option and save the change.

Compliance

There are 10 standards that are applicable to this policy:
  • ISO 27001:2013
  • NIST CSF
  • HITRUST CSF v9.3
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • NIST 800-53 Rev4
  • PIPEDA
  • CCPA 2018
  • NIST 800-171 Rev1
