Description:

The IP address enables resources in your VPC to communicate with each other and with resources over the internet.

All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Therefore, when you launch an instance into a subnet that has this attribute enabled, a public IP address is assigned to the primary network interface (eth0) that is created for the instance. This public IP address is mapped to the primary private IP address through network address translation (NAT).


Rationale:

The subnet has an attribute that determines whether instances launched into that subnet receive a public IP address from the public IPv4 address pool.

Checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The rule is COMPLIANT if Amazon VPC does not have subnets that are assigned a public IP address. The rule is NON_COMPLIANT if Amazon VPC has subnets that are assigned a public IP address.


Impact:

Automatic public IP assignment can expose the instances within the subnet directly to the internet. It is recommended to disable this feature for subnets.


Default Value:

By default, Auto-assign Public IP is enabled in the subnets.


Pre-Requisite:

Before proceeding with the implementation, you must stop the instances that are associated with the subnets.


Remediation:


Test Plan:

  • Log in to the AWS Management Console

  • Go to the VPC dashboard at https://console.aws.amazon.com/vpc

  • In the left navigation pane, click on Subnets

  • Select the subnet and click on View details in the Actions menu

  • In the subnet details, Auto-assign public IPv4 address shows Yes or No, indicating whether it is enabled or disabled


Using AWS CLI:

To describe your subnets

aws ec2 describe-subnets --region <region>


Implementation Steps:

  • Log in to the AWS Management Console

  • Go to the VPC dashboard at https://console.aws.amazon.com/vpc

  • Click on Subnets in the left navigation pane

  • Select the subnet for which auto-assign public IP is to be disabled

  • Click on the Actions button and select Modify auto-assign IP settings

  • Uncheck the Enable auto-assign public IPv4 address checkbox to disable auto-assignment of public IPv4 addresses for the subnet

  • Click on the Save button


Using AWS CLI:

To change a subnet's public IPv4 addressing behavior

aws ec2 modify-subnet-attribute --subnet-id subnet-1a2b3c4d --no-map-public-ip-on-launch
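The following is an added example, not part of this check's original text, showing how the test plan and the remediation above can be evaluated offline: it applies the COMPLIANT / NON_COMPLIANT rule from the Rationale to the JSON that `aws ec2 describe-subnets` prints and emits the corresponding `modify-subnet-attribute` command for each offending subnet. The subnet IDs, VPC IDs and CIDR blocks in the sample are constructed for this example.

```python
"""Evaluate the subnet-auto-assign-public-ip-disabled check offline.

Input is the JSON that `aws ec2 describe-subnets --region <region>` prints.
The sample below is constructed for this example; it is not real output.
"""
import json

# Constructed sample of describe-subnets output (IDs and CIDRs are made up).
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaa111", "VpcId": "vpc-0123",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0bbb222", "VpcId": "vpc-0123",
         "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0ccc333", "VpcId": "vpc-4567",
         "CidrBlock": "10.1.1.0/24", "MapPublicIpOnLaunch": True},
    ]
})


def find_noncompliant_subnets(describe_subnets_json):
    """Return the IDs of subnets whose auto-assign public IPv4 attribute is on.

    MapPublicIpOnLaunch is the attribute the console shows as
    "Auto-assign public IPv4 address"; a missing key is treated as disabled.
    """
    data = json.loads(describe_subnets_json)
    return sorted(
        s["SubnetId"] for s in data.get("Subnets", [])
        if s.get("MapPublicIpOnLaunch", False)
    )


def evaluate(describe_subnets_json):
    """Apply the AWS Config rule semantics: any enabled subnet -> NON_COMPLIANT."""
    return "NON_COMPLIANT" if find_noncompliant_subnets(describe_subnets_json) else "COMPLIANT"


def remediation_commands(describe_subnets_json, region):
    """Produce the remediation command from this check for each offending subnet."""
    return [
        f"aws ec2 modify-subnet-attribute --region {region} "
        f"--subnet-id {subnet_id} --no-map-public-ip-on-launch"
        for subnet_id in find_noncompliant_subnets(describe_subnets_json)
    ]


if __name__ == "__main__":
    print(evaluate(SAMPLE_DESCRIBE_SUBNETS))
    for cmd in remediation_commands(SAMPLE_DESCRIBE_SUBNETS, "us-east-1"):
        print(cmd)
```

Pipe real output in with `aws ec2 describe-subnets --region <region> | python3 -c '...'` or pass the captured JSON string to `evaluate()`; stopping the associated instances first, as the Pre-Requisite states, remains a manual step.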


Backout Plan:

  • Log in to the AWS Management Console

  • Go to the VPC dashboard at https://console.aws.amazon.com/vpc

  • Click on Subnets in the left navigation pane

  • Select the subnet for which auto-assign public IP is to be enabled

  • Click on the Actions button and select Modify auto-assign IP settings

  • Check the Enable auto-assign public IPv4 address checkbox to enable auto-assignment of public IPv4 addresses, then click on the Save button


Using AWS CLI:

To change a subnet's public IPv4 addressing behavior

aws ec2 modify-subnet-attribute --subnet-id subnet-1a2b3c4d --map-public-ip-on-launch


Reference:

  1. subnet-auto-assign-public-ip-disabled - AWS Config

  2. IP Addressing in your VPC - Amazon Virtual Private Cloud