Description:
The IP address enables resources in your VPC to communicate with each other and with resources over the internet.
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Therefore, when you launch an instance into a subnet that has this attribute enabled, a public IP address is assigned to the primary network interface (eth0) that is created for the instance. It is mapped to the primary private IP address through network address translation (NAT).
Rationale:
The subnet has an attribute that determines whether instances launched into that subnet receive a public IP address from the public IPv4 address pool.
Checks whether Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The rule is COMPLIANT if the Amazon VPC has no subnets that are assigned a public IP address. The rule is NON_COMPLIANT if the Amazon VPC has subnets that are assigned a public IP address.
Impact:
Automatic public IP assignment can expose the instances within the subnet to the internet. It is recommended to disable this feature for subnets.
Default Value:
By default, Auto-assign Public IP is enabled in the subnets.
Pre-Requisite:
Before proceeding with the implementation, you must stop the instances that are associated with the subnets.
Remediation:
Test Plan:
- Log in to the AWS Management Console
- Go to the VPC dashboard at https://console.aws.amazon.com/vpc
- In the left navigation pane, click Subnets
- Select the subnet and click View details in the Actions menu
- In the subnet details, Auto-assign public IPv4 address shows Yes or No, indicating whether it is enabled or disabled
Using AWS CLI:
To describe your subnets
aws ec2 describe-subnets --region <region>
Implementation Steps:
- Log in to the AWS Management Console
- Go to the VPC dashboard at https://console.aws.amazon.com/vpc
- Click Subnets in the left navigation pane
- Select the subnet for which to disable auto-assign public IP
- Click the Actions button and select Modify auto-assign IP settings
- Uncheck the Enable auto-assign public IPv4 address checkbox to disable automatic assignment of public IPv4 addresses for the subnet
- Click the Save button
Using AWS CLI:
To change a subnet's public IPv4 addressing behavior
aws ec2 modify-subnet-attribute --subnet-id subnet-1a2b3c4d --no-map-public-ip-on-launch
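The following script, added here as an example and not part of the original control text, evaluates `describe-subnets` output from the Test Plan against this rule (any subnet with `MapPublicIpOnLaunch` set to true makes it NON_COMPLIANT) and generates the `modify-subnet-attribute` remediation command from the Implementation Steps for each offending subnet. The embedded JSON is a constructed sample in the shape the AWS CLI returns; the subnet and VPC IDs in it are made up.

```python
"""Evaluate `aws ec2 describe-subnets` output for auto-assign public IPv4."""
from __future__ import annotations

import json

# Constructed sample output in the shape returned by
# `aws ec2 describe-subnets --region <region>` (IDs are made up).
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaa111122223333a", "VpcId": "vpc-0123456789abcdef0",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0bbb111122223333b", "VpcId": "vpc-0123456789abcdef0",
         "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0ccc111122223333c", "VpcId": "vpc-0fedcba9876543210",
         "CidrBlock": "10.1.0.0/24", "MapPublicIpOnLaunch": True},
    ]
})


def find_public_ip_subnets(describe_subnets_json: str) -> list[dict]:
    """Return the subnets whose MapPublicIpOnLaunch attribute is enabled."""
    data = json.loads(describe_subnets_json)
    return [s for s in data.get("Subnets", []) if s.get("MapPublicIpOnLaunch") is True]


def evaluate(describe_subnets_json: str) -> str:
    """COMPLIANT when no subnet auto-assigns a public IPv4 address, else NON_COMPLIANT."""
    return "NON_COMPLIANT" if find_public_ip_subnets(describe_subnets_json) else "COMPLIANT"


def remediation_commands(describe_subnets_json: str, region: str) -> list[str]:
    """Build the modify-subnet-attribute command for each non-compliant subnet."""
    return [
        f"aws ec2 modify-subnet-attribute --region {region} "
        f"--subnet-id {s['SubnetId']} --no-map-public-ip-on-launch"
        for s in find_public_ip_subnets(describe_subnets_json)
    ]


if __name__ == "__main__":
    # Feed real output via: aws ec2 describe-subnets --region us-east-1 > subnets.json
    print(evaluate(SAMPLE_DESCRIBE_SUBNETS))
    for cmd in remediation_commands(SAMPLE_DESCRIBE_SUBNETS, "us-east-1"):
        print(cmd)
```

Review the generated commands before running them; per the Pre-Requisite above, the instances in the affected subnets should be stopped first.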
Backout Plan:
- Log in to the AWS Management Console
- Go to the VPC dashboard at https://console.aws.amazon.com/vpc
- Click Subnets in the left navigation pane
- Select the subnet for which to enable auto-assign public IP
- Click the Actions button and select Modify auto-assign IP settings
- Check the Enable auto-assign public IPv4 address checkbox to enable automatic assignment of public IPv4 addresses, and click the Save button
Using AWS CLI:
To change a subnet's public IPv4 addressing behavior
aws ec2 modify-subnet-attribute --subnet-id subnet-1a2b3c4d --map-public-ip-on-launch