Profile Applicability:

  • Level 1

Description:

Amazon VPC (Virtual Private Cloud) allows you to create isolated networks within AWS. Each VPC can contain multiple subnets, which can be configured to either assign public IPs to instances by default or not. In a secure environment, it is recommended that subnets do not automatically assign public IP addresses to instances, especially for sensitive workloads that should be restricted to private network access. This SOP ensures that VPC subnets do not automatically assign public IPs to EC2 instances by default, providing enhanced security and better control over the network accessibility of your resources.

Rationale:

Automatically assigning public IPs to EC2 instances can expose sensitive resources to the public internet, increasing the attack surface and making it easier for attackers to gain unauthorized access. By ensuring that subnets do not assign public IPs by default, we enforce proper isolation of resources within private subnets. If internet access is required, it can be routed through more secure methods like NAT Gateways, VPNs, or Load Balancers, ensuring better security and controlled access to the internet.

Impact:

Pros:

  • Improved Security: Prevents unnecessary exposure of EC2 instances to the internet, reducing the risk of attacks.

  • Better Network Isolation: Ensures sensitive resources are placed within private subnets, only accessible via controlled routes.

  • Compliance: Meets network security standards and best practices, and helps in aligning with regulatory requirements such as SOC 2, PCI-DSS, or CIS.

Cons:

  • Configuration Overhead: Requires manual intervention or additional setup (e.g., NAT Gateway or Load Balancer) for instances that need internet access.

  • Increased Complexity: Requires more detailed network planning and routing configurations for instances that require internet connectivity.

Default Value:

By default, subnets in a VPC may have the Auto-assign Public IP option enabled, which results in EC2 instances being assigned public IPs automatically when launched. This should be disabled to ensure that instances do not receive a public IP by default.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeSubnets

    • ec2:ModifySubnetAttribute

    • ec2:DescribeInstances

  • AWS CLI installed and configured.

  • Basic knowledge of VPC, subnets, and EC2 networking.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to VPC under Services.

  3. In the VPC Dashboard, select Subnets.

  4. For each subnet, check the Auto-assign Public IP setting:

    • If Auto-assign Public IP is enabled, disable it to ensure that instances do not get a public IP by default.

  5. When launching a new instance, verify that Auto-assign Public IP is set to Disable under the Network Settings section.

Using AWS CLI:

To describe the subnets and check the Auto-assign Public IP setting, run:

aws ec2 describe-subnets --query 'Subnets[*].[SubnetId,MapPublicIpOnLaunch]'

Review the output:
MapPublicIpOnLaunch should be false to ensure that public IPs are not automatically assigned. Example output:

[

  {

    "SubnetId": "subnet-0bb1c79de3EXAMPLE",

    "MapPublicIpOnLaunch": false

  }

]

If MapPublicIpOnLaunch is true, update the subnet setting.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console 

  2. Navigate to VPC.

  3. In the VPC Dashboard, select Subnets and choose the subnet you wish to modify.

  4. Click on Actions and select Modify Auto-assign IP Settings.

  5. Set Auto-assign Public IP to Disable.

  6. Click Save to apply the changes.

  7. Verify that the subnet is now configured to not assign public IPs by default.

Using AWS CLI:

To modify an existing subnet to disable automatic public IP assignment, run the following command:

aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --map-public-ip-on-launch false

To verify that the Auto-assign Public IP setting is disabled, run:

aws ec2 describe-subnets --subnet-id <subnet-id> --query 'Subnets[*].MapPublicIpOnLaunch'

Backout Plan:

If disabling the Auto-assign Public IP setting causes issues with required internet access:

Identify the affected subnet.

Re-enable Auto-assign Public IP for the subnet by running:

aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --map-public-ip-on-launch true

Verify that the subnet is functioning correctly with the Auto-assign Public IP setting enabled.

Note:

  • If instances in private subnets need to access the internet, ensure that NAT Gateways or VPN connections are configured for outbound traffic.

  • For public-facing services, consider placing them in public subnets or using Application Load Balancers or NAT Gateways to manage access securely.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.