
Rule: EC2 Subnets Should Not Automatically Assign Public IP Addresses

This rule states that EC2 subnets should not automatically assign public IP addresses, ensuring better security.

Rule: EC2 subnets should not automatically assign public IP addresses
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description

The rule "EC2 subnets should not automatically assign public IP addresses" is one of the AWS Foundational Security Best Practices. This rule ensures that EC2 instances within a subnet do not receive a public IP address automatically when they are launched. Public IP addresses can increase the attack surface and expose instances directly to the internet, potentially increasing the risk of unauthorized access.

By disabling automatic public IP assignment, instances within the subnet will only have private IP addresses. If there is a need for instances to communicate with the internet, an Elastic IP (EIP) can be manually assigned.

Remediation Steps

Troubleshooting

If instances within a subnet are automatically assigned public IP addresses, there may be a misconfiguration that needs to be addressed. Follow the troubleshooting steps below:

  1. Verify the VPC configuration:

    • Check the VPC settings and ensure that the "DNS resolution" and "DNS hostnames" options are enabled.
    • Confirm that the VPC has an internet gateway attached, allowing outbound connections.

  2. Review the subnet configuration:

    • Double-check that the subnet's route table is configured correctly, with the default route pointing to the internet gateway.
    • Ensure that Network ACLs (NACLs) associated with the subnet allow inbound and outbound traffic as needed.

  3. Check the instance launch settings:

    • Verify that the instance launch configuration does not have the option "Auto-assign Public IP" enabled.

Remediation Steps

To disable automatic public IP assignment for an EC2 subnet, follow these steps:

  1. Sign in to the AWS Management Console.
  2. Open the Amazon VPC console.
  3. In the navigation pane, select "Subnets" and choose the relevant subnet.
  4. Select the "Actions" dropdown, then click "Modify auto-assign IP settings".
  5. Deselect the checkbox for "Auto-assign IPv4" and click "Save".

CLI Command

The following AWS CLI command can be used to disable automatic public IP assignment for a specific subnet:

aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch

Note that --no-map-public-ip-on-launch clears the subnet's MapPublicIpOnLaunch attribute, which is the setting behind the console's "Auto-assign IPv4" checkbox. The similar-looking --no-assign-ipv6-address-on-creation option only affects IPv6 assignment and does not disable public IPv4 addresses.

Replace <subnet-id> with the actual ID of the subnet where you want to disable automatic public IP assignment.
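As an added example that is not part of this page, the following Python script audits the output of aws ec2 describe-subnets for the MapPublicIpOnLaunch attribute this rule checks and builds the remediation command for every failing subnet. The describe-subnets output embedded in it is a constructed sample with placeholder subnet and VPC IDs.

```python
import json
import shlex
from typing import Dict, List

# Constructed sample of `aws ec2 describe-subnets --output json`; the subnet,
# VPC IDs and CIDRs below are placeholders, not real resources.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaa111", "VpcId": "vpc-0example", "CidrBlock": "10.0.0.0/24",
         "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0bbb222", "VpcId": "vpc-0example", "CidrBlock": "10.0.1.0/24",
         "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0ccc333", "VpcId": "vpc-0example", "CidrBlock": "10.0.2.0/24",
         "AvailabilityZone": "us-east-1c", "MapPublicIpOnLaunch": True},
    ]
})


def noncompliant_subnets(describe_output: str) -> List[str]:
    """Return IDs of subnets that auto-assign public IPv4 addresses.

    MapPublicIpOnLaunch is the subnet attribute behind the console's
    "Auto-assign IPv4" checkbox; True means the rule fails for that subnet.
    """
    data = json.loads(describe_output)
    return sorted(
        s["SubnetId"] for s in data.get("Subnets", [])
        if s.get("MapPublicIpOnLaunch", False) is True
    )


def remediation_command(subnet_id: str) -> List[str]:
    """Build the AWS CLI argv that clears MapPublicIpOnLaunch for one subnet."""
    return ["aws", "ec2", "modify-subnet-attribute",
            "--subnet-id", subnet_id, "--no-map-public-ip-on-launch"]


def audit(describe_output: str) -> Dict[str, str]:
    """Map each failing subnet ID to the exact shell command that remediates it."""
    return {sid: shlex.join(remediation_command(sid))
            for sid in noncompliant_subnets(describe_output)}


if __name__ == "__main__":
    # Pipe real output in with: aws ec2 describe-subnets --output json | python3 audit.py
    for sid, cmd in audit(SAMPLE_DESCRIBE_SUBNETS).items():
        print(f"{sid}: FAIL -> {cmd}")
```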

Conclusion

Disabling automatic public IP assignment for EC2 subnets aligns with AWS Foundational Security Best Practices, helping to reduce the exposure of instances to the public internet. By following the provided remediation steps and executing the necessary CLI command, you can enforce a more secure network configuration.
