This rule ensures VPC subnets do not automatically assign public IP addresses.
| Rule | VPC subnet auto assign public IP should be disabled |
| Framework | FedRAMP Low Revision 4 |
| Severity | Medium |
Rule Description
The rule "VPC subnet auto assign public IP should be disabled for FedRAMP Low Revision 4" requires that, in an Amazon Web Services (AWS) Virtual Private Cloud (VPC) environment, subnets do not automatically assign public IP addresses to instances launched into them. This applies to systems adhering to the FedRAMP (Federal Risk and Authorization Management Program) Low security requirements, as specified in Revision 4.
Policy Details
By disabling the auto-assignment of public IP addresses to subnets within a VPC, you ensure that resources deployed within those subnets do not have direct public connectivity by default. This configuration aligns with the security requirements defined in FedRAMP Low Revision 4, where public access to resources should be controlled through specific network configurations, such as the use of Network Address Translation (NAT) gateways or secure network architecture.
Troubleshooting Steps (if applicable)
If the auto-assignment of public IP addresses is enabled for a subnet in violation of this rule, follow these steps to troubleshoot and remediate the issue:
Identify the affected subnet: Check the VPC and subnet configurations to find the subnet where the auto-assignment of public IP addresses is still enabled.
Disable public IP auto-assignment: Update the subnet configuration to disable the automatic assignment of public IP addresses. This can be done either using the AWS Management Console or the AWS Command Line Interface (CLI).
CLI Command(s)
Use the following AWS CLI command to disable the auto-assignment of public IP addresses for a subnet:
aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-map-public-ip-on-launch
Replace <subnet-id> with the actual ID of the subnet you want to modify.
Remediation Steps
To remediate the violation of the "VPC subnet auto assign public IP should be disabled for FedRAMP Low Revision 4" rule, follow these step-by-step instructions:
1. Identify the affected subnet(s): Determine the subnet(s) that require the disabling of auto-assignment of public IP addresses for compliance with FedRAMP Low Revision 4.
2. Access the AWS Management Console: Log in to the AWS Management Console using valid credentials.
3. Open the Amazon VPC service: Navigate to the "Services" dropdown menu and select "VPC" under the "Networking & Content Delivery" category.
4. Identify the VPC: Locate and select the VPC that contains the subnet(s) identified in step 1.
5. Select the Subnets tab: Within the VPC management console, click on the "Subnets" tab to view the list of subnets within the selected VPC.
6. Find the subnet(s) to modify: Identify the subnet(s) that require the disabling of public IP auto-assignment for compliance.
7. Modify the subnet attribute: Select a subnet from the list and click on the "Actions" dropdown menu. Choose the "Modify auto-assign IP settings" option.
8. Disable public IP auto-assignment: In the "Modify auto-assign IP settings" dialog box, deselect the option for "Auto-assign Public IP". Click "Save" to apply the changes.
9. Repeat for other affected subnets: If multiple subnets require the same modification, repeat steps 7 and 8 for each of them.
10. Verify the changes: After modifying the subnets, verify the changes by checking the subnet attributes. The "MapPublicIpOnLaunch" attribute should be set to "false" for the respective subnets.
By following these steps, you have successfully remediated the violation of the "VPC subnet auto assign public IP should be disabled for FedRAMP Low Revision 4" rule in AWS VPC.
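The audit, remediation and verification steps above can be driven from the JSON that `aws ec2 describe-subnets --output json` prints. The following is an added example, not part of this rule page or any AWS tooling: it finds subnets whose MapPublicIpOnLaunch attribute is true, builds the modify-subnet-attribute command from the CLI section for each one, and checks the attribute again afterwards. The subnet and VPC IDs in the embedded sample are constructed, not real resources.

```python
import json

# Constructed sample of `aws ec2 describe-subnets --output json` output.
# Only one of the three subnets has public IP auto-assignment enabled.
SAMPLE_DESCRIBE_SUBNETS = """
{"Subnets": [
  {"SubnetId": "subnet-0aaa111", "VpcId": "vpc-0fff999",
   "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": true,
   "Tags": [{"Key": "Name", "Value": "web-public"}]},
  {"SubnetId": "subnet-0bbb222", "VpcId": "vpc-0fff999",
   "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": false,
   "Tags": [{"Key": "Name", "Value": "app-private"}]},
  {"SubnetId": "subnet-0ccc333", "VpcId": "vpc-0fff999",
   "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": false}
]}
"""


def find_noncompliant_subnets(describe_output: str) -> list:
    """Return the IDs of subnets that violate the rule (auto-assign enabled)."""
    data = json.loads(describe_output)
    return [s["SubnetId"] for s in data.get("Subnets", [])
            if s.get("MapPublicIpOnLaunch", False)]


def remediation_command(subnet_id: str) -> list:
    """Build the AWS CLI command from the rule's CLI section as an argv list."""
    return ["aws", "ec2", "modify-subnet-attribute",
            "--subnet-id", subnet_id, "--no-map-public-ip-on-launch"]


def verify_compliant(describe_output: str, subnet_ids) -> bool:
    """Post-change check: every listed subnet must now report the attribute as false."""
    data = json.loads(describe_output)
    state = {s["SubnetId"]: s.get("MapPublicIpOnLaunch", False)
             for s in data.get("Subnets", [])}
    # A subnet missing from the output is treated as unverified, not compliant.
    return all(sid in state and state[sid] is False for sid in subnet_ids)


if __name__ == "__main__":
    # Audit the sample, then print the remediation command for each finding.
    # In practice, re-run describe-subnets after remediation and call verify_compliant.
    findings = find_noncompliant_subnets(SAMPLE_DESCRIBE_SUBNETS)
    for sid in findings:
        print(" ".join(remediation_command(sid)))
    print("compliant:", verify_compliant(SAMPLE_DESCRIBE_SUBNETS, findings))
```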