Rule: VPC Subnet Auto Assign Public IP Should Be Disabled

This rule ensures VPC subnets do not automatically assign public IPs to instances.

Rule: VPC subnet auto assign public IP should be disabled
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

According to NIST 800-53 Revision 5, the VPC subnet auto assign public IP feature should be disabled. This rule ensures that instances within the Virtual Private Cloud (VPC) do not automatically receive a public IP address upon creation. Disabling this feature is important for maintaining the security and compliance posture of the VPC.

Enabling auto assign public IP allows instances to directly communicate with the internet, which may introduce potential security risks if not properly controlled. By disabling this feature, organizations ensure that instances within the VPC only have private IP addresses by default, reducing the attack surface and exposure to external threats.

Troubleshooting Steps (if any)

If instances in your VPC are unexpectedly receiving public IP addresses, follow these troubleshooting steps:

  1. Confirm the VPC configuration: Check whether the auto assign public IP feature is disabled for the subnets within your VPC. Review the subnet settings to ensure that instances are not automatically assigned public IP addresses.

  2. Verify instance launch settings: If a specific instance is receiving a public IP address, check the launch configuration or parameters used when creating the instance. Ensure that the "AssociatePublicIpAddress" parameter is set to "false" to prevent auto-assignment of a public IP.

  3. Check network ACLs and security groups: Verify that the applicable network Access Control List (ACL) and security group configuration do not override the subnet-level settings. These configurations could potentially allow instances to receive public IP addresses even if the subnet-level setting is disabled.

  4. Verify Elastic IP allocation: If you have manually associated an Elastic IP address directly with an instance, that instance bypasses the auto assign public IP setting. Make sure that no Elastic IP is associated with the instance causing the issue.
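The troubleshooting steps above boil down to asking, for each instance that has a public address, where that address came from. The following is an added example (not code from the original page or from Cloud Defense) that performs that triage offline against constructed records shaped like the JSON returned by `aws ec2 describe-subnets` and `aws ec2 describe-instances` (flattened to one dict per instance). It assumes the documented owner-ID convention for public IPv4 associations: `Association.IpOwnerId` is `"amazon"` for an auto-assigned address and is the owning account ID for an Elastic IP. An instance whose subnet has auto-assign disabled but which still carries an Amazon-owned public IP is reported as a launch-time override (step 2), since that is the only remaining source.

```python
"""Triage the source of an EC2 instance's public IPv4 address.

Added example for this rule page; the resource IDs and addresses below are
constructed sample data, not real resources.
"""
from __future__ import annotations

# Constructed sample in the shape of `aws ec2 describe-subnets` (fields we use only).
SUBNETS = [
    {"SubnetId": "subnet-0aaa", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0bbb", "MapPublicIpOnLaunch": False},
]

# Constructed sample of describe-instances output, one dict per instance.
INSTANCES = [
    {   # public IP handed out by the subnet's auto-assign setting
        "InstanceId": "i-0001", "SubnetId": "subnet-0aaa",
        "PublicIpAddress": "203.0.113.10",
        "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"}}],
    },
    {   # Elastic IP: owner is the account, so the subnet setting is irrelevant
        "InstanceId": "i-0002", "SubnetId": "subnet-0bbb",
        "PublicIpAddress": "203.0.113.20",
        "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.20", "IpOwnerId": "111122223333"}}],
    },
    {   # subnet has auto-assign off, yet an Amazon-owned public IP exists:
        # AssociatePublicIpAddress was set to true at launch
        "InstanceId": "i-0003", "SubnetId": "subnet-0bbb",
        "PublicIpAddress": "203.0.113.30",
        "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.30", "IpOwnerId": "amazon"}}],
    },
    {   # compliant: private address only, no association block
        "InstanceId": "i-0004", "SubnetId": "subnet-0bbb",
        "NetworkInterfaces": [{}],
    },
]


def subnet_auto_assign(subnets: list[dict]) -> dict[str, bool]:
    """Map SubnetId -> whether the subnet auto-assigns public IPs on launch."""
    return {s["SubnetId"]: bool(s.get("MapPublicIpOnLaunch")) for s in subnets}


def classify_public_ip(instance: dict, auto_assign: dict[str, bool]) -> str:
    """Return 'none', 'elastic-ip', 'subnet-auto-assign' or 'launch-override'."""
    if not instance.get("PublicIpAddress"):
        return "none"
    # Step 4: an Elastic IP is owned by the account, not by "amazon".
    for eni in instance.get("NetworkInterfaces", []):
        assoc = eni.get("Association") or {}
        if assoc.get("PublicIp") and assoc.get("IpOwnerId") != "amazon":
            return "elastic-ip"
    # Step 1: the subnet itself hands out public IPs.
    if auto_assign.get(instance["SubnetId"], False):
        return "subnet-auto-assign"
    # Step 2: subnet is compliant, so the address came from the launch request.
    return "launch-override"


def triage(instances: list[dict], subnets: list[dict]) -> dict[str, str]:
    """Classify every instance; the result drives which remediation step applies."""
    auto = subnet_auto_assign(subnets)
    return {i["InstanceId"]: classify_public_ip(i, auto) for i in instances}


if __name__ == "__main__":
    for instance_id, cause in triage(INSTANCES, SUBNETS).items():
        print(f"{instance_id}: {cause}")
```

Run against live data by feeding the `Subnets` array and the flattened `Reservations[].Instances[]` array from the two describe calls; every `subnet-auto-assign` hit points at a subnet to fix under the remediation steps, while `elastic-ip` and `launch-override` hits are instance-level decisions the subnet setting cannot control.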

Necessary Codes (if any)

There are no specific codes associated with this rule. Disabling the auto assign public IP feature is a configuration change within the AWS Management Console or can be achieved using AWS CLI commands, as explained in the next section.

Remediation Steps

Follow these step-by-step instructions to disable the auto assign public IP feature for your VPC subnets:

  1. Log in to the AWS Management Console.

  2. Open the Amazon VPC service.

  3. In the navigation pane, click on "Subnets."

  4. Select the desired subnet from the list.

  5. In the "Details" tab, locate the "Auto-assign Public IP" field.

  6. Click on the "Edit auto-assign IP settings" link next to the field.

  7. In the "Edit auto-assign IP settings" dialog box, select the "Do not auto-assign Public IP addresses" option.

  8. Click "Save."

  9. Repeat steps 4-8 for all the subnets within your VPC.

By following these steps, you have now disabled the auto assign public IP feature for all the subnets within your VPC, aligning with the NIST 800-53 Revision 5 guideline.
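Repeating the console steps for every subnet does not scale past a handful of VPCs, and the "Necessary Codes" section notes the same change can be made from the AWS CLI. The following is an added example (not code from the original page or from Cloud Defense) that audits `aws ec2 describe-subnets --output json` output for subnets with `MapPublicIpOnLaunch` set and emits the corresponding `aws ec2 modify-subnet-attribute --no-map-public-ip-on-launch` command for each. The JSON below is constructed sample data; the subnet attribute and CLI flag names are the real AWS ones.

```python
"""Audit subnets for auto-assign public IP and emit remediation commands.

Added example for this rule page. The describe-subnets JSON below is
constructed sample data, not output from a real account.
"""
from __future__ import annotations

import json

# Constructed sample in the shape of `aws ec2 describe-subnets --output json`.
DESCRIBE_SUBNETS_JSON = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0111", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0111", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0222", "MapPublicIpOnLaunch": True},
    ]
})


def noncompliant_subnets(describe_json: str, vpc_id: str | None = None) -> list[str]:
    """Return the IDs of subnets that auto-assign public IPs, optionally per VPC.

    A missing MapPublicIpOnLaunch key is treated as False, which matches the
    attribute's default for a newly created subnet.
    """
    data = json.loads(describe_json)
    return sorted(
        s["SubnetId"]
        for s in data.get("Subnets", [])
        if s.get("MapPublicIpOnLaunch", False)
        and (vpc_id is None or s.get("VpcId") == vpc_id)
    )


def remediation_commands(subnet_ids: list[str]) -> list[str]:
    """One modify-subnet-attribute call per subnet; equivalent to console steps 4-8."""
    return [
        f"aws ec2 modify-subnet-attribute --subnet-id {sid} --no-map-public-ip-on-launch"
        for sid in subnet_ids
    ]


def audit_report(describe_json: str, vpc_id: str | None = None) -> dict[str, object]:
    """Bundle the finding and the fix so the result can be logged or reviewed."""
    bad = noncompliant_subnets(describe_json, vpc_id)
    return {"noncompliant": bad, "commands": remediation_commands(bad)}


if __name__ == "__main__":
    report = audit_report(DESCRIBE_SUBNETS_JSON)
    print(f"{len(report['noncompliant'])} subnet(s) auto-assign public IPs")
    for cmd in report["commands"]:
        print(cmd)
```

In practice, pipe real output in with `aws ec2 describe-subnets --output json | python audit.py` (reading stdin instead of the constant), review the generated commands, then run them; because `MapPublicIpOnLaunch` only affects future launches, instances that already hold a public address still need the instance-level checks from the troubleshooting section.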
