Rule: VPC Subnet Auto Assign Public IP Should Be Disabled

This rule ensures that VPC subnets do not automatically assign public IP addresses to instances, enhancing security.

Rule: VPC subnet auto assign public IP should be disabled
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium

Rule Description: Disable Auto-assign Public IP for VPC Subnets in line with NIST CSF v1

Summary

In accordance with the NIST Cybersecurity Framework (CSF) version 1, it is recommended to disable the auto-assign public IP feature for VPC subnets. This rule prevents the automatic assignment of public IP addresses to resources within the subnet and helps reduce the attack surface of your environment. By following this guideline, you enhance the security posture of your VPC and mitigate potential risks associated with public IP addresses.

Why is this important?

Auto-assigning public IP addresses to resources within VPC subnets may inadvertently expose internal resources directly to the internet, increasing the risk of unauthorized access or potential attacks. Disabling this feature ensures that resources within the subnet are not directly accessible from the public internet, providing an additional layer of security.

Troubleshooting Steps (if applicable)

In case of any issues arising from disabling the auto-assign public IP feature, follow these troubleshooting steps:

  1. Verify that the necessary network configurations are in place, such as properly configured route tables, NAT gateways, or Internet Gateways.
  2. Ensure that any instances or resources that require internet access are properly configured with an elastic IP address or NAT gateway.
  3. Check if there are any specific requirements or dependencies within your environment that may require public IP addresses for certain resources. Adjust configurations accordingly, and consider implementing alternative solutions to ensure secure access if needed.
  4. Validate that the updated subnet configurations are propagated correctly to all relevant components within your VPC, such as load balancers, security groups, or network ACLs.
  5. If issues persist, consult AWS documentation, support resources, or seek assistance from experienced network or security professionals.

Necessary Codes (if applicable)

No specific code is required for this rule. Instead, it involves making a configuration change using the AWS Management Console or the AWS command-line interface (CLI).

Step-by-step Guide for Remediation

Step 1: Access AWS Management Console

  1. Open a web browser and go to https://console.aws.amazon.com/.
  2. Sign in with your AWS account credentials.

Step 2: Navigate to Amazon VPC Console

  1. Once signed in, select the "Services" drop-down menu at the top of the page.
  2. Choose "VPC" from the list of available services under the "Networking & Content Delivery" category.

Step 3: Disable Auto-assign Public IP

  1. In the Amazon VPC console, click on "Subnets" in the left-hand navigation pane.
  2. Select the appropriate VPC subnet where you want to disable auto-assign public IP.
  3. Click on the "Actions" button at the top of the subnet list and choose "Modify auto-assign IP settings" from the drop-down menu.
  4. In the "Modify auto-assign IP settings" window, uncheck the "Auto-assign Public IP" option.
  5. Click on the "Save" button to apply the changes.

Step 4: Validate Changes

  1. Verify that the changes have been applied successfully by checking the subnet details.
  2. Ensure that the "Auto-assign Public IP" field for the selected subnet now displays "No".

Conclusion

By following the steps outlined in this guide, you have successfully disabled the auto-assign public IP feature for the specified VPC subnet in line with the NIST Cybersecurity Framework (CSF) version 1. This action improves the security of your VPC environment and helps mitigate potential risks associated with public IP exposure.
