🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢

• Contextual name: 🛡️ Instance with an auto-assigned public IP address is in a default subnet🟢
• ID: /ce/ca/aws/ec2/instance-with-public-ip-in-default-subnet
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS EC2 Instance
  • 🔌 AWS EC2 Instance - object.extracts.yaml
  • 🔌 AWS VPC Subnet - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy checks if any AWS EC2 Instance with a public IP address is deployed within a default subnet.

By default, a default subnet is configured as a public subnet because the main route table is associated with an internet gateway, enabling outbound traffic to the internet.

Instances launched into a default subnet are automatically assigned a public IPv4 address, a private IPv4 address, and both public and private DNS hostnames.

Rationale

Deploying instances in default subnets can inadvertently expose them to the public internet. Default VPCs and subnets are intended for ease of deployment and testing, rather than for building secure, production-grade environments.

Production workloads and sensitive resources should always be provisioned in custom VPCs with dedicated subnets, where routing, access, and security controls are explicitly defined and managed.

Audit

This policy flags an AWS EC2 Instance as INCOMPLIANT if it has a Public IP Address and resides in a VPC Subnet where both Default For AZ and Map Public IP On Launch checkboxes are set to true.

... see more

Remediation

Open File

Remediation

From Command Line

Consider two remediation paths:

• Option 1: Remove the public IP address if it is not required.
• Option 2: Relocate the instance to a purpose-built subnet (public or private, depending on requirements).

Option 1: Remove the Public IP Address

If direct inbound access from the internet is not required, remove the public IP.

Modify network interface settings to disable public IP auto-assignment:

aws ec2 modify-network-interface-attribute \
    --network-interface-id {{network-interface-id}} \
    --no-associate-public-ip-address

(Recommended) Disable the Auto-assign Public IPv4 Address Subnet Attribute

aws ec2 modify-subnet-attribute \
    --subnet-id {{subnet-id}} \
    --no-map-public-ip-on-launch

Option 2: Move the Instance to a Custom Subnet

If the instance must remain publicly accessible, it should be deployed in a custom public subnet with explicit security controls (e.g., restrictive security groups, NACLs).

If it only requires outbound internet access, deploy it into a private subnet that routes traffic through a NAT Gateway.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.9] Amazon EC2 instances should not have a public IPv4 address			1		no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			80		no data
💼 Cloudaware Framework → 💼 System Configuration			35		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	67		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	36	79		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	46		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	56		no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			8		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	48		no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			8		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			28		no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			8		no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			22		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			67		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			33		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			67		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		64		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			46		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		56		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			8		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		42		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			8		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			28		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			120		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			139		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			48		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			91		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			118		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			98		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			112		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			70		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	37		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			14		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	68	89		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	46		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	49		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	50		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			28		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			14		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			22		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			23		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			22		no data