AWS VPC Subnet Map Public IP On Launch is enabled
- Contextual name: Subnet Map Public IP On Launch is enabled
- ID: /ce/ca/aws/vpc/disable-subnet-map-public-ip-on-launch
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
- AWS VPC Subnet
- AWS VPC Subnet - object.extracts.yaml
- test-data.json
Similar Policies
Description
This policy identifies AWS VPC Subnets that are configured to automatically assign public IPv4 addresses and/or IPv6 addresses to instances launched within them.
Rationale
Public IP address assignment should be an intentional and controlled action. When subnet-level auto-assignment settings are enabled, all instances launched into the subnet (unless explicitly overridden) automatically receive externally routable IP addresses.
- Map Public IP On Launch assigns a public IPv4 address.
- Assign IPv6 Address On Creation assigns an IPv6 address from the subnet's IPv6 CIDR block.
Enabling either setting can unintentionally expose resources to external networks, increasing the attack surface and the risk of unauthorized access. These settings should be enabled only for subnets explicitly designed for internet-facing workloads.
Audit
This policy flags an AWS VPC Subnet as INCOMPLIANT if either of the following conditions is met:
- Map Public IP On Launch is set to true
- Assign IPv6 Address On Creation is set to true
Remediation
Disable automatic public IP assignment at the subnet level
Disable both IPv4 and IPv6 auto-assignment settings on the subnet to ensure that IP address exposure is explicitly controlled.
From Command Line
Disable auto-assign public IPv4 addresses
aws ec2 modify-subnet-attribute \
  --subnet-id {{subnet-id}} \
  --no-map-public-ip-on-launch
Disable auto-assign IPv6 addresses on instance creation
aws ec2 modify-subnet-attribute \
  --subnet-id {{subnet-id}} \
  --no-assign-ipv6-address-on-creation
Considerations
- These changes apply only to instances launched after the modification.
- Existing instances retain their currently assigned IPv4 and IPv6 addresses.
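The Audit conditions and the Remediation commands above, combined into one added example that is not the policy's own prod.logic.yaml or test-data.json: it evaluates subnet records in the shape returned by `aws ec2 describe-subnets` (the `MapPublicIpOnLaunch` and `AssignIpv6AddressOnCreation` fields) and derives the matching `modify-subnet-attribute` call for each failing attribute; the sample records and subnet IDs are constructed.

```python
# Added example, not the policy's own prod.logic.yaml: applies the Audit
# conditions above to the record shape returned by `aws ec2 describe-subnets`
# and derives the matching remediation command for each failing attribute.

# describe-subnets attribute name -> modify-subnet-attribute flag that disables it
CHECKS = {
    "MapPublicIpOnLaunch": "--no-map-public-ip-on-launch",
    "AssignIpv6AddressOnCreation": "--no-assign-ipv6-address-on-creation",
}


def evaluate_subnet(subnet):
    """Return (status, failing_attributes) for one subnet record.
    INCOMPLIANT if either auto-assign attribute is true; an attribute that
    is absent from the record is treated as false."""
    failing = [attr for attr in CHECKS if subnet.get(attr) is True]
    return ("INCOMPLIANT" if failing else "COMPLIANT"), failing


def remediation_commands(subnet_id, failing):
    """One modify-subnet-attribute call per enabled auto-assign setting."""
    return [f"aws ec2 modify-subnet-attribute --subnet-id {subnet_id} {CHECKS[a]}"
            for a in failing]


def audit(describe_output):
    """Map every SubnetId in a describe-subnets response to its verdict."""
    results = {}
    for subnet in describe_output.get("Subnets", []):
        status, failing = evaluate_subnet(subnet)
        results[subnet["SubnetId"]] = {
            "status": status,
            "failing": failing,
            "remediation": remediation_commands(subnet["SubnetId"], failing),
        }
    return results


# Constructed sample response; subnet IDs are placeholders, not real resources.
SAMPLE = {"Subnets": [
    {"SubnetId": "subnet-0aaa", "MapPublicIpOnLaunch": True, "AssignIpv6AddressOnCreation": False},
    {"SubnetId": "subnet-0bbb", "MapPublicIpOnLaunch": False, "AssignIpv6AddressOnCreation": True},
    {"SubnetId": "subnet-0ccc", "MapPublicIpOnLaunch": False},
]}

if __name__ == "__main__":
    for subnet_id, result in audit(SAMPLE).items():
        print(subnet_id, result["status"], *result["remediation"], sep="\n  ")
```

Running it against a live account means feeding `audit()` the parsed output of `aws ec2 describe-subnets` instead of `SAMPLE`; per the Considerations above, the generated commands only affect instances launched after the change.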