🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢

Contextual name: 🛡️ Subnet Map Public IP On Launch is enabled🟢
ID: /ce/ca/aws/vpc/disable-subnet-map-public-ip-on-launch
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS VPC Subnet
- 🔌 AWS VPC Subnet - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses

Description

Description

This policy identifies AWS VPC Subnets that are configured to automatically assign public IPv4 addresses and/or IPv6 addresses to instances launched within them.

Rationale

Public IP address assignment should be an intentional and controlled action. When subnet-level auto-assignment settings are enabled, all instances launched into the subnet (unless explicitly overridden) automatically receive externally routable IP addresses.

Map Public IP On Launch assigns a public IPv4 address.

Assign IPv6 Address On Creation assigns an IPv6 address from the subnet's IPv6 CIDR block.

Enabling either setting can unintentionally expose resources to external networks, increasing the attack surface and the risk of unauthorized access. These settings should be enabled only for subnets explicitly designed for internet-facing workloads.

Audit

This policy flags an AWS VPC Subnet as INCOMPLIANT if either of the following conditions is met:

Map Public IP On Launch is set to true

Assign IPv6 Address On Creation is set to true

Remediation

Open File

Remediation

Disable automatic public IP assignment at the subnet level

Disable both IPv4 and IPv6 auto-assignment settings on the subnet to ensure that IP address exposure is explicitly controlled.

From Command Line

Disable auto-assign public IPv4 addresses
aws ec2 modify-subnet-attribute \
    --subnet-id {{subnet-id}} \
    --no-map-public-ip-on-launch
Disable auto-assign IPv6 addresses on instance creation
aws ec2 modify-subnet-attribute \
    --subnet-id {{subnet-id}} \
    --no-assign-ipv6-address-on-creation
Considerations

These changes apply only to instances launched after the modification.

Existing instances retain their currently assigned IPv4 and IPv6 addresses.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses			1	no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			116	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	63	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79	no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84	no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			20	no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			63	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			31	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	63	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	93	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			34	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			20	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37	no data
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			15	no data
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data
💼 PCI DSS v4.0 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Disable automatic public IP assignment at the subnet level​

From Command Line​

Disable auto-assign public IPv4 addresses​

Disable auto-assign IPv6 addresses on instance creation​

Considerations​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Disable automatic public IP assignment at the subnet level

From Command Line

Disable auto-assign public IPv4 addresses

Disable auto-assign IPv6 addresses on instance creation

Considerations

policy.yaml

Linked Framework Sections