AWS VPC Subnet Map Public IP On Launch is enabled
- Contextual name: Subnet Map Public IP On Launch is enabled
- ID: /ce/ca/aws/vpc/disable-subnet-map-public-ip-on-launch
- Located in: AWS VPC
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Similar Policies
- AWS Security Hub
- [[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-15)
Logic
- prod.logic.yaml
- AWS VPC Subnet
- AWS VPC Subnet - object.extracts.yaml
- test-data.json
Description
This policy checks whether an AWS VPC Subnet is configured to automatically assign public IPv4 addresses to instances launched within it.
Rationale
Public IP assignment should be an intentional and controlled action. When the auto-assign public IP setting is enabled at the subnet level, all instances launched into the subnet (unless explicitly overridden) automatically receive a public IP address. This can inadvertently expose resources to the internet and increase the attack surface.
Audit
This policy flags an AWS VPC Subnet as INCOMPLIANT if the Map Public IP On Launch checkbox is set to true.
Remediation
From Command Line
Disable the Auto-assign Public IPv4 Address Subnet Attribute
aws ec2 modify-subnet-attribute \
--subnet-id {{subnet-id}} \
--no-map-public-ip-on-launch
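As an added example (not the policy's own prod.logic.yaml and not part of the original page), the script below applies the audit rule above to the JSON that `aws ec2 describe-subnets` returns and emits the remediation command for every subnet flagged INCOMPLIANT. The subnet and VPC identifiers in the sample are constructed; only the `MapPublicIpOnLaunch` field is read, and a missing field is treated as false.

```python
import json

# Constructed sample of `aws ec2 describe-subnets` output (IDs are made up).
# The third subnet omits MapPublicIpOnLaunch to show the defensive default.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaa1111", "VpcId": "vpc-0a1b2c3d",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0bbb2222", "VpcId": "vpc-0a1b2c3d",
         "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-0ccc3333", "VpcId": "vpc-0a1b2c3d",
         "CidrBlock": "10.0.3.0/24"},
    ]
})


def evaluate_subnet(subnet: dict) -> str:
    """Apply the audit rule: INCOMPLIANT when MapPublicIpOnLaunch is true.

    Only a JSON boolean true counts; an absent or false value is COMPLIANT.
    """
    if subnet.get("MapPublicIpOnLaunch", False) is True:
        return "INCOMPLIANT"
    return "COMPLIANT"


def find_incompliant_subnets(describe_subnets_json: str) -> list:
    """Return the IDs of every subnet in describe-subnets output that is flagged."""
    data = json.loads(describe_subnets_json)
    return [s["SubnetId"] for s in data.get("Subnets", [])
            if evaluate_subnet(s) == "INCOMPLIANT"]


def remediation_command(subnet_id: str) -> str:
    """Build the remediation command from the page for one subnet."""
    return ("aws ec2 modify-subnet-attribute "
            f"--subnet-id {subnet_id} --no-map-public-ip-on-launch")


if __name__ == "__main__":
    # Pipe real output in with: aws ec2 describe-subnets --output json
    for subnet_id in find_incompliant_subnets(SAMPLE_DESCRIBE_SUBNETS):
        print(remediation_command(subnet_id))
```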