Ensure 'public IP on launch' is not enabled for AWS Subnets

MEDIUM

Description

Allowing unrestricted, public access to cloud services could open an application up to external attack. When auto-assign public IPv4 is enabled on a subnet, every instance launched into it receives a public IP address by default, so an accidental launch or a permissive security group exposes the instance directly to the internet. Disallowing this access is typically considered best practice.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the VPC dashboard.
  2. In the navigation pane, select subnets.
  3. Select your subnet and then choose Subnet Actions, Modify auto-assign IP settings.
  4. Clear the Enable auto-assign public IPv4 address check box and then choose Save.

In terraform -

  1. In the 'aws_subnet' resource, set 'map_public_ip_on_launch' to false.
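The following Terraform snippet is an added illustration and is not part of the original policy page or any project's code: it shows an `aws_subnet` that would be flagged by this rule beside the corrected form. The VPC resource, CIDR ranges and resource names are constructed for the example.

```hcl
# Constructed example: a VPC to hold both subnets below.
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

# Flagged by AC_AWS_0391: every instance launched into this subnet
# is automatically assigned a public IPv4 address.
resource "aws_subnet" "flagged" {
  vpc_id                  = aws_vpc.example.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
}

# Remediated: public IPv4 auto-assignment disabled. This is also the
# provider default, so omitting the argument entirely is equivalent,
# but setting it explicitly documents the intent and keeps the plan
# stable if the default ever changes.
resource "aws_subnet" "remediated" {
  vpc_id                  = aws_vpc.example.id
  cidr_block              = "10.0.2.0/24"
  map_public_ip_on_launch = false
}
```

Instances that genuinely need a public address can still get one by setting `associate_public_ip_address` on the individual `aws_instance` or by attaching an `aws_eip`, which keeps exposure an explicit per-resource decision rather than a subnet-wide default.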

References:
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-subnets.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet

Policy Details

Rule Reference ID: AC_AWS_0391
CSP: AWS
Remediation Available: Yes
Resource: aws_subnet
Resource Category: Virtual Network
Resource Type: Security Group

Frameworks