turbot/steampipe-mod-aws-compliance

Control: 15 EC2 subnets should not automatically assign public IP addresses

Description

This control checks whether Amazon Virtual Private Cloud (Amazon VPC) subnets have MapPublicIpOnLaunch set to FALSE, that is, whether they are configured not to assign public IP addresses automatically. The control passes if the flag is set to FALSE.

All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.

Remediation

You can configure a subnet from the Amazon VPC console.

To configure a subnet to not assign public IP addresses

  1. Open the Amazon VPC console.

  2. In the navigation pane, choose Subnets.

  3. Select your subnet and then choose Subnet Actions, Modify auto-assign IP settings.

  4. Clear the Enable auto-assign public IPv4 address check box and then choose Save.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_15 --share

SQL

This control uses a named query:

select
  subnet_id as resource,
  case
    when map_public_ip_on_launch = 'false' then 'ok'
    else 'alarm'
  end as status,
  case
    when map_public_ip_on_launch = 'false' then title || ' auto assign public IP disabled.'
    else title || ' auto assign public IP enabled.'
  end as reason,
  region,
  account_id
from
  aws_vpc_subnet;
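The same pass/fail logic as the query above, applied to the raw DescribeSubnets shape and paired with the API form of the console steps in the Remediation section. This is an added example, not code from the mod: the subnet records and account id are constructed, and the title fallback (Name tag, else subnet id) is my assumption about how Steampipe's title column behaves.

```python
"""EC2.15 as a standalone check over ec2.describe_subnets()["Subnets"] (boto3 shape)."""
from __future__ import annotations

# Constructed sample data; subnet ids and the account id are placeholders.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "MapPublicIpOnLaunch": True, "OwnerId": "111111111111",
     "Tags": [{"Key": "Name", "Value": "public-a"}]},
    {"SubnetId": "subnet-0bbb", "MapPublicIpOnLaunch": False, "OwnerId": "111111111111",
     "Tags": [{"Key": "Name", "Value": "private-b"}]},
    # No Name tag: the reason falls back to the subnet id (assumed title behaviour).
    {"SubnetId": "subnet-0ccc", "MapPublicIpOnLaunch": True, "OwnerId": "111111111111"},
]


def subnet_title(subnet: dict) -> str:
    """Name tag when present, otherwise the subnet id (assumption, see lead-in)."""
    for tag in subnet.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return subnet["SubnetId"]


def evaluate(subnets: list[dict], region: str) -> list[dict]:
    """Mirror the control's SQL: 'ok' only when the flag is explicitly false.
    A missing attribute is treated as 'alarm', just as NULL = 'false' is not true in SQL."""
    rows = []
    for s in subnets:
        disabled = s.get("MapPublicIpOnLaunch") is False
        rows.append({
            "resource": s["SubnetId"],
            "status": "ok" if disabled else "alarm",
            "reason": f"{subnet_title(s)} auto assign public IP "
                      f"{'disabled' if disabled else 'enabled'}.",
            "region": region,
            "account_id": s.get("OwnerId"),
        })
    return rows


def remediation_calls(rows: list[dict]) -> list[dict]:
    """Keyword arguments for ec2.modify_subnet_attribute(), one per alarming subnet.
    This is the API equivalent of clearing 'Enable auto-assign public IPv4 address'."""
    return [{"SubnetId": r["resource"], "MapPublicIpOnLaunch": {"Value": False}}
            for r in rows if r["status"] == "alarm"]


if __name__ == "__main__":
    results = evaluate(SAMPLE_SUBNETS, region="us-east-1")
    for r in results:
        print(f"{r['status']:5} {r['resource']}  {r['reason']}")
    # Live use: for kw in remediation_calls(results): ec2.modify_subnet_attribute(**kw)
```

Changing the subnet attribute only affects network interfaces created afterwards, so re-run the control after remediation to confirm the flag, not the existing instances' addresses.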

Tags