Control: 15 EC2 subnets should not automatically assign public IP addresses
Description
This control checks whether Amazon Virtual Private Cloud (Amazon VPC) subnets have the MapPublicIpOnLaunch attribute set to FALSE, that is, whether the subnet automatically assigns public IPv4 addresses. The control passes if the flag is set to FALSE.
All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface.
Remediation
You can configure a subnet from the Amazon VPC console.
To configure a subnet to not assign public IP addresses:
1. Open the Amazon VPC console.
2. In the navigation pane, choose Subnets.
3. Select your subnet and then choose Subnet Actions, Modify auto-assign IP settings.
4. Clear the Enable auto-assign public IPv4 address check box and then choose Save.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_15
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_15 --share
SQL
This control uses a named query:
vpc_subnet_auto_assign_public_ip_disabled
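The check the control performs, and the CLI form of the console remediation above, as an added offline example (not the mod's own query or code): it applies the MapPublicIpOnLaunch rule to a constructed `aws ec2 describe-subnets` response and emits an `aws ec2 modify-subnet-attribute` command for each failing subnet. The subnet and VPC IDs are constructed sample values.

```python
"""Offline evaluation of the EC2.15 rule: a subnet passes only when
MapPublicIpOnLaunch is false. Added example, not part of the Powerpipe mod."""
import json

# Constructed sample of the JSON returned by `aws ec2 describe-subnets`.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"SubnetId": "subnet-0aaa11112222bbbb3", "VpcId": "vpc-0111aaaa2222bbbb3",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-0ccc33334444dddd5", "VpcId": "vpc-0111aaaa2222bbbb3",
         "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
        # Absent flag is treated as disabled, the default for subnets outside the default VPC.
        {"SubnetId": "subnet-0eee55556666ffff7", "VpcId": "vpc-0111aaaa2222bbbb3",
         "CidrBlock": "10.0.3.0/24"},
    ]
})


def evaluate_subnets(describe_subnets_json: str) -> list[dict]:
    """Return one finding per subnet, using the ok/alarm statuses Powerpipe reports."""
    findings = []
    for subnet in json.loads(describe_subnets_json)["Subnets"]:
        auto_assign = bool(subnet.get("MapPublicIpOnLaunch", False))
        findings.append({
            "resource": subnet["SubnetId"],
            "status": "alarm" if auto_assign else "ok",
            "reason": f"{subnet['SubnetId']} auto assign public IP "
                      f"{'enabled' if auto_assign else 'disabled'}.",
        })
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """AWS CLI equivalent of clearing the console check box, one command per alarming subnet."""
    return [
        f"aws ec2 modify-subnet-attribute --subnet-id {f['resource']} --no-map-public-ip-on-launch"
        for f in findings if f["status"] == "alarm"
    ]


if __name__ == "__main__":
    results = evaluate_subnets(SAMPLE_DESCRIBE_SUBNETS)
    for finding in results:
        print(f"{finding['status']:5} {finding['reason']}")
    print("\n".join(remediation_commands(results)))
```

The subnet flag only governs auto-assignment to the primary interface at launch, so an instance in a passing subnet can still hold a public IPv4 address through an Elastic IP association; pair this control with instance-level checks.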