Enhancing Security: Disabling Automatic Public IP Assignment for EC2 Subnets
Introduction:-
In #AWS EC2, by default, subnets are configured to automatically assign public IP addresses to instances launched within them. However, there are scenarios where you may want to disable this behavior to enhance security or limit outbound traffic. Fortunately, with #Terraform, you can easily control this feature and configure your subnets to avoid automatic public IP assignments.
Issues: This Security Hub control checks whether the MapPublicIpOnLaunch attribute of #Amazon Virtual Private Cloud (VPC) subnets is set to FALSE. The control passes when the flag is set to FALSE.
General step to follow: Create a folder, and inside that folder create a file named terragrunt.hcl; paste the code below into it. This is an example reference.
# terragrunt.hcl
terraform {
  source = "tfr:///terraform-aws-modules/vpc/aws?version=3.14.0"
}

include "root" {
  path = find_in_parent_folders()
}

locals {
  # Shared settings read from parent-folder Terragrunt configs
  common_vars   = read_terragrunt_config(find_in_parent_folders("prod.hcl"))
  regional_vars = read_terragrunt_config(find_in_parent_folders("regional.hcl"))

  region          = local.regional_vars.locals.aws_region
  env             = local.common_vars.locals.env
  project_name    = local.common_vars.locals.project
  private_subnets = local.common_vars.locals.private_subnets
  public_subnets  = local.common_vars.locals.public_subnets
  cidr            = local.common_vars.locals.cidr
}

inputs = {
  name = "${local.project_name}-${local.env}-vpc"
  cidr = local.cidr
  azs  = ["${local.region}a", "${local.region}b", "${local.region}c"]

  private_subnets = local.private_subnets
  public_subnets  = local.public_subnets

  # The setting this control is about: do not auto-assign a public IPv4 address to
  # instances launched in the public subnets (MapPublicIpOnLaunch = false on each subnet)
  map_public_ip_on_launch = false

  # Private subnets reach the internet through one shared NAT gateway instead of public IPs
  enable_nat_gateway     = true
  single_nat_gateway     = true
  one_nat_gateway_per_az = false

  tags = {
    Environment = local.env
  }
  public_route_table_tags = {
    Name = "${local.project_name}-${local.env}-public-route"
  }
  private_route_table_tags = {
    Name = "${local.project_name}-${local.env}-private-route"
  }
  nat_gateway_tags = {
    Name = "${local.project_name}-${local.env}-nat-gateway"
  }
  nat_eip_tags = {
    Name = "${local.project_name}-nat-gateway-eip"
  }

  # Enable DNS support and DNS hostnames
  enable_dns_support   = true
  enable_dns_hostnames = true

  # VPC flow logs delivered to S3. The module takes these as flat inputs, not a nested block;
  # replace the placeholder with the ARN of your flow-log bucket.
  enable_flow_log           = true
  flow_log_destination_type = "s3"
  flow_log_destination_arn  = "arn:aws:s3:::REPLACE-WITH-FLOW-LOG-BUCKET"
  # An IAM role (flow_log_cloudwatch_iam_role_arn) is only required for the
  # cloud-watch-logs destination type, so none is set for the S3 destination.
}
After pasting this code into the file, save it and open a terminal. Enter the first command, terragrunt init, to initialize. After initialization, enter the second command, terragrunt plan. When the plan executes successfully, enter the third command, terragrunt apply. Once the apply completes, the configuration is in place and the control should show as passed in your Security Hub findings.
You can also modify the public IPv4 addressing attribute for your subnet manually in the console.
To modify your subnet's public IPv4 addressing behavior:
Open the #Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Subnets.
Select your subnet and choose Actions, Edit subnet settings.
The Enable auto-assign public IPv4 address check box, if selected, requests a public #IPv4 address for all instances launched into the selected subnet. Select or clear the check box as required (clear it to satisfy this control), and then choose Save.
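Whichever route you take, the Terragrunt apply or the console, you will want to confirm the result the same way the control does: by reading each subnet's MapPublicIpOnLaunch attribute. The following audit script is an added example, not code from the original post or from the VPC module. It evaluates the DescribeSubnets response shape offline over a constructed sample (subnet IDs, VPC ID and tags are made up), and `audit_account()` is an assumed helper that wires the same check to boto3 when credentials are available.

```python
"""Audit VPC subnets for MapPublicIpOnLaunch, the flag the Security Hub control checks."""
from typing import Iterable

# Constructed sample in the shape of ec2.describe_subnets()["Subnets"]; not real AWS data.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0111", "CidrBlock": "10.0.1.0/24",
     "MapPublicIpOnLaunch": True, "Tags": [{"Key": "Name", "Value": "demo-prod-public-a"}]},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0111", "CidrBlock": "10.0.101.0/24",
     "MapPublicIpOnLaunch": False, "Tags": [{"Key": "Name", "Value": "demo-prod-private-a"}]},
    # Attribute absent from the response: report it rather than assume it is compliant
    {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0111", "CidrBlock": "10.0.2.0/24", "Tags": []},
]


def subnet_name(subnet: dict) -> str:
    """Return the Name tag value, or an empty string when the subnet has none."""
    return next((t["Value"] for t in subnet.get("Tags", []) if t.get("Key") == "Name"), "")


def evaluate_subnet(subnet: dict) -> str:
    """PASS when MapPublicIpOnLaunch is explicitly False (the control's pass condition),
    FAIL when it is True, UNKNOWN when the attribute is missing from the response."""
    flag = subnet.get("MapPublicIpOnLaunch")
    if flag is None:
        return "UNKNOWN"
    return "FAIL" if flag else "PASS"


def audit_subnets(subnets: Iterable[dict]) -> list[dict]:
    """Return one finding per subnet that does not PASS, in the order given."""
    findings = []
    for s in subnets:
        status = evaluate_subnet(s)
        if status != "PASS":
            findings.append({"SubnetId": s["SubnetId"], "VpcId": s.get("VpcId"),
                             "Name": subnet_name(s), "Status": status})
    return findings


def audit_account(region: str) -> list[dict]:
    """Live variant (assumed helper): page through DescribeSubnets with boto3."""
    import boto3  # imported here so the offline helpers need no AWS SDK installed
    ec2 = boto3.client("ec2", region_name=region)
    subnets = []
    for page in ec2.get_paginator("describe_subnets").paginate():
        subnets.extend(page["Subnets"])
    return audit_subnets(subnets)


if __name__ == "__main__":
    for f in audit_subnets(SAMPLE_SUBNETS):
        print(f"{f['Status']:7} {f['SubnetId']} {f['Name']}")
```

Run `audit_account("<your-region>")` from the same file (or a scheduled job) to get the live list of subnets that would still fail the control after your change.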
Conclusion :-
By utilizing #Terraform, you can customize your #EC2 subnets to prevent the automatic assignment of public IP addresses. This gives you more control over your network's security and outbound connectivity. Whether you want to isolate your instances from the public internet or enable alternative methods for internet access, #Terraform provides the flexibility to tailor your infrastructure to your specific requirements. With a few lines of code, you can configure your subnets to meet your organization's unique needs.