EC2 Instance Subnet Has Public IP Mapping On Launch

Query id: b3de4e4c-14be-4159-b99d-9ad194365e4c
Query name: EC2 Instance Subnet Has Public IP Mapping On Launch
Platform: CloudFormation
Severity: Medium
Category: Networking and Firewall
CWE: 668
URL: Github

Description¶

EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

< De Re

Positive test num. 2 - json file

/span>

AWSTemplateFormatVersion: "2010-09-09" scription: A sample template sources: mySubnet: Type: AWS::EC2::Subnet Properties: class="w">      MapPublicIpOnLaunch: true VpcId: myVPC CidrBlock: 10.0.0.0/24 AvailabilityZone: "us-east-1a" Tags: - Key: foo Value: bar /span>{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", "Resources": { "mySubnet": { "Type": "AWS::EC2::Subnet", "Properties": { class="w">        "MapPublicIpOnLaunch": true, "VpcId": "myVPC", "CidrBlock": "10.0.0.0/24", "AvailabilityZone": "us-east-1a", "Tags": [ { "Key": "foo", "Value": "bar" } ] } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileAWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
   mySubnet:
    Type: AWS::EC2::Subnet
    Properties:
      MapPublicIpOnLaunch: false
      VpcId: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
      Tags:
      - Key: foo
        Value: bar

Negative test num. 2 - json file{
  "Resources": {
    "mySubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ],
        "MapPublicIpOnLaunch": false,
        "VpcId": "myVPC",
        "CidrBlock": "10.0.0.0/24",
        "AvailabilityZone": "us-east-1a"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template"
}