EC2 Instance Subnet Has Public IP Mapping On Launch
- Query id: b3de4e4c-14be-4159-b99d-9ad194365e4c
- Query name: EC2 Instance Subnet Has Public IP Mapping On Launch
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 668
- URL: Github
Description
An AWS::EC2::Subnet should not set MapPublicIpOnLaunch to true. With that setting every instance launched into the subnet is automatically assigned a public IPv4 address, so a workload that was never meant to be reachable from the internet becomes exposed as soon as the subnet's route table carries a route to an internet gateway (CWE-668, exposure of a resource to the wrong sphere). Leave the property at its default of false and give public addresses explicitly, and only to the resources that need them (an Elastic IP, a load balancer, or AssociatePublicIpAddress on a specific network interface). Note that the subnet flag is only a default: an instance or launch template can still request a public address through AssociatePublicIpAddress, so review those definitions as well.
Documentation
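The check this query performs, as an added example that is not part of KICS or this page (KICS queries are written in Rego; this is a stand-alone Python equivalent that runs over an already-parsed template). The sample template, the resource names and the remediate helper are constructed for the example. It treats a missing MapPublicIpOnLaunch as false, which is CloudFormation's default, and accepts the string form "true" that CloudFormation also honours.

```python
"""Added example (not KICS code): find AWS::EC2::Subnet resources whose
MapPublicIpOnLaunch is true in a parsed CloudFormation template, and
produce a corrected copy of the template."""
import copy
import json

# Constructed sample template (not from the original page): four subnets
# covering the boolean, string-boolean, explicit-false and unset cases.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {"CidrBlock": "10.0.0.0/16"}
    },
    "publicSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {"MapPublicIpOnLaunch": true,
                     "VpcId": {"Ref": "myVPC"}, "CidrBlock": "10.0.0.0/24"}
    },
    "stringTrueSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {"MapPublicIpOnLaunch": "true",
                     "VpcId": {"Ref": "myVPC"}, "CidrBlock": "10.0.1.0/24"}
    },
    "privateSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {"MapPublicIpOnLaunch": false,
                     "VpcId": {"Ref": "myVPC"}, "CidrBlock": "10.0.2.0/24"}
    },
    "defaultSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "myVPC"}, "CidrBlock": "10.0.3.0/24"}
    }
  }
}
""")


def _is_true(value):
    """CloudFormation accepts a JSON/YAML boolean or the string "true"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def find_public_ip_subnets(template):
    """Return the logical IDs of subnets that auto-assign public IPv4 addresses.

    A missing MapPublicIpOnLaunch counts as false (the CloudFormation
    default), so 'defaultSubnet' in the sample is not reported."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Subnet":
            continue
        props = resource.get("Properties") or {}
        if _is_true(props.get("MapPublicIpOnLaunch", False)):
            findings.append(logical_id)
    return findings


def remediate(template):
    """Return a deep copy in which every subnet has MapPublicIpOnLaunch: false.

    The input template is left untouched so a scanner can show the finding
    and the proposed fix side by side."""
    fixed = copy.deepcopy(template)
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") == "AWS::EC2::Subnet":
            resource.setdefault("Properties", {})["MapPublicIpOnLaunch"] = False
    return fixed


if __name__ == "__main__":
    for subnet in find_public_ip_subnets(SAMPLE_TEMPLATE):
        print(f"[Medium] subnet '{subnet}' sets MapPublicIpOnLaunch: true")
    print(json.dumps(remediate(SAMPLE_TEMPLATE)["Resources"]["publicSubnet"], indent=2))
```

Running the block reports publicSubnet and stringTrueSubnet; privateSubnet and defaultSubnet pass. Remediating the subnet only removes the automatic assignment; instances that set AssociatePublicIpAddress themselves still need a separate check.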
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  mySubnet:
    Type: AWS::EC2::Subnet
    Properties:
      MapPublicIpOnLaunch: true   # flagged: instances launched here get a public IPv4 address by default
      VpcId: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
      Tags:
        - Key: foo
          Value: bar
```
Positive test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "mySubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "MapPublicIpOnLaunch": true,
        "VpcId": "myVPC",
        "CidrBlock": "10.0.0.0/24",
        "AvailabilityZone": "us-east-1a",
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ]
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  mySubnet:
    Type: AWS::EC2::Subnet
    Properties:
      MapPublicIpOnLaunch: false   # explicit false; omitting the property has the same effect
      VpcId: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
      Tags:
        - Key: foo
          Value: bar
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "mySubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ],
        "MapPublicIpOnLaunch": false,
        "VpcId": "myVPC",
        "CidrBlock": "10.0.0.0/24",
        "AvailabilityZone": "us-east-1a"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template"
}
```