
(aws-ec2): Disabling auto-assign public IP to public subnets #16838

Open
2 tasks
5t111111 opened this issue Oct 7, 2021 · 3 comments
Labels
  • @aws-cdk/aws-ec2 (Related to Amazon Elastic Compute Cloud)
  • effort/small (Small work item – less than a day of effort)
  • feature-request (A feature should be added or improved.)
  • p2

Comments


5t111111 commented Oct 7, 2021

Description

I think it would be great if there were a way to disable auto-assign public IP for public subnets on VPC creation.


When you create a VPC with subnets, public subnets will always have auto-assigned IP addresses.

Example code:

    // subnet 'public' will have auto-assigned IP addresses
    new ec2.Vpc(this, 'vpc', {
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'public',
          subnetType: ec2.SubnetType.PUBLIC,
        },
      ],
    });

CDK implementation:

    mapPublicIpOnLaunch: (subnetConfig.subnetType === SubnetType.PUBLIC),

However, this behavior causes problems in some situations; for example, "AWS Foundational Security Best Practices" does not allow this.

[EC2.15] EC2 subnets should not automatically assign public IP addresses
This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have MapPublicIpOnLaunch set to FALSE. The control passes if the flag is set to FALSE.

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ec2-15

Use Case

If you don't want all public subnets to have auto-assigned IPs, you can disable subnet-level public IP auto-assignment, and your architecture will meet the "AWS Foundational Security Best Practices" standards.

Proposed Solution

You can pass the flag for enabling or disabling auto-assign public IP to public subnets, like the following:

    // subnet 'public1' will have auto-assigned IP addresses, but 'public2' will not.
    new ec2.Vpc(this, 'vpc', {
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'public1',
          subnetType: ec2.SubnetType.PUBLIC,
          mapPublicIpOnLaunch: true, // optional parameter (default: true) for backward compatibility
        },
        {
          cidrMask: 24,
          name: 'public2',
          subnetType: ec2.SubnetType.PUBLIC,
          mapPublicIpOnLaunch: false,  // optional parameter (default: true) for backward compatibility
        },
      ],
    });

Other information

I look forward to having any workaround for disabling auto-assign public IP to public subnets in the current version of CDK.

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@5t111111 5t111111 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 7, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Oct 7, 2021
@njlynch njlynch added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 15, 2021
@njlynch njlynch removed their assignment Oct 15, 2021

njlynch commented Oct 15, 2021

Thanks for the feature request. I agree with the proposed solution. Contributions welcome!

I look forward to having any workaround for disabling auto-assign public IP to public subnets in the current version of CDK.

You can use escape hatches to alter the setting in the interim.

mergify bot pushed a commit that referenced this issue Nov 29, 2021
…ets (#17346)

**Issue (Fixes #14194, #16838
When creating a VPC you can define a SubnetConfiguration but it is not possible to define `mapPublicIpOnLaunch` for public subnets.

VPC Example:
```typescript
const vpc = new ec2.Vpc(this, 'vpc-id', {
    maxAzs: 2,
    subnetConfiguration: [
        {
            name: 'private-subnet-1',
            subnetType: ec2.SubnetType.PRIVATE,
            cidrMask: 24,
        },
        {
            name: 'public-subnet-1',
            subnetType: ec2.SubnetType.PUBLIC,
            cidrMask: 24,
        },
    ]
});
```

Proposal:
```typescript
const vpc = new ec2.Vpc(this, 'vpc-id', {
    maxAzs: 2,
    subnetConfiguration: [
        {
            name: 'private-subnet-1',
            subnetType: ec2.SubnetType.PRIVATE,
            cidrMask: 24,
        },
        {
            name: 'public-subnet-1',
            subnetType: ec2.SubnetType.PUBLIC,
            cidrMask: 24,
            mapPublicIpOnLaunch: false, // or true
        },
    ]
});
```
pedrosola pushed a commit to pedrosola/aws-cdk that referenced this issue Dec 1, 2021
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@SamStephens
Contributor

I'm shocked this hasn't been prioritized, having the CDK violate AWS Foundational Security Best Practices by default and not providing settings to remedy this is not the kind of security first prioritisation I expect from AWS. Apart from anything else, what are the teams within AWS who use the CDK doing?

Also, asking us to use the escape hatches without an example is a bit of an ask; reaching into the VPC to find the CFN objects for the public subnets and update them is not trivial.

For reference for those who need it, this is how I did things in Python:

        # aws_ec2 is aws_cdk.aws_ec2; this runs inside a Stack's __init__, hence scope=self
        vpc = aws_ec2.Vpc(
            scope=self,
            id="Vpc",
            cidr="10.64.0.0/16",
            max_azs=3,
            nat_gateways=1,
            subnet_configuration=[
                aws_ec2.SubnetConfiguration(
                    cidr_mask=24,
                    name="Public",
                    subnet_type=aws_ec2.SubnetType.PUBLIC,
                ),
                aws_ec2.SubnetConfiguration(
                    cidr_mask=24,
                    name="Private",
                    subnet_type=aws_ec2.SubnetType.PRIVATE_WITH_NAT,
                ),
            ],
        )

        # Escape hatch: locate the L2 PublicSubnet constructs that Vpc created,
        # take each one's underlying L1 CfnSubnet (node.default_child), and
        # override the CloudFormation property the L2 API does not expose.
        public_subnets = [
            child for child in vpc.node.children if isinstance(child, aws_ec2.PublicSubnet)
        ]
        cfn_public_subnets = [subnet.node.default_child for subnet in public_subnets]
        for cfn_subnet in cfn_public_subnets:
            cfn_subnet.add_property_override("MapPublicIpOnLaunch", False)
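Whichever route is used (the escape hatch above or the proposed `mapPublicIpOnLaunch` flag), the result worth checking is the synthesized CloudFormation. The following is an added check, not code from this thread or from the CDK project: it reads `cdk synth` JSON output and lists the `AWS::EC2::Subnet` resources that Security Hub control EC2.15 would flag. The template is constructed inline and its logical IDs are assumed, not taken from a real synth.

```python
import json
from typing import List

# Constructed sample: a trimmed `cdk synth` style template with three subnets.
# Only VpcPublic1Subnet should be flagged by Security Hub control EC2.15.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "VpcPublic1Subnet": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {"CidrBlock": "10.64.0.0/24", "MapPublicIpOnLaunch": True},
        },
        "VpcPublic2Subnet": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {"CidrBlock": "10.64.1.0/24", "MapPublicIpOnLaunch": False},
        },
        "VpcPrivateSubnet": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {"CidrBlock": "10.64.2.0/24"},
        },
    }
})


def _enables_auto_assign(value) -> bool:
    # CloudFormation accepts booleans and the strings "true"/"false".
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    # Intrinsic functions ({"Ref": ...}) cannot be resolved offline;
    # report them as failing so a reviewer looks at them.
    return value is not None


def find_auto_assign_subnets(template_json: str) -> List[str]:
    """Logical IDs of AWS::EC2::Subnet resources that fail EC2.15.
    An absent property is the CloudFormation default (false) and passes."""
    template = json.loads(template_json)
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Subnet":
            continue
        props = resource.get("Properties") or {}
        if _enables_auto_assign(props.get("MapPublicIpOnLaunch")):
            failing.append(logical_id)
    return sorted(failing)


if __name__ == "__main__":
    print(find_auto_assign_subnets(SAMPLE_TEMPLATE))  # ['VpcPublic1Subnet']
```

Feed it `cdk.out/<stack>.template.json` and a non-empty result means the override did not reach every public subnet.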

@MrArnoldPalmer MrArnoldPalmer added p2 and removed p1 labels Jan 27, 2023
@MrArnoldPalmer
Contributor

Definitely should be considered as part of #5927
