
Allow setting `MapPublicIpOnLaunch` to false for public subnets

Open efekarakus opened this issue 3 years ago • 2 comments

Ask

For creating secure environments by default, clients might want to set the `MapPublicIpOnLaunch` field for public subnets to false.

Sample manifest

For example, a sample manifest might be:

```yaml
name: test
type: Environment
network:
  vpc:
    subnets:
      public:
        ip_on_launch: false # default remains true.
```

efekarakus • Jul 05 '22 23:07

AWS security manager review flags subnets with auto-assigned public IP. AWS Doc. It may be worth disabling public IPs on subnets by default.

gautam-nutalapati • Jun 06 '23 16:06

Our VPC is managed inside Terraform, along with the subnets. We have auto-assign IP disabled on all subnets.

However, AWS Copilot has set `AssignPublicIp: ENABLED` inside the ECS Service's NetworkConfiguration definition, meaning all our services, including private backend services, get a public IP address assigned.

With the upcoming change to IPv4 address pricing in February, I am not convinced this is a sensible configuration.

craigjbass • Dec 05 '23 09:12
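
An added example (not part of the thread and not Copilot's own code): a check for the two settings discussed in this issue, subnet `MapPublicIpOnLaunch` and ECS service `AssignPublicIp`, run over a CloudFormation template in JSON form. The template fragment, the resource names and the `audit_public_ip` helper are constructed for illustration; values set through intrinsic functions are reported as unresolved rather than guessed.

```python
import json

# Constructed CloudFormation fragment for illustration (not Copilot's real template).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "PublicSubnet1": {"Type": "AWS::EC2::Subnet",
    "Properties": {"MapPublicIpOnLaunch": true}},
  "PublicSubnet2": {"Type": "AWS::EC2::Subnet",
    "Properties": {"MapPublicIpOnLaunch": {"Fn::If": ["AutoAssign", true, false]}}},
  "PrivateSubnet1": {"Type": "AWS::EC2::Subnet",
    "Properties": {"MapPublicIpOnLaunch": false}},
  "BackendService": {"Type": "AWS::ECS::Service",
    "Properties": {"NetworkConfiguration": {"AwsvpcConfiguration": {
      "AssignPublicIp": "ENABLED", "Subnets": [{"Ref": "PrivateSubnet1"}]}}}}
}}
""")

def classify(value, on):
    """Return 'on', 'off' or 'unresolved' for a literal or intrinsic-function value."""
    if isinstance(value, dict):  # Ref / Fn::If etc. depend on deploy-time parameters
        return "unresolved"
    return "on" if str(value).lower() == on else "off"

def audit_public_ip(template):
    """List (logical_id, property, state) for settings that may hand out a public IP."""
    findings = []
    for name, res in sorted(template.get("Resources", {}).items()):
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::Subnet":
            # An absent property is treated as off in this check.
            prop = "MapPublicIpOnLaunch"
            state = classify(props.get(prop, False), "true")
        elif res.get("Type") == "AWS::ECS::Service":
            vpc = props.get("NetworkConfiguration", {}).get("AwsvpcConfiguration", {})
            prop = "AssignPublicIp"
            state = classify(vpc.get(prop, "DISABLED"), "enabled")
        else:
            continue
        if state != "off":
            findings.append((name, prop, state))
    return findings

if __name__ == "__main__":
    for finding in audit_public_ip(SAMPLE_TEMPLATE):
        print(*finding)
```

The service finding appears even though its only subnet has auto-assign off, which is the situation described in the last comment: the service-level setting applies independently of the subnet attribute.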