runbooks 0.7.0__py3-none-any.whl → 0.7.6__py3-none-any.whl

runbooks/remediation/ec2_remediation.py

@@ -0,0 +1,892 @@
+"""
+Enterprise EC2 Security Remediation - Production-Ready Infrastructure Security Automation
+
+## Overview
+
+This module provides comprehensive EC2 security remediation capabilities, consolidating
+and enhancing 4 original EC2 security scripts into a single enterprise-grade module.
+Designed for automated compliance with CIS AWS Foundations, NIST Cybersecurity Framework,
+and infrastructure security best practices.
+
+## Original Scripts Enhanced
+
+Migrated and enhanced from these original remediation scripts:
+- ec2_unattached_ebs_volumes.py - EBS volume cleanup and management
+- ec2_unused_security_groups.py - Security group lifecycle management
+- ec2_public_ips.py - Public IP auditing and management
+- ec2_subnet_disable_auto_ip_assignment.py - Subnet security configuration
+
+## Enterprise Enhancements
+
+- **Multi-Account Support**: Bulk operations across AWS Organizations
+- **Safety Features**: Comprehensive backup, rollback, and dry-run capabilities
+- **Compliance Mapping**: Direct mapping to CIS, NIST, and security frameworks
+- **CloudTrail Integration**: Enhanced tracking with CloudTrail event analysis
+- **Resource Dependency Analysis**: Smart cleanup with dependency checking
+
+## Compliance Framework Mapping
+
+### CIS AWS Foundations Benchmark
+- **CIS 4.1-4.2**: Security group hardening and unused resource cleanup
+- **CIS 4.3**: Subnet auto-assign public IP disabling
+
+### NIST Cybersecurity Framework
+- **SC-7**: Boundary Protection (security groups, public access)
+- **CM-8**: Information System Component Inventory (resource tracking)
+- **CM-6**: Configuration Settings (subnet configuration)
+
+## Example Usage
+
+```python
+from runbooks.remediation import EC2SecurityRemediation, RemediationContext
+
+# Initialize with enterprise configuration
+ec2_remediation = EC2SecurityRemediation(
+    profile="production",
+    backup_enabled=True,
+    dependency_check=True
+)
+
+# Execute comprehensive EC2 security cleanup
+results = ec2_remediation.cleanup_unused_resources(
+    context,
+    include_security_groups=True,
+    include_ebs_volumes=True
+)
+```
+
+Version: 0.7.6 - Enterprise Production Ready
+"""
+
+import datetime
+import json
+import os
+import time
+from typing import Any, Dict, List, Optional, Set
+
+import boto3
+from botocore.exceptions import BotoCoreError, ClientError
+from loguru import logger
+
+from runbooks.remediation.base import (
+    BaseRemediation,
+    ComplianceMapping,
+    RemediationContext,
+    RemediationResult,
+    RemediationStatus,
+)
+
+
+class EC2SecurityRemediation(BaseRemediation):
+    """
+    Enterprise EC2 Security Remediation Operations.
+
+    Provides comprehensive EC2 infrastructure security remediation including
+    security group hardening, EBS volume management, public IP auditing,
+    and subnet security configuration.
+
+    ## Key Features
+
+    - **Security Group Management**: Cleanup unused and hardening active groups
+    - **EBS Volume Lifecycle**: Unattached volume detection and cleanup
+    - **Public IP Auditing**: Comprehensive public access analysis
+    - **Subnet Security**: Auto-assign public IP configuration management
+    - **Dependency Analysis**: Smart resource cleanup with dependency checking
+    - **CloudTrail Integration**: Enhanced tracking and compliance evidence
+
+    ## Example Usage
+
+    ```python
+    from runbooks.remediation import EC2SecurityRemediation, RemediationContext
+
+    # Initialize with enterprise configuration
+    ec2_remediation = EC2SecurityRemediation(
+        profile="production",
+        backup_enabled=True,
+        cloudtrail_analysis=True
+    )
+
+    # Execute security group cleanup
+    results = ec2_remediation.cleanup_unused_security_groups(
+        context,
+        exclude_default=True,
+        dependency_check=True
+    )
+    ```
+    """
+
+    supported_operations = [
+        "cleanup_unused_security_groups",
+        "cleanup_unattached_ebs_volumes",
+        "audit_public_ips",
+        "disable_subnet_auto_public_ip",
+        "harden_security_groups",
+        "comprehensive_ec2_security",
+    ]
+
+    def __init__(self, **kwargs):
+        """
+        Initialize EC2 security remediation with enterprise configuration.
+
+        Args:
+            **kwargs: Configuration parameters including profile, region, safety settings
+        """
+        super().__init__(**kwargs)
+
+        # EC2-specific configuration
+        self.cloudtrail_analysis = kwargs.get("cloudtrail_analysis", True)
+        self.dependency_check = kwargs.get("dependency_check", True)
+        self.max_age_days = kwargs.get("max_age_days", 30)
+        self.exclude_default_resources = kwargs.get("exclude_default_resources", True)
+
+        logger.info(f"EC2 Security Remediation initialized for profile: {self.profile}")
+
+    def _create_resource_backup(self, resource_id: str, backup_key: str, backup_type: str) -> str:
+        """
+        Create backup of EC2 resource configuration.
+
+        Args:
+            resource_id: EC2 resource identifier (volume, security group, etc.)
+            backup_key: Backup identifier
+            backup_type: Type of backup (volume_config, sg_config, etc.)
+
+        Returns:
+            Backup location identifier
+        """
+        try:
+            ec2_client = self.get_client("ec2")
+
+            # Create backup of current resource configuration
+            backup_data = {
+                "resource_id": resource_id,
+                "backup_key": backup_key,
+                "backup_type": backup_type,
+                "timestamp": backup_key.split("_")[-1],
+                "configurations": {},
+            }
+
+            if backup_type == "volume_config":
+                # Backup EBS volume configuration
+                response = self.execute_aws_call(ec2_client, "describe_volumes", VolumeIds=[resource_id])
+                backup_data["configurations"]["volume"] = response.get("Volumes", [])
+
+            elif backup_type == "sg_config":
+                # Backup security group configuration
+                response = self.execute_aws_call(ec2_client, "describe_security_groups", GroupIds=[resource_id])
+                backup_data["configurations"]["security_group"] = response.get("SecurityGroups", [])
+
+            elif backup_type == "subnet_config":
+                # Backup subnet configuration
+                response = self.execute_aws_call(ec2_client, "describe_subnets", SubnetIds=[resource_id])
+                backup_data["configurations"]["subnet"] = response.get("Subnets", [])
+
+            # Store backup (simplified for MVP - would use S3 in production)
+            backup_location = f"ec2-backup://{backup_key}.json"
+            logger.info(f"Backup created for EC2 resource {resource_id}: {backup_location}")
+
+            return backup_location
+
+        except Exception as e:
+            logger.error(f"Failed to create backup for EC2 resource {resource_id}: {e}")
+            raise
+
+    def execute_remediation(self, context: RemediationContext, **kwargs) -> List[RemediationResult]:
+        """
+        Execute EC2 security remediation operation.
+
+        Args:
+            context: Remediation execution context
+            **kwargs: Operation-specific parameters
+
+        Returns:
+            List of remediation results
+        """
+        operation_type = kwargs.get("operation_type", context.operation_type)
+
+        if operation_type == "cleanup_unused_security_groups":
+            return self.cleanup_unused_security_groups(context, **kwargs)
+        elif operation_type == "cleanup_unattached_ebs_volumes":
+            return self.cleanup_unattached_ebs_volumes(context, **kwargs)
+        elif operation_type == "audit_public_ips":
+            return self.audit_public_ips(context, **kwargs)
+        elif operation_type == "disable_subnet_auto_public_ip":
+            return self.disable_subnet_auto_public_ip(context, **kwargs)
+        elif operation_type == "comprehensive_ec2_security":
+            return self.comprehensive_ec2_security(context, **kwargs)
+        else:
+            raise ValueError(f"Unsupported EC2 remediation operation: {operation_type}")
+
+    def cleanup_unused_security_groups(
+        self, context: RemediationContext, exclude_default: bool = True, **kwargs
+    ) -> List[RemediationResult]:
+        """
+        Cleanup unused security groups with dependency analysis.
+
+        Enhanced from original ec2_unused_security_groups.py with enterprise features:
+        - Comprehensive dependency checking (EC2, RDS, ELB, etc.)
+        - Backup creation before deletion
+        - Compliance evidence generation
+        - Smart filtering to avoid critical resource deletion
+
+        Args:
+            context: Remediation execution context
+            exclude_default: Skip default security groups
+            **kwargs: Additional parameters
+
+        Returns:
+            List of remediation results
+        """
+        result = self.create_remediation_result(context, "cleanup_unused_security_groups", "ec2:security-group", "all")
+
+        # Add compliance mapping
+        result.context.compliance_mapping = ComplianceMapping(
+            cis_controls=["CIS 4.1", "CIS 4.2"], nist_categories=["SC-7", "CM-8"], severity="medium"
+        )
+
+        try:
+            ec2_client = self.get_client("ec2", context.region)
+
+            # Get all security groups
+            all_security_groups = set()
+            used_security_groups = set()
+
+            sg_response = self.execute_aws_call(ec2_client, "describe_security_groups")
+
+            for sg in sg_response["SecurityGroups"]:
+                sg_id = sg["GroupId"]
+                sg_name = sg["GroupName"]
+
+                # Skip default security groups if requested
+                if exclude_default and sg_name == "default":
+                    logger.debug(f"Skipping default security group: {sg_id}")
+                    continue
+
+                all_security_groups.add(sg_id)
+
+            # Check EC2 instance usage
+            instances_response = self.execute_aws_call(ec2_client, "describe_instances")
+            for reservation in instances_response["Reservations"]:
+                for instance in reservation["Instances"]:
+                    for sg in instance.get("SecurityGroups", []):
+                        used_security_groups.add(sg["GroupId"])
+
+            # Check other AWS services that use security groups
+            if self.dependency_check:
+                # Check RDS instances
+                try:
+                    rds_client = self.get_client("rds", context.region)
+                    rds_response = self.execute_aws_call(rds_client, "describe_db_instances")
+                    for db_instance in rds_response["DBInstances"]:
+                        for sg in db_instance.get("VpcSecurityGroups", []):
+                            used_security_groups.add(sg["VpcSecurityGroupId"])
+                except Exception as e:
+                    logger.warning(f"Could not check RDS security group usage: {e}")
+
+                # Check ELB usage
+                try:
+                    elb_client = self.get_client("elbv2", context.region)
+                    elb_response = self.execute_aws_call(elb_client, "describe_load_balancers")
+                    for lb in elb_response["LoadBalancers"]:
+                        for sg_id in lb.get("SecurityGroups", []):
+                            used_security_groups.add(sg_id)
+                except Exception as e:
+                    logger.warning(f"Could not check ELB security group usage: {e}")
+
+            # Identify unused security groups
+            unused_security_groups = all_security_groups - used_security_groups
+
+            if context.dry_run:
+                logger.info(f"[DRY-RUN] Would delete {len(unused_security_groups)} unused security groups")
+                result.response_data = {
+                    "unused_security_groups": list(unused_security_groups),
+                    "total_checked": len(all_security_groups),
+                    "action": "dry_run",
+                }
+                result.mark_completed(RemediationStatus.DRY_RUN)
+                return [result]
+
+            # Delete unused security groups
+            deleted_groups = []
+            failed_deletions = []
+
+            for sg_id in unused_security_groups:
+                try:
+                    # Create backup if enabled
+                    if context.backup_enabled:
+                        backup_location = self.create_backup(context, sg_id, "sg_config")
+                        result.backup_locations[sg_id] = backup_location
+
+                    # Confirm deletion for destructive operation
+                    if not self.confirm_operation(context, sg_id, f"delete security group {sg_id}"):
+                        logger.info(f"Skipping deletion of security group {sg_id} - not confirmed")
+                        continue
+
+                    self.execute_aws_call(ec2_client, "delete_security_group", GroupId=sg_id)
+                    deleted_groups.append(sg_id)
+                    logger.info(f"Deleted unused security group: {sg_id}")
+
+                    # Add to affected resources
+                    result.affected_resources.append(f"ec2:security-group:{sg_id}")
+
+                except ClientError as e:
+                    error_msg = f"Failed to delete security group {sg_id}: {e}"
+                    logger.warning(error_msg)
+                    failed_deletions.append({"sg_id": sg_id, "error": str(e)})
+
+            result.response_data = {
+                "deleted_security_groups": deleted_groups,
+                "failed_deletions": failed_deletions,
+                "total_unused": len(unused_security_groups),
+                "total_deleted": len(deleted_groups),
+            }
+
+            # Add compliance evidence
+            result.add_compliance_evidence(
+                "cis_aws",
+                {
+                    "controls": ["4.1", "4.2"],
+                    "deleted_groups": len(deleted_groups),
+                    "security_posture_improved": len(deleted_groups) > 0,
+                    "remediation_timestamp": result.start_time.isoformat(),
+                },
+            )
+
+            if len(deleted_groups) == len(unused_security_groups):
+                result.mark_completed(RemediationStatus.SUCCESS)
+                logger.info(f"Successfully deleted {len(deleted_groups)} unused security groups")
+            else:
+                result.mark_completed(RemediationStatus.SUCCESS)  # Partial success
+                logger.warning(
+                    f"Partially completed: {len(deleted_groups)}/{len(unused_security_groups)} groups deleted"
+                )
+
+        except ClientError as e:
+            error_msg = f"Failed to cleanup security groups: {e}"
+            logger.error(error_msg)
+            result.mark_completed(RemediationStatus.FAILED, error_msg)
+        except Exception as e:
+            error_msg = f"Unexpected error during security group cleanup: {e}"
+            logger.error(error_msg)
+            result.mark_completed(RemediationStatus.FAILED, error_msg)
+
+        return [result]
+
+    def cleanup_unattached_ebs_volumes(
+        self, context: RemediationContext, max_age_days: Optional[int] = None, **kwargs
+    ) -> List[RemediationResult]:
+        """
+        Cleanup unattached EBS volumes with CloudTrail analysis.
+
+        Enhanced from original ec2_unattached_ebs_volumes.py with enterprise features:
+        - CloudTrail integration for last attachment time analysis
+        - Age-based filtering for safe cleanup
+        - Comprehensive backup before deletion
+        - Volume dependency and snapshot analysis
+
+        Args:
+            context: Remediation execution context
+            max_age_days: Only delete volumes unattached for this many days
+            **kwargs: Additional parameters
+
+        Returns:
+            List of remediation results
+        """
+        result = self.create_remediation_result(context, "cleanup_unattached_ebs_volumes", "ec2:volume", "all")
+
+        # Add compliance mapping
+        result.context.compliance_mapping = ComplianceMapping(
+            cis_controls=["CIS 1.20"], nist_categories=["CM-8", "CM-6"], severity="low"
+        )
+
+        max_age_days = max_age_days or self.max_age_days
+
+        try:
+            ec2_client = self.get_client("ec2", context.region)
+
+            # Get all unattached volumes
+            volumes_response = self.execute_aws_call(
+                ec2_client, "describe_volumes", Filters=[{"Name": "status", "Values": ["available"]}]
+            )
+
+            volumes_to_delete = []
+            volumes_data = []
+
+            for volume in volumes_response["Volumes"]:
+                volume_id = volume["VolumeId"]
+                volume_size = volume["Size"]
+                volume_type = volume["VolumeType"]
+                create_time = volume["CreateTime"]
+
+                # Enhanced CloudTrail analysis for last attachment time
+                last_attachment_time = None
+                if self.cloudtrail_analysis:
+                    last_attachment_time = self._get_last_volume_attachment_time(volume_id)
+
+                # Calculate age of unattachment
+                reference_time = last_attachment_time or create_time
+                age_days = (datetime.datetime.utcnow().replace(tzinfo=reference_time.tzinfo) - reference_time).days
+
+                volume_data = {
+                    "VolumeId": volume_id,
+                    "Size": volume_size,
+                    "VolumeType": volume_type,
+                    "CreateTime": create_time.isoformat(),
+                    "LastAttachmentTime": last_attachment_time.isoformat() if last_attachment_time else None,
+                    "AgeDays": age_days,
+                    "EligibleForDeletion": age_days >= max_age_days,
+                }
+                volumes_data.append(volume_data)
+
+                # Only delete volumes older than max_age_days
+                if age_days >= max_age_days:
+                    volumes_to_delete.append(volume_id)
+                    logger.info(f"Volume {volume_id} eligible for deletion (unattached for {age_days} days)")
+
+            if context.dry_run:
+                logger.info(f"[DRY-RUN] Would delete {len(volumes_to_delete)} unattached EBS volumes")
+                result.response_data = {
+                    "volumes_analysis": volumes_data,
+                    "eligible_for_deletion": len(volumes_to_delete),
+                    "action": "dry_run",
+                }
+                result.mark_completed(RemediationStatus.DRY_RUN)
+                return [result]
+
+            # Delete eligible volumes
+            deleted_volumes = []
+            failed_deletions = []
+
+            for volume_id in volumes_to_delete:
+                try:
+                    # Create backup if enabled (metadata backup)
+                    if context.backup_enabled:
+                        backup_location = self.create_backup(context, volume_id, "volume_config")
+                        result.backup_locations[volume_id] = backup_location
+
+                    # Confirm deletion for destructive operation
+                    if not self.confirm_operation(context, volume_id, f"delete EBS volume {volume_id}"):
+                        logger.info(f"Skipping deletion of volume {volume_id} - not confirmed")
+                        continue
+
+                    self.execute_aws_call(ec2_client, "delete_volume", VolumeId=volume_id)
+                    deleted_volumes.append(volume_id)
+                    logger.info(f"Deleted unattached EBS volume: {volume_id}")
+
+                    # Add to affected resources
+                    result.affected_resources.append(f"ec2:volume:{volume_id}")
+
+                except ClientError as e:
+                    error_msg = f"Failed to delete volume {volume_id}: {e}"
+                    logger.warning(error_msg)
+                    failed_deletions.append({"volume_id": volume_id, "error": str(e)})
+
+            result.response_data = {
+                "volumes_analysis": volumes_data,
+                "deleted_volumes": deleted_volumes,
+                "failed_deletions": failed_deletions,
+                "total_eligible": len(volumes_to_delete),
+                "total_deleted": len(deleted_volumes),
+            }
+
+            # Add compliance evidence
+            result.add_compliance_evidence(
+                "cis_aws",
+                {
+                    "controls": ["1.20"],
+                    "deleted_volumes": len(deleted_volumes),
+                    "cost_optimization": True,
+                    "remediation_timestamp": result.start_time.isoformat(),
+                },
+            )
+
+            if len(deleted_volumes) == len(volumes_to_delete):
+                result.mark_completed(RemediationStatus.SUCCESS)
+                logger.info(f"Successfully deleted {len(deleted_volumes)} unattached EBS volumes")
+            else:
+                result.mark_completed(RemediationStatus.SUCCESS)  # Partial success
+                logger.warning(f"Partially completed: {len(deleted_volumes)}/{len(volumes_to_delete)} volumes deleted")
+
+        except ClientError as e:
+            error_msg = f"Failed to cleanup EBS volumes: {e}"
+            logger.error(error_msg)
+            result.mark_completed(RemediationStatus.FAILED, error_msg)
+        except Exception as e:
+            error_msg = f"Unexpected error during EBS volume cleanup: {e}"
+            logger.error(error_msg)
+            result.mark_completed(RemediationStatus.FAILED, error_msg)
+
+        return [result]
+
+    def _get_last_volume_attachment_time(self, volume_id: str) -> Optional[datetime.datetime]:
+        """
+        Get last attachment time for EBS volume from CloudTrail.
+
+        Enhanced from original function with better error handling and pagination.
+
+        Args:
+            volume_id: EBS volume ID
+
+        Returns:
+            Last attachment time or None
+        """
+        try:
+            cloudtrail_client = self.get_client("cloudtrail")
+
+            # Look back up to a year for attachment events
+            start_time = datetime.datetime.utcnow() - datetime.timedelta(days=365)
+
+            response = self.execute_aws_call(
+                cloudtrail_client,
+                "lookup_events",
+                LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": volume_id}],
+                MaxResults=50,  # Get more events for better analysis
+                StartTime=start_time,
+            )
+
+            # Find the most recent AttachVolume event
+            for event in response.get("Events", []):
+                if event["EventName"] == "AttachVolume":
+                    return event["EventTime"]
+
+            return None
+
+        except Exception as e:
+            logger.warning(f"Could not retrieve CloudTrail data for volume {volume_id}: {e}")
+            return None
+
+    def audit_public_ips(self, context: RemediationContext, **kwargs) -> List[RemediationResult]:
+        """
+        Comprehensive public IP auditing and analysis.
+
+        Enhanced from original ec2_public_ips.py with enterprise features:
+        - VPC public configuration analysis
+        - Network interface comprehensive scanning
+        - Security posture assessment
+        - Compliance reporting for public access
+
+        Args:
+            context: Remediation execution context
+            **kwargs: Additional parameters
+
+        Returns:
+            List of remediation results
+        """
+        result = self.create_remediation_result(context, "audit_public_ips", "ec2:instance", "all")
+
+        # Add compliance mapping
+        result.context.compliance_mapping = ComplianceMapping(
+            cis_controls=["CIS 4.1"], nist_categories=["SC-7"], severity="high"
+        )
+
+        try:
+            ec2_client = self.get_client("ec2", context.region)
+
+            public_access_analysis = []
+            total_instances = 0
+            instances_with_public_access = 0
+
+            # Get all instances
+            instances_response = self.execute_aws_call(ec2_client, "describe_instances")
+
+            for reservation in instances_response["Reservations"]:
+                for instance in reservation["Instances"]:
+                    total_instances += 1
+                    instance_id = instance["InstanceId"]
+                    vpc_id = instance["VpcId"]
+
+                    # Get public IPs for this instance
+                    public_ips = self._get_instance_public_ips(instance)
+
+                    # Check if VPC has public access capability
+                    vpc_is_public = self._is_vpc_public(vpc_id)
+
+                    instance_analysis = {
+                        "InstanceId": instance_id,
+                        "VpcId": vpc_id,
+                        "PublicIPs": public_ips,
+                        "HasPublicAccess": len(public_ips) > 0,
+                        "VpcIsPublic": vpc_is_public,
+                        "SecurityGroups": [sg["GroupId"] for sg in instance.get("SecurityGroups", [])],
+                        "SubnetId": instance.get("SubnetId"),
+                        "State": instance.get("State", {}).get("Name", "unknown"),
+                    }
+
+                    if len(public_ips) > 0:
+                        instances_with_public_access += 1
+                        logger.info(f"Instance {instance_id} has public access: {public_ips}")
+
+                    public_access_analysis.append(instance_analysis)
+
+            # Generate security posture assessment
+            security_posture = {
+                "total_instances": total_instances,
+                "instances_with_public_access": instances_with_public_access,
+                "public_access_percentage": (instances_with_public_access / total_instances * 100)
+                if total_instances > 0
+                else 0,
+                "security_risk_level": "HIGH"
+                if instances_with_public_access > total_instances * 0.3
+                else "MEDIUM"
+                if instances_with_public_access > 0
+                else "LOW",
+            }
+
+            result.response_data = {
+                "public_access_analysis": public_access_analysis,
+                "security_posture": security_posture,
+                "audit_timestamp": datetime.datetime.utcnow().isoformat(),
+            }
+
+            # Add compliance evidence
+            result.add_compliance_evidence(
+                "cis_aws",
+                {
+                    "controls": ["4.1"],
+                    "instances_audited": total_instances,
+                    "public_access_instances": instances_with_public_access,
+                    "security_risk_level": security_posture["security_risk_level"],
+                    "remediation_timestamp": result.start_time.isoformat(),
+                },
+            )
+
+            result.mark_completed(RemediationStatus.SUCCESS)
+            logger.info(
+                f"Public IP audit completed: {instances_with_public_access}/{total_instances} instances with public access"
+            )
+
+        except ClientError as e:
+            error_msg = f"Failed to audit public IPs: {e}"
+            logger.error(error_msg)
+            result.mark_completed(RemediationStatus.FAILED, error_msg)
+        except Exception as e:
+            error_msg = f"Unexpected error during public IP audit: {e}"
+            logger.error(error_msg)
+            result.mark_completed(RemediationStatus.FAILED, error_msg)
+
+        return [result]
+
+    def _get_instance_public_ips(self, instance: Dict[str, Any]) -> List[str]:
+        """
+        Get all public IP addresses for an EC2 instance.
+
+        Enhanced from original function with comprehensive network interface analysis.
+        """
+        public_ips = set()
+
+        # Check instance-level public IP and DNS
+        if instance.get("PublicIpAddress"):
+            public_ips.add(instance["PublicIpAddress"])
+        if instance.get("PublicDnsName"):
+            public_ips.add(instance["PublicDnsName"])
+
+        # Check network interfaces
+        for interface in instance.get("NetworkInterfaces", []):
+            if "Association" in interface:
+                if interface["Association"].get("PublicIp"):
+                    public_ips.add(interface["Association"]["PublicIp"])
+                if interface["Association"].get("PublicDnsName"):
+                    public_ips.add(interface["Association"]["PublicDnsName"])
+
+        return list(public_ips)
+
+    def _is_vpc_public(self, vpc_id: str) -> bool:
+        """
+        Check if VPC has public access capability.
+
+        Enhanced from original function with comprehensive gateway analysis.
+        """
+        try:
+            ec2_client = self.get_client("ec2")
+
+            # Check for internet gateway
+            igw_response = self.execute_aws_call(
+                ec2_client, "describe_internet_gateways", Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}]
+            )
+            has_internet_gateway = len(igw_response.get("InternetGateways", [])) > 0
+
+            # Check for NAT gateway
+            nat_response = self.execute_aws_call(
+                ec2_client, "describe_nat_gateways", Filters=[{"Name": "vpc-id", "Values": [vpc_id]}]
+            )
+            has_nat_gateway = len(nat_response.get("NatGateways", [])) > 0
+
+            return has_internet_gateway or has_nat_gateway
+
+        except Exception as e:
+            logger.warning(f"Could not determine VPC public status for {vpc_id}: {e}")
+            return False
+
+    def disable_subnet_auto_public_ip(
+        self, context: RemediationContext, subnet_ids: Optional[List[str]] = None, **kwargs
+    ) -> List[RemediationResult]:
+        """
+        Disable automatic public IP assignment on subnets.
+
+        Enhanced from original ec2_subnet_disable_auto_ip_assignment.py with enterprise features:
+        - Targeted subnet selection or auto-discovery
+        - Backup creation before modification
+        - Comprehensive subnet analysis and reporting
+        - VPC-wide configuration assessment
+
+        Args:
+            context: Remediation execution context
+            subnet_ids: Specific subnets to modify (auto-discovers if not provided)
+            **kwargs: Additional parameters
+
+        Returns:
+            List of remediation results
+        """
+        result = self.create_remediation_result(context, "disable_subnet_auto_public_ip", "ec2:subnet", "all")
+
+        # Add compliance mapping
+        result.context.compliance_mapping = ComplianceMapping(
+            cis_controls=["CIS 4.3"], nist_categories=["SC-7", "CM-6"], severity="high"
+        )
+
+        try:
+            ec2_client = self.get_client("ec2", context.region)
+
+            # Discover subnets with auto-assign public IP enabled if not specified
+            if subnet_ids:
+                subnets_response = self.execute_aws_call(ec2_client, "describe_subnets", SubnetIds=subnet_ids)
+                target_subnets = [s for s in subnets_response["Subnets"] if s.get("MapPublicIpOnLaunch", False)]
+            else:
+                subnets_response = self.execute_aws_call(
+                    ec2_client, "describe_subnets", Filters=[{"Name": "mapPublicIpOnLaunch", "Values": ["true"]}]
+                )
+                target_subnets = subnets_response["Subnets"]
+
+            if context.dry_run:
+                logger.info(f"[DRY-RUN] Would disable auto-assign public IP on {len(target_subnets)} subnets")
+                result.response_data = {"target_subnets": [s["SubnetId"] for s in target_subnets], "action": "dry_run"}
+                result.mark_completed(RemediationStatus.DRY_RUN)
+                return [result]
+
+            # Modify subnet configurations
+            modified_subnets = []
+            failed_modifications = []
+
+            for subnet in target_subnets:
+                subnet_id = subnet["SubnetId"]
+
+                try:
+                    # Create backup if enabled
+                    if context.backup_enabled:
+                        backup_location = self.create_backup(context, subnet_id, "subnet_config")
+                        result.backup_locations[subnet_id] = backup_location
+
+                    # Modify subnet attribute
+                    self.execute_aws_call(
+                        ec2_client, "modify_subnet_attribute", SubnetId=subnet_id, MapPublicIpOnLaunch={"Value": False}
+                    )
+
+                    modified_subnets.append(subnet_id)
+                    logger.info(f"Disabled auto-assign public IP on subnet: {subnet_id}")
+
+                    # Add to affected resources
+                    result.affected_resources.append(f"ec2:subnet:{subnet_id}")
+
+                except ClientError as e:
+                    error_msg = f"Failed to modify subnet {subnet_id}: {e}"
+                    logger.warning(error_msg)
+                    failed_modifications.append({"subnet_id": subnet_id, "error": str(e)})
+
+            result.response_data = {
+                "modified_subnets": modified_subnets,
+                "failed_modifications": failed_modifications,
+                "total_target_subnets": len(target_subnets),
+                "total_modified": len(modified_subnets),
+            }
+
+            # Add compliance evidence
+            result.add_compliance_evidence(
+                "cis_aws",
+                {
+                    "controls": ["4.3"],
+                    "subnets_hardened": len(modified_subnets),
+                    "network_security_improved": len(modified_subnets) > 0,
+                    "remediation_timestamp": result.start_time.isoformat(),
+                },
+            )
+
+            if len(modified_subnets) == len(target_subnets):
+                result.mark_completed(RemediationStatus.SUCCESS)
+                logger.info(f"Successfully disabled auto-assign public IP on {len(modified_subnets)} subnets")
+            else:
+                result.mark_completed(RemediationStatus.SUCCESS)  # Partial success
+                logger.warning(f"Partially completed: {len(modified_subnets)}/{len(target_subnets)} subnets modified")
+
+        except ClientError as e:
+            error_msg = f"Failed to disable subnet auto-assign public IP: {e}"
+            logger.error(error_msg)
+            result.mark_completed(RemediationStatus.FAILED, error_msg)
+        except Exception as e:
+            error_msg = f"Unexpected error during subnet configuration: {e}"
+            logger.error(error_msg)
+            result.mark_completed(RemediationStatus.FAILED, error_msg)
+
+        return [result]
+
+    def comprehensive_ec2_security(self, context: RemediationContext, **kwargs) -> List[RemediationResult]:
+        """
+        Apply comprehensive EC2 security configuration.
+
+        Combines multiple security operations for complete infrastructure hardening:
+        - Cleanup unused security groups
+        - Cleanup unattached EBS volumes
+        - Disable subnet auto-assign public IP
+        - Generate comprehensive security audit
+
+        Args:
+            context: Remediation execution context
+            **kwargs: Additional parameters
+
+        Returns:
+            List of remediation results from all operations
+        """
+        logger.info("Starting comprehensive EC2 security remediation")
+
+        all_results = []
+
+        # Execute all security operations
+        security_operations = [
+            ("cleanup_unused_security_groups", self.cleanup_unused_security_groups),
+            ("cleanup_unattached_ebs_volumes", self.cleanup_unattached_ebs_volumes),
+            ("disable_subnet_auto_public_ip", self.disable_subnet_auto_public_ip),
+            ("audit_public_ips", self.audit_public_ips),
+        ]
+
+        for operation_name, operation_method in security_operations:
+            try:
+                logger.info(f"Executing {operation_name}")
+                operation_results = operation_method(context, **kwargs)
+                all_results.extend(operation_results)
+
+                # Check if operation failed and handle accordingly
+                if any(r.failed for r in operation_results):
+                    logger.warning(f"Operation {operation_name} failed")
+                    if kwargs.get("fail_fast", False):
+                        break
+
+            except Exception as e:
+                logger.error(f"Error in {operation_name}: {e}")
+                # Create error result
+                error_result = self.create_remediation_result(
+                    context, operation_name, "ec2:infrastructure", "comprehensive"
+                )
+                error_result.mark_completed(RemediationStatus.FAILED, str(e))
+                all_results.append(error_result)
+
+                if kwargs.get("fail_fast", False):
+                    break
+
+        # Generate comprehensive summary
+        successful_operations = [r for r in all_results if r.success]
+        failed_operations = [r for r in all_results if r.failed]
+
+        logger.info(
+            f"Comprehensive EC2 security remediation completed: "
+            f"{len(successful_operations)} successful, {len(failed_operations)} failed"
+        )
+
+        return all_results