diff --git a/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh b/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh
index 57f36f11a7b0..d5f5a22f17c2 100755
--- a/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh
+++ b/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh
@@ -4,6 +4,11 @@ set -o nounset
 set -o errexit
 set -o pipefail
 
+if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" != "true" ]]
+then
+	return
+fi
+
 export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"
 
 function join_by { local IFS="$1"; shift; echo "$*"; }
diff --git a/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml b/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml
index 6356cff928ee..0489ab3d24b7 100644
--- a/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml
+++ b/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml
@@ -41,7 +41,7 @@ ref:
   - name: EDGE_NODE_WORKER_ASSIGN_PUBLIC_IP
     default: "no"
   - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY
-    default: ""
+    default: "true"
     documentation: "Whether to use public only subnets. Implies no NAT gateways. Requires a VPC to be configured prior to install"
   - name: TF_LOG
     default: "INFO"
diff --git a/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml b/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml
index eb422b8c6b2c..3480dde5ac5b 100644
--- a/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml
+++ b/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml
@@ -56,7 +56,7 @@ ref:
     default: "false"
     documentation:  "Use AWS Spot Instances for *master* nodes. Set to 'true' to opt into spot instances. Explicitly set to 'false' to opt out. Leave unset for the default, which may change. Note that spot masters are only supported when installing with a) CAPI; or b) newer installer versions (see https://github.com/openshift/installer/pull/8349). A preflight check will fail if this variable is set to 'true' for an unsupported configuration."
   - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY
-    default: ""
+    default: "true"
     documentation: "Whether to use only public subnets for AWS. Implies no NAT Gateways. Requires a VPC to be configured prior to install."
   dependencies:
   - name: "release:latest"
diff --git a/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml b/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml
index 7c772c2d6f15..4ccd1052e752 100644
--- a/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml
+++ b/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml
@@ -4,6 +4,7 @@ chain:
   - ref: ipi-install-rbac
   - ref: openshift-cluster-bot-rbac
   - ref: ipi-install-hosted-loki
+  - ref: ipi-conf-aws-publicsubnets 
   - ref: ipi-install-install
   - ref: ipi-install-times-collection
   - ref: nodes-readiness