Config Rule for EIPs Attached to EC2 Instances Within VPC

Risk Level: Medium (should be achieved)

Ensure that a managed Config rule for AWS Elastic IPs (EIPs) attached to EC2 instances launched inside a VPC is created. Config service tracks changes within your AWS resources configuration and saves the recorded data for security and compliance audits. A managed Config rule is a predefined and customizable rule, provided by AWS, that Config utilizes to evaluate whether the specified resources comply with common security best practices.

Security

If you associate an Elastic IP (EIP) address with an EC2 instance, the public IP address attached to the instance is released. AWS Config can evaluate your EC2 instances configuration to ensure there are no publicly addressable IPs currently attached as this would breach the defense in depth model and affect various layers of security.

Audit

To determine if there is a managed Config rule that checks whether all EIP addresses allocated to a VPC are attached to EC2 instances or in-use ENIs, available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/config/.

03 In the navigation panel, under AWS Config, click Rules.

04 Choose the AWS Config rule that you want to examine, then click on the pencil (edit) icon available in the Edit rule column.

05 On the Configure rule page, check the Managed rule name configuration attribute value. The value of this attribute represents the name of the AWS Lambda function that evaluates whether your AWS resources (in this case Elastic IPs) comply with the rule. If the configuration attribute value is not "EIP_ATTACHED", the selected managed Config rule does not check whether all EIPs allocated to your VPC are attached to EC2 instances or active ENIs.

06 Repeat step no. 4 and 5 to verify each Config rule created in the selected AWS region. If none of the AWS Config rules available within the selected region have the Managed rule name attribute value set to "EIP_ATTACHED", there is no AWS managed Config rule that checks if your Elastic IPs are attached to EC2 instances or in-use ENIs, available in the selected AWS region.

07 Change the AWS region from the navigation bar and repeat steps no. 4 – 6 for other regions.

Using AWS CLI

01 Run describe-config-rules command (OSX/Linux/UNIX) using custom query filters to describe the configuration information of the managed Config rule that checks if all EIPs, available in the selected AWS region, are attached to EC2 resources (instances or ENIs):

aws configservice describe-config-rules
	--region us-east-1
	--query "ConfigRules[?Source.SourceIdentifier == 'EIP_ATTACHED']"

02 The command output should return the configuration details for the requested AWS Config rule:

[]

If the describe-config-rules command output returns an empty array (i.e. []), as shown in the example above, there is no managed Config rule that checks if your Elastic IPs are attached to EC2 instances or active ENIs, available in the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 for other regions.

Remediation / Resolution

To create a managed AWS Config rule that regularly checks if all EIP addresses allocated to your VPC are attached to EC2 instances or in-use ENIs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/config/.

03 In the navigation panel, under AWS Config, click Rules.

04 Click Add rule button from the dashboard top menu to start the rule setup process.

05 Inside Filter by rule name, label or description box, type eip-attached and press Enter.

06 Click on the predefined AWS Config rule returned to review its configuration parameters without changing any settings. Once reviewed, click Save to instantiate the predefined rule and return to the AWS Config dashboard. The Config service will start now to evaluate the AWS resources against the new rule. After the evaluation completes, the Compliance status of the rule should change according to the evaluation results.

07 Change the AWS region from the navigation bar and repeat steps no. 4 – 6 if you need to create the "eip-attached" managed Config rule in other AWS region.

Using AWS CLI

01 Define the configuration for the managed Config rule that checks if all your EIPs are associated with EC2 instances or in-use ENIs. Save the configuration information described below to a JSON document named cc-config-rule-for-attached-eips.json. The following configuration is used to create a managed rule named "eip-attached", based on a predefined Lambda function named "EIP_ATTACHED":

{
    "ConfigRuleName": "eip-attached",
    "Description": "Checks whether all EIP addresses allocated to a VPC are attached to EC2 instances or in-use ENIs.",
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "EIP_ATTACHED"
    },
    "Scope": {
        "ComplianceResourceTypes": [ "AWS::EC2::EIP" ]
    }
}

02 Run put-config-rule command (OSX/Linux/UNIX) using the configuration file defined at the previous step to create the required managed Config rule in the selected AWS region (the command does not produce an output):

aws configservice put-config-rule
	--region us-east-1
	--config-rule file://cc-config-rule-for-attached-eips.json

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 if you need to create this managed AWS Config rule in other AWS region.

References

AWS Command Line Interface (CLI) Documentation
configservice
describe-config-rules
put-config-rule

Publication date Mar 28, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudWatchLogs rules