Config Rule for EIPs Attached to EC2 Instances Within VPC

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/config/.

03 In the navigation panel, under AWS Config, click Rules.

04 Choose the AWS Config rule that you want to examine, then click on the pencil (edit) icon available in the Edit rule column.

05 On the Configure rule page, check the Managed rule name configuration attribute value. The value of this attribute represents the name of the AWS Lambda function that evaluates whether your AWS resources (in this case Elastic IPs) comply with the rule. If the configuration attribute value is not "EIP_ATTACHED", the selected managed Config rule does not check whether all EIPs allocated to your VPC are attached to EC2 instances or active ENIs.

06 Repeat step no. 4 and 5 to verify each Config rule created in the selected AWS region. If none of the AWS Config rules available within the selected region have the Managed rule name attribute value set to "EIP_ATTACHED", there is no AWS managed Config rule that checks if your Elastic IPs are attached to EC2 instances or in-use ENIs, available in the selected AWS region.

07 Change the AWS region from the navigation bar and repeat steps no. 4 – 6 for other regions.

01 Run describe-config-rules command (OSX/Linux/UNIX) using custom query filters to describe the configuration information of the managed Config rule that checks if all EIPs, available in the selected AWS region, are attached to EC2 resources (instances or ENIs):

aws configservice describe-config-rules
	--region us-east-1
	--query "ConfigRules[?Source.SourceIdentifier == 'EIP_ATTACHED']"

02 The command output should return the configuration details for the requested AWS Config rule:

[]

03 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/config/.

03 In the navigation panel, under AWS Config, click Rules.

04 Click Add rule button from the dashboard top menu to start the rule setup process.

05 Inside Filter by rule name, label or description box, type eip-attached and press Enter.

06 Click on the predefined AWS Config rule returned to review its configuration parameters without changing any settings. Once reviewed, click Save to instantiate the predefined rule and return to the AWS Config dashboard. The Config service will start now to evaluate the AWS resources against the new rule. After the evaluation completes, the Compliance status of the rule should change according to the evaluation results.

07 Change the AWS region from the navigation bar and repeat steps no. 4 – 6 if you need to create the "eip-attached" managed Config rule in other AWS region.

01 Define the configuration for the managed Config rule that checks if all your EIPs are associated with EC2 instances or in-use ENIs. Save the configuration information described below to a JSON document named cc-config-rule-for-attached-eips.json. The following configuration is used to create a managed rule named "eip-attached", based on a predefined Lambda function named "EIP_ATTACHED":

{
    "ConfigRuleName": "eip-attached",
    "Description": "Checks whether all EIP addresses allocated to a VPC are attached to EC2 instances or in-use ENIs.",
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "EIP_ATTACHED"
    },
    "Scope": {
        "ComplianceResourceTypes": [ "AWS::EC2::EIP" ]
    }
}

02 Run put-config-rule command (OSX/Linux/UNIX) using the configuration file defined at the previous step to create the required managed Config rule in the selected AWS region (the command does not produce an output):

aws configservice put-config-rule
	--region us-east-1
	--config-rule file://cc-config-rule-for-attached-eips.json

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 if you need to create this managed AWS Config rule in other AWS region.