Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Unassociated Elastic IP Addresses

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-024

Check for unattached Amazon Elastic IP (EIP) addresses within your AWS cloud account and release (remove) them in order to lower the cost of your AWS bill.

This rule can help you with the following compliance standards:

  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost
optimisation

Amazon Web Services enforce a small hourly charge if an Elastic IP address within your cloud account is not associated with a running Amazon EC2 instance or an Elastic Network Interface (ENI). Trend Cloud One™ – Conformity recommends releasing any unassociated EIPs that are no longer needed to reduce your AWS cloud costs.


Audit

To identify unattached Elastic IPs currently available in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, select Elastic IPs.

04 Select the Elastic IP (EIP) address that you want to examine.

05 Choose the Summary tab from the console bottom panel and check the Association ID configuration attribute value. If the Association ID attribute has no value, the selected Elastic IP address is not associated with an Amazon EC2 instance or Elastic Network Interface (ENI), therefore the EIP can be reviewed and released.

06 Repeat steps no. 4 and 5 for each Elastic IP allocated in the selected AWS cloud region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-addresses command (OSX/Linux/UNIX) with custom query filters to list the Elastic IP addresses available in the selected AWS cloud region:

aws ec2 describe-addresses
  --region us-east-1
  --output table
  --query 'Addresses[*].PublicIp'

02 The command output should return a table with the requested IP addresses:

-------------------
|DescribeAddresses|
+-----------------+
|    10.0.0.5     |
|    10.0.0.8     |
+-----------------+

03 Run describe-addresses command (OSX/Linux/UNIX) using the ID of the Elastic IP (EIP) address that you want to examine as the identifier parameter and custom query filters to describe the association ID of the selected EIP with an EC2 instance or Elastic Network Interface:

aws ec2 describe-addresses
  --region us-east-1
  --public-ips 10.0.0.5
  --query 'Addresses[*].AssociationId'

04 The command output should return the requested association ID:

[]

If the describe-instances command output returns an empty array (i.e. []), as shown in the example above, the selected Elastic IP address is not currently associated with an Amazon EC2 instance or Elastic Network Interface (ENI), therefore the EIP can be reviewed and released.

05 Repeat steps no. 3 and 4 for each Elastic IP provisioned in the selected AWS cloud region.

06 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To release (remove) any unassociated Elastic IP (EIP) address from your AWS cloud account, perform the following operations:

(!) IMPORTANT: Once released, you can't reuse the Elastic IP again so make sure to update any DNS records that communicate with the selected EIP before removing it.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, select Elastic IPs.

04 Select the unassociated Elastic IP (EIP) address that you want to release, choose Actions, and select Release Elastic IP addresses.

05 In the Release Elastic IP addresses confirmation box, review the EIP resource details, then choose Release to remove the Elastic IP address from your AWS cloud account.

06 Repeat steps no. 4 and 5 for each Elastic IP that you want to remove, available within the current AWS region.

07 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-addresses command (OSX/Linux/UNIX) using the ID of the unassociated Elastic IP (EIP) address that you want to release as the identifier parameter, to describe the allocation ID of the selected EIP resource:

aws ec2 describe-addresses
  --region us-east-1
  --public-ips 10.0.0.5
  --query 'Addresses[*].AllocationId'

02 The command output should return the requested allocation ID:

[
	"eipalloc-0abcd1234abcd1234"
]

03 Run release-address command (OSX/Linux/UNIX) using the allocation ID returned at the previous step as the identifier parameter, to remove (release) the selected Elastic IP address from your AWS cloud account (if successful, the command does not produce an output):

aws ec2 release-address
  --allocation-id eipalloc-0abcd1234abcd1234

04 Repeat steps no. 1 – 3 for each Elastic IP that you want to remove, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

Publication date Jun 6, 2016