Logo of Trend Micro

Unassociated Elastic IP Addresses

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: EC2-024

Check for any unattached Elastic IP (EIP) addresses in your AWS account and release (remove) them in order to lower the cost of your monthly AWS bill.

This rule can help you with the following compliance standards:

  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Cost
optimisation

Amazon Web Services enforce a small hourly charge if an Elastic IP (EIP) address within your account is not associated with a running EC2 instance or an Elastic Network Interface (ENI). Cloud Conformity recommends releasing any unassociated EIPs that are no longer needed to reduce your AWS monthly costs.

Audit

To identify any unattached Elastic IPs currently available in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, choose Elastic IPs.

04 ec2-select-unassociated-from-the-filter-dropdown-menu.png Select Unassociated from the Filter dropdown menu:

Select Unassociated from the Filter dropdown menu

to filter all the available EIPs and return the unattached ones. The filtering process should return the Elastic IPs that are not currently associated with any running EC2 instances or Elastic Network Interfaces (ENIs). The unattached EIPs returned at this step can be safely released (see Remediation/Resolution section).

05 Change the AWS region from the navigation bar:

Change the AWS region from the navigation bar

and repeat the process for the other regions.

Using AWS CLI

01 Run describe-addresses command (OSX/Linux/UNIX) to list all the Elastic IPs currently available in the selected region: 

aws ec2 describe-addresses
	--region us-east-1

02 The command output should return an array with all the EIPs available in the selected region and their metadata: 

{
    "Addresses": [
        {
            "Domain": "vpc",
            "InstanceId": "i-050dd70e11208d5ca",
            "NetworkInterfaceId": "eni-9540b8b3",
            "AssociationId": "eipassoc-94f98bee",
            "PublicIp": "50.17.142.10",
            "AllocationId": "eipalloc-961287ef",
            "PrivateIpAddress": "172.31.60.37"
        },
        {
            "PublicIp": "50.17.135.239",
            "Domain": "vpc",
            "AllocationId": "eipalloc-c264f1bb"
        },
        {
            "PublicIp": "23.23.0.76",
            "Domain": "vpc",
            "AllocationId": "eipalloc-a233a6db"
        }
    ]
}

The EIPs that are not returning the AssociationId parameter for their metadata (highlighted) are not currently associated with any EC2 instances or Elastic Network Interfaces (ENIs) and can be safely released.

03 Repeat step no. 1 and 2 to identify any unattached EIPs available in other AWS regions.

Remediation / Resolution

To release (remove) any unassociated Elastic IP (EIP) addresses available in your AWS account, perform the following:

(!) IMPORTANT: Once released, you cannot reuse the Elastic IP again so make sure to update any DNS records that communicate with the EIP before removing it.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, choose Elastic IPs.

04 Select Unassociated from the Filter dropdown menu:

Select Unassociated from the Filter dropdown menu

to filter the available EIPs and return the unattached ones.

05 Select the unassociated EIP(s) returned, click the Actions dropdown button from the dashboard top menu and select Release Address.

06 In the Release Address confirmation box, review the unattached EIP(s) listed and click Yes, Delete button to remove the selected EIP(s) from your AWS account.

07 Change the AWS region from the navigation bar:

Change the AWS region from the navigation bar

and repeat steps no. 4 - 6 to remove any unassociated EIPs within the other regions.

Using AWS CLI

01 Run describe-addresses command (OSX/Linux/UNIX) to list all the Elastic IPs currently available in the selected region: 

aws ec2 describe-addresses
	--region us-east-1

02 The command output should return an array with all the EIPs available in the selected region and their metadata: 

{
    "Addresses": [
        {
            "Domain": "vpc",
            "InstanceId": "i-050dd70e11208d5ca",
            "NetworkInterfaceId": "eni-9540b8b3",
            "AssociationId": "eipassoc-94f98bee",
            "NetworkInterfaceOwnerId": "123456789012",
            "PublicIp": "50.17.142.10",
            "AllocationId": "eipalloc-961287ef",
            "PrivateIpAddress": "172.31.60.37"
        },
        {
            "PublicIp": "50.17.135.239",
            "Domain": "vpc",
            "AllocationId": "eipalloc-c264f1bb"
        },
        {
            "PublicIp": "23.23.0.76",
            "Domain": "vpc",
            "AllocationId": "eipalloc-a233a6db"
        }
    ]
}

03 Run release-address command (OSX/Linux/UNIX) using the EIP allocation ID as identifier to release (delete) any unassociated Elastic IPs available in the selected region. To determine the allocation IDs for the unattached EIPs available just check the metadata returned at the previous step and use the AllocationId values (highlighted) for the EIPs that are not returning the AssociationId parameter as their metadata. If the command succeeds, no output is returned: 

aws ec2 release-address
	–-region us-east-1
	--allocation-id eipalloc-c264f1bb

04 Repeat step no. 3 to release (remove) any other unattached EIPs available in the selected region.

05 Repeat steps no. 1 – 3 to release any unattached EIPs available in other AWS regions.

References

Publication date Jun 6, 2016

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Unassociated Elastic IP Addresses

Risk level: Low