Rule: VPC EIPs Should be Associated with an EC2 Instance or ENI
This rule ensures that VPC Elastic IPs are properly associated to EC2 instances or Elastic Network Interfaces.
| Rule | VPC EIPs should be associated with an EC2 instance or ENI |
| Framework | CISA-cyber-essentials |
| Severity | ✔ High |
Rule Description:
VPC Elastic IP addresses (EIPs) should be associated with an EC2 instance or Elastic Network Interface (ENI) to ensure proper network connectivity and resource management within the VPC environment. This rule helps to maintain a secure and operational infrastructure for CISA-cyber-essentials compliance.
Troubleshooting Steps:
- 1.
Identify unassociated EIPs:
- List all available EIPs within the VPC.
- Identify any EIPs that are not associated with an EC2 instance or ENI.
- 2.
Determine the reason for unassociation:
- Check if any EC2 instances or ENIs were recently terminated or detached.
- Verify if the EIPs are still needed or can be released.
- 3.
Associate EIPs with correct resources:
- Review the architecture and requirements for the VPC.
- Determine the appropriate EC2 instance or ENI to associate with each EIP.
- 4.
Update EIP associations:
- Use appropriate AWS CLI commands or AWS Management Console to associate the EIPs with the identified EC2 instances or ENIs.
Code for CLI commands:
To retrieve the list of EIPs in the VPC:
aws ec2 describe-addresses --filters "Name=domain,Values=vpc"
To associate an EIP with an EC2 instance:
aws ec2 associate-address --allocation-id <allocation_id> --instance-id <instance_id>
To associate an EIP with an ENI:
aws ec2 associate-address --allocation-id <allocation_id> --network-interface-id <network_interface_id>
Step-by-Step Guide for Remediation:
- 1.
List all EIPs in the VPC by running the following command in the AWS CLI:
aws ec2 describe-addresses --filters "Name=domain,Values=vpc" - 2.
Identify any unassociated EIPs from the list. These are the EIPs that are not associated with any EC2 instance or ENI.
- 3.
Determine the reason for unassociation:
- Check if any EC2 instances or ENIs were recently terminated or detached.
- Verify if the EIPs are still needed or can be released.
- 4.
For each unassociated EIP:
- Check the VPC architecture and requirements to identify the appropriate EC2 instance or ENI for association.
- Use the AWS CLI or AWS Management Console to associate the EIP with the correct resource.
- 5.
To associate an EIP with an EC2 instance, run the following command:
aws ec2 associate-address --allocation-id <allocation_id> --instance-id <instance_id>Replace
with the ID of the unassociated EIP and<allocation_id>
with the ID of the EC2 instance.<instance_id> - 6.
To associate an EIP with an ENI, run the following command:
aws ec2 associate-address --allocation-id <allocation_id> --network-interface-id <network_interface_id>Replace
with the ID of the unassociated EIP and<allocation_id>
with the ID of the ENI.<network_interface_id> - 7.
Repeat steps 4-6 for all unassociated EIPs within the VPC.
By following these steps and associating all EIPs with appropriate resources, you will ensure compliance with the VPC Elastic IP association policy for CISA-cyber-essentials.