
Rule: VPC EIPs Should be Associated with an EC2 Instance or ENI

This rule ensures that VPC Elastic IPs are properly linked to EC2 instances or Elastic Network Interfaces.

Rule: VPC EIPs should be associated with an EC2 instance or ENI
Framework: CISA-cyber-essentials
Severity: High

Rule Details:

This rule, which is mapped to the CISA Cyber Essentials framework, requires that every Elastic IP address (EIP) allocated in a Virtual Private Cloud (VPC) be associated with either an EC2 instance or an Elastic Network Interface (ENI).

An EIP is a static public IPv4 address allocated to your account that can be remapped from one instance or ENI to another. An EIP that is allocated but not associated usually means configuration drift: the instance it belonged to was terminated, or someone disassociated it by hand and never cleaned up. The idle address is still billed, and it keeps appearing in inventory as a public endpoint nobody owns. The larger risk comes later: if the EIP is released while DNS records, firewall allow-lists or partner configurations still reference it, the address returns to the Amazon pool and can be allocated to another AWS account, leaving a dangling record that a third party can claim. Each unassociated EIP should therefore be either re-associated with the resource that needs it or released only after every reference to it has been removed.

Troubleshooting Steps (if applicable):

If you encounter any issues or alerts related to unassociated EIPs in your VPC, follow these troubleshooting steps:

  1. Identify Unassociated EIPs: Use the AWS Management Console, AWS CLI, or SDKs to list the EIPs in the account and region and pick out those with no association ID.

  2. Verify the Purpose: Check the purpose or requirement for each unassociated EIP (its Name tag, the terminated instance it last belonged to, any DNS record that resolves to it). Determine whether it should be associated with a specific EC2 instance or ENI, or whether it is no longer needed and can be released once nothing references it.

  3. Determine Root Cause: Identify why the EIP lost its association. Common causes are a manual disassociation, termination of the instance it was attached to, or an automation (autoscaling, infrastructure-as-code) that replaced the instance without re-associating the address.

  4. Verify Availability: Ensure that the target EC2 instance exists and is running (not stopped or terminated), or that the target ENI exists in the same VPC. An EIP can be associated with a stopped instance or with an ENI that is not attached to any instance, but it will not serve traffic in that state and AWS still bills for it.

  5. Associate EIP: Associate the unassociated EIP with the correct EC2 instance or ENI using the AWS Management Console, AWS CLI, or SDKs, then confirm that the association ID is populated.

Necessary Commands (if applicable):

If you prefer to troubleshoot or remediate from the command line, the following AWS CLI commands cover the steps above. VPC EIPs are identified by their allocation ID (eipalloc-...); the --public-ip form of associate-address belonged to EC2-Classic and should not be used for VPC addresses.

  1. List all unassociated EIPs (select the entries whose AssociationId is absent with a JMESPath query on the response):
aws ec2 describe-addresses --query 'Addresses[?AssociationId==null].[AllocationId,PublicIp,Tags]' --output table
  2. Associate an EIP with an EC2 instance:
aws ec2 associate-address --allocation-id <allocation_id> --instance-id <instance_id>
  3. Associate an EIP with an ENI:
aws ec2 associate-address --allocation-id <allocation_id> --network-interface-id <eni_id>
  4. Confirm the association took effect:
aws ec2 describe-addresses --allocation-ids <allocation_id> --query 'Addresses[].[AssociationId,InstanceId,NetworkInterfaceId]'

Step-by-Step Guide for Remediation:

To remediate the unassociated EIPs issue in your VPC, follow these steps:

  1. Identify Unassociated EIPs:
    • Use the AWS Management Console, AWS CLI, or SDKs to list the Elastic IP addresses in each region you operate in.
    • Pick out every EIP whose association ID is empty.
  2. Determine the Purpose of Unassociated EIPs:
    • Determine whether each unassociated EIP should be associated with an EC2 instance or an ENI.
    • Check whether the EIP should be associated with an existing resource or whether a new resource needs to be created.
    • Check whether any DNS record or allow-list still references the address; an EIP that is still referenced must be re-associated (or the reference removed) before it is ever released.
  3. Verify the Availability of Target Resources:
    • Ensure that the EC2 instance to be associated is running, or that the ENI exists in the same VPC as the EIP.
    • Check for issues with the resources such as being stopped or terminated.
    • Troubleshoot and resolve any issues preventing the association.
  4. Associate Unassociated EIPs:
    • Associate each unassociated EIP with its intended EC2 instance or ENI.
    • Use the AWS Management Console, AWS CLI, or SDKs to perform the association.
    • Repeat the association process for each unassociated EIP, and release any EIP that is confirmed to be unneeded and unreferenced.
  5. Validate EIP Association:
    • Verify that each association succeeded by confirming the EIP now shows an association ID and the expected instance or network interface.
    • Use the AWS Management Console, AWS CLI, or SDKs to confirm the association.
    • Check that the EIP answers traffic as intended (for example, that the service behind it is reachable on the expected ports).
  6. Update Documentation:
    • Document the actions taken to associate or release the EIPs and any other relevant information.
    • Update your network configurations or diagrams to reflect the newly associated EIPs.
  7. Monitor and Maintain:
    • Implement regular monitoring and maintenance practices to ensure ongoing association and proper utilization of EIPs.
    • Set up alerts or automated processes to detect any future unassociated EIPs and correct them promptly.
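The identification, purpose-check and validation steps above, run over a saved dump of `aws ec2 describe-addresses --output json`, as an added example (my code, not Cloud Defense's or AWS's). It assumes that output shape plus a hypothetical hostname-to-IP map exported from your DNS zone, so that the same pass that finds unassociated EIPs also tells you which ones a hostname still points at; those must be re-associated or have their records removed before anyone releases them. The allocation IDs, addresses and hostnames in the sample are constructed.

```python
import json
from dataclasses import dataclass, field

# Constructed sample in the shape of `aws ec2 describe-addresses --output json`
# (not real resources). Address .11 and .13 have no AssociationId; .12 is bound
# to an ENI that is not attached to any instance.
SAMPLE_DESCRIBE_ADDRESSES = """
{
  "Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa000000000001",
     "AssociationId": "eipassoc-0bbb000000000001", "InstanceId": "i-0ccc000000000001",
     "NetworkInterfaceId": "eni-0ddd000000000001", "Domain": "vpc",
     "Tags": [{"Key": "Name", "Value": "bastion"}]},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0aaa000000000002",
     "Domain": "vpc", "Tags": [{"Key": "Name", "Value": "old-nat"}]},
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0aaa000000000003",
     "AssociationId": "eipassoc-0bbb000000000003",
     "NetworkInterfaceId": "eni-0ddd000000000003", "Domain": "vpc"},
    {"PublicIp": "203.0.113.13", "AllocationId": "eipalloc-0aaa000000000004",
     "Domain": "vpc"}
  ]
}
"""

# Constructed hostname -> A record map (hypothetical export from the DNS zone).
SAMPLE_DNS_A_RECORDS = {
    "bastion.example.com": "203.0.113.10",
    "legacy.example.com": "203.0.113.11",
}


@dataclass
class Finding:
    allocation_id: str
    public_ip: str
    status: str                 # "compliant", "unassociated" or "eni-unattached"
    name: str = ""
    dns_names: list = field(default_factory=list)
    remediation: str = ""


def load_addresses(describe_addresses_json: str) -> list:
    """Parse the document printed by `aws ec2 describe-addresses --output json`."""
    return json.loads(describe_addresses_json)["Addresses"]


def name_tag(address: dict) -> str:
    """Return the Name tag, which is usually the quickest hint about purpose."""
    return next((t["Value"] for t in address.get("Tags", []) if t["Key"] == "Name"), "")


def classify(address: dict) -> str:
    """Apply the rule: an EIP must carry an association to an instance or an ENI.
    An EIP bound to an ENI with no instance passes the rule but is still flagged,
    because traffic to it goes nowhere while the address keeps billing."""
    if not address.get("AssociationId"):
        return "unassociated"
    if address.get("NetworkInterfaceId") and not address.get("InstanceId"):
        return "eni-unattached"
    return "compliant"


def audit_eips(addresses: list, dns_a_records: dict) -> list:
    """One Finding per EIP, joined against DNS so nobody releases an address that a
    hostname still resolves to (the dangling-record takeover case)."""
    ip_to_names = {}
    for host, ip in dns_a_records.items():
        ip_to_names.setdefault(ip, []).append(host)
    findings = []
    for addr in addresses:
        status = classify(addr)
        names = sorted(ip_to_names.get(addr["PublicIp"], []))
        alloc = addr["AllocationId"]
        remediation = ""
        if status == "unassociated" and names:
            # Still referenced by DNS: re-associate, never release.
            remediation = (f"DNS still points here ({', '.join(names)}); re-associate: "
                           f"aws ec2 associate-address --allocation-id {alloc} "
                           f"--instance-id <instance_id>")
        elif status == "unassociated":
            remediation = (f"Associate with its intended resource, or if unneeded: "
                           f"aws ec2 release-address --allocation-id {alloc}")
        elif status == "eni-unattached":
            remediation = f"Attach {addr['NetworkInterfaceId']} to an instance or move the EIP"
        findings.append(Finding(alloc, addr["PublicIp"], status, name_tag(addr), names, remediation))
    return findings


def noncompliant(findings: list) -> list:
    """The EIPs that actually violate the rule (no association at all)."""
    return [f for f in findings if f.status == "unassociated"]


if __name__ == "__main__":
    for f in audit_eips(load_addresses(SAMPLE_DESCRIBE_ADDRESSES), SAMPLE_DNS_A_RECORDS):
        print(f"{f.public_ip:<14} {f.allocation_id:<26} {f.status:<15} {f.name:<8} {f.remediation}")
```

Feed it the real dump with `aws ec2 describe-addresses --output json > eips.json` and a DNS export of your choice; the point of carrying the DNS join inside the audit is that the decision between "re-associate" and "release" is made with the reference data in hand, rather than after the address has already gone back to the pool.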
