Rule: VPC EIPs Should Be Associated with an EC2 Instance or ENI
This rule ensures that VPC Elastic IPs are properly associated to maintain network security.
| Rule | VPC EIPs should be associated with an EC2 instance or ENI |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description:
VPC Elastic IP (EIP) addresses should only be associated with EC2 instances or Elastic Network Interfaces (ENI) to comply with the NIST 800-171 Revision 2 security standard. An Elastic IP address is a static, public IPv4 address that can be associated with resources in your VPC. By ensuring that every EIP is connected to a valid EC2 instance or ENI, you mitigate the risk of unauthorized access and ensure proper security controls over your VPC.
Troubleshooting Steps:
If an EIP is found to be unassociated with any EC2 instance or ENI, here are the troubleshooting steps to rectify the issue:
- 1.
Identify unassociated EIPs:
- Go to the Amazon VPC Management Console.
- Select the desired VPC from the VPC dashboard.
- Click on "Elastic IPs" from the left-hand navigation pane.
- Identify any EIPs that are not associated with an EC2 instance or ENI.
- 2.
Determine the reason for unassociation:
- Review the EIPs' description or associated tags to identify any specific reason they are unassociated.
- 3.
Associate EIP with an EC2 instance or ENI:
- Select the unassociated EIP.
- Click on "Actions" and choose "Associate Elastic IP address".
- Choose the appropriate EC2 instance or ENI from the drop-down menu.
- Click on "Associate" to complete the association.
Necessary Codes:
There are no specific codes needed to enforce the association of VPC EIPs with EC2 instances or ENIs. However, you can use the AWS CLI (Command Line Interface) to automate the troubleshooting steps mentioned above.
To list unassociated EIPs using AWS CLI:
aws ec2 describe-addresses --filter "Name=instance-id, Values=[]"
To associate an EIP with an EC2 instance or ENI using AWS CLI:
aws ec2 associate-address --instance-id <instance-id> --public-ip <EIP-address>
Make sure to replace
<instance-id><EIP-address>Remediation Steps:
To ensure compliance with the VPC EIP association rule, follow these step-by-step guide for remediation:
- 1.
Identify unassociated EIPs:
- Access the AWS Management Console.
- Navigate to the Amazon VPC service.
- Select the appropriate VPC for assessment.
- 2.
Review unassociated EIPs:
- Click on "Elastic IPs" in the left-hand navigation pane.
- Make note of all unassociated EIPs.
- 3.
Associate EIPs with EC2 instances or ENIs:
- Select an unassociated EIP.
- Click on "Actions" and choose "Associate Elastic IP address".
- From the drop-down menu, select the EC2 instance or ENI you want to associate the EIP with.
- Confirm the association.
- 4.
Repeat the procedure for all other unassociated EIPs.
- 5.
Verify the association:
- Review the "Elastic IPs" page to ensure all EIPs are now associated with valid EC2 instances or ENIs.
By following these steps, you can ensure that all VPC EIPs are correctly associated with EC2 instances or ENIs, meeting the compliance requirement of NIST 800-171 Revision 2.