
Unassociated IP Addresses

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-024

Check for unattached Elastic IP (EIP) and Carrier IP addresses within your AWS cloud account and release (remove) them in order to lower the cost of your AWS bill. EIP addresses are static, public IPv4 addresses that you can allocate to your AWS account and associate with an EC2 instance or network interface. Carrier IP addresses are public IPv4 addresses specifically allocated to instances within AWS Wavelength Zones. These zones extend AWS infrastructure to the telecommunication carrier's network, enabling ultra-low latency applications.

This rule can help you with the following compliance standards:

  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

Amazon Web Services (AWS) does charge for unassociated Elastic IP (EIP) addresses and Carrier IP addresses. To avoid unnecessary costs, it is strongly recommended to release (remove) any Elastic IP or Carrier IP addresses that are not actively associated with a running AWS cloud resource.


Audit

To identify unattached Elastic IP (EIP) addresses and Carrier IP addresses within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, select Elastic IPs.

04 Select the IP address (Elastic IP or Carrier IP) that you want to examine. The value in the Type column represents the category of the IP address. For an Elastic IP (EIP) address, this value will be Public IP, while for a Carrier IP address, it will be Carrier IP.

05 Select the Summary tab from the console bottom panel and check the Association ID attribute value. If the Association ID attribute has no value, the selected IP address is not associated with an Amazon EC2 instance or Elastic Network Interface (ENI). As a result, the IP address can be reviewed and released.

06 Repeat steps no. 4 and 5 for each IP address allocated in the selected AWS cloud region.

07 Change the AWS region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-addresses command (OSX/Linux/UNIX) with custom output filters to list the IP addresses (Elastic IPs or Carrier IPs) available in the selected AWS cloud region:

aws ec2 describe-addresses \
	--region us-east-1 \
	--query 'Addresses[].[PublicIp, CarrierIp][]'

02 The command output should return an array with the requested IP addresses:

[
	"10.0.0.5",
	"10.0.0.9"
]

03 Run describe-addresses command (OSX/Linux/UNIX) with custom output filters to describe the association ID for the IP address (Elastic IP or Carrier IP) specified by the --public-ips parameter. An association ID represents the association of the IP address with an EC2 instance or Elastic Network Interface (ENI):

aws ec2 describe-addresses \
	--region us-east-1 \
	--public-ips 10.0.0.5 \
	--query 'Addresses[*].AssociationId'

04 The command output should return the requested association ID:

[]

If the describe-addresses command output returns an empty array (i.e., []), as shown in the example above, the selected IP address is not associated with an Amazon EC2 instance or Elastic Network Interface (ENI). As a result, the IP address can be reviewed and released.

05 Repeat steps no. 3 and 4 for each IP address provisioned in the selected AWS cloud region.

06 Change the AWS region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To release (remove) any unassociated Elastic IP and Carrier IP addresses from your AWS cloud account, perform the following operations:

(!) IMPORTANT: Once released, you can't reuse the IP address, so make sure to update any DNS records that point to the selected IP before removing it.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, select Elastic IPs.

04 Select the IP address (Elastic IP or Carrier IP) that you want to release, choose Actions, and select Release Elastic IP addresses.

05 In the Release Elastic IP addresses confirmation box, review the IP resource details, then choose Release to remove the unassociated IP address from your AWS cloud account.

06 Repeat steps no. 4 and 5 for each IP address that you want to release, available within the selected AWS region.

07 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-addresses command (OSX/Linux/UNIX) with custom output filters to describe the allocation ID for the IP address (Elastic IP or Carrier IP) specified by the --public-ips parameter. An allocation ID represents the allocation of the IP address:

aws ec2 describe-addresses \
	--region us-east-1 \
	--public-ips 10.0.0.5 \
	--query 'Addresses[*].AllocationId'

02 The command output should return the requested allocation ID:

[
	"eipalloc-0abcd1234abcd1234"
]

03 Run release-address command (OSX/Linux/UNIX) to remove (release) the selected IP address from your AWS cloud account (if successful, the command does not produce an output):

aws ec2 release-address \
	--region us-east-1 \
	--allocation-id "eipalloc-0abcd1234abcd1234"

04 Repeat steps no. 1 – 3 for each IP address that you want to remove, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
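The Audit and Remediation CLI steps above amount to one loop: read the describe-addresses output, keep the records whose AssociationId is empty, and feed each AllocationId to release-address. The following script, added here as an illustration and not part of the Conformity rule or its tooling, performs that audit over a hand-constructed describe-addresses JSON document (the addresses and eipalloc/eipassoc identifiers are placeholders) and emits the matching release-address commands for review. It also tells Elastic IPs from Carrier IPs by which of PublicIp or CarrierIp the record carries, which is the same distinction the console shows in its Type column.

```python
"""Audit helper: find unassociated Elastic IPs / Carrier IPs in the output of
`aws ec2 describe-addresses` and build the matching `release-address` commands.

Added example, not Conformity's own code. The JSON below is constructed to
mimic describe-addresses output; every address and identifier is a placeholder.
"""
import json

# Constructed sample of `aws ec2 describe-addresses --region us-east-1`:
# one associated EIP, one unassociated EIP, and one unassociated Carrier IP
# (Carrier IP records carry CarrierIp instead of PublicIp).
SAMPLE_DESCRIBE_ADDRESSES = json.dumps({
    "Addresses": [
        {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaaaaaaaaaaaaaaa",
         "AssociationId": "eipassoc-0bbbbbbbbbbbbbbbb", "Domain": "vpc",
         "InstanceId": "i-0ccccccccccccccccc",
         "NetworkInterfaceId": "eni-0ddddddddddddddddd",
         "NetworkBorderGroup": "us-east-1"},
        {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0eeeeeeeeeeeeeeee",
         "Domain": "vpc", "NetworkBorderGroup": "us-east-1"},
        {"CarrierIp": "198.51.100.7", "AllocationId": "eipalloc-0ffffffffffffffff",
         "Domain": "vpc", "NetworkBorderGroup": "us-east-1-wl1-bos-wlz-1"},
    ]
})


def classify(address: dict) -> str:
    """Return 'Carrier IP' when the record carries a CarrierIp, else 'Elastic IP'."""
    return "Carrier IP" if address.get("CarrierIp") else "Elastic IP"


def find_unassociated(describe_output: str) -> list:
    """Parse describe-addresses JSON and return the addresses with no AssociationId.

    A missing or empty AssociationId is exactly the audit condition of the rule:
    no EC2 instance and no ENI is using the address, so it only costs money.
    """
    addresses = json.loads(describe_output).get("Addresses", [])
    findings = []
    for addr in addresses:
        if addr.get("AssociationId"):
            continue  # in use: associated with an instance or an ENI
        findings.append({
            "ip": addr.get("PublicIp") or addr.get("CarrierIp"),
            "type": classify(addr),
            "allocation_id": addr["AllocationId"],
            "network_border_group": addr.get("NetworkBorderGroup", ""),
        })
    return findings


def release_commands(findings: list, region: str) -> list:
    """Build one `aws ec2 release-address` command per finding, for review before running."""
    return [
        f"aws ec2 release-address --region {region} "
        f"--allocation-id {f['allocation_id']}"
        for f in findings
    ]


if __name__ == "__main__":
    # Stand-alone run over the constructed sample.
    found = find_unassociated(SAMPLE_DESCRIBE_ADDRESSES)
    for f in found:
        print(f"{f['type']:<11} {f['ip']:<15} {f['allocation_id']}  "
              f"({f['network_border_group']})")
    for cmd in release_commands(found, "us-east-1"):
        print(cmd)
```

To apply it to a real account, capture `aws ec2 describe-addresses --region <region> --output json` once per region and pass each document to find_unassociated; the region loop replaces steps 05 and 06 of the Audit procedure. The script deliberately prints the release commands instead of running them, so the DNS check called out in the IMPORTANT note can happen before anything is released.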


Publication date Jun 6, 2016