Profile Applicability:
Level 2
Description:
Static IPs, such as Elastic IPs in AWS, are IP addresses that remain fixed and can be manually associated with instances, enabling consistent access. However, if these static IPs are allocated but not attached to any instance, they incur costs and may pose a security risk if not properly managed. It's important to identify and release any unused static IPs to avoid unnecessary charges and to maintain a clean and efficient cloud environment.
Rationale:
When static IPs are allocated but not attached to instances, they can lead to unnecessary costs. Cloud providers typically charge for unused static IPs, so keeping track of allocated but unassigned IPs is crucial for cost optimization. In addition, managing unused IPs helps reduce the risk of accidental exposure, ensuring better security and resource management.
Impact:
Pros:
Identifies unused resources, reducing unnecessary costs.
Helps maintain a secure environment by ensuring that unused IPs are not left open or exposed.
Improves overall cloud resource management and efficiency.
Cons:
Requires regular monitoring and clean-up to identify unused static IPs.
Potential disruption if a static IP is released but later needed.
Default Value:
Static IPs are typically allocated when needed, but may not automatically be associated with an instance. It's up to the user or administrator to ensure they are either attached or released when no longer necessary.
Pre-requisites:
Cloud provider permissions (for AWS, the following IAM actions; GCP and Azure have equivalents):
ec2:DescribeAddresses
ec2:ReleaseAddress
Access to the cloud provider's console or CLI tools for managing IP addresses.
Regular monitoring and auditing to identify unused static IPs.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 and select Elastic IPs from the left-hand menu.
Review the list of allocated Elastic IPs.
Check if any Elastic IPs are not associated with any instance. The Instance ID field should be empty for unused IPs.
If there are any unused Elastic IPs, select them and release the IPs to stop incurring charges.
To release an IP, select the IP and click Actions > Release Elastic IP address.
Using AWS CLI:
List all Elastic IPs together with the fields that show whether each one is attached:
aws ec2 describe-addresses --query "Addresses[*].[PublicIp,AllocationId,InstanceId,AssociationId]" --output table
Check if any IP addresses are not associated with any instance. The InstanceId and AssociationId fields should be empty for unused IPs.
For any unused Elastic IP, release it to stop incurring costs:
aws ec2 release-address --allocation-id <ALLOC_ID>
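The audit step above, as an added example that is not part of the original recommendation: it parses the JSON that `aws ec2 describe-addresses` returns and flags only the addresses attached to nothing. The sample output is constructed, and the function assumes the standard keys of that command (AssociationId, InstanceId, NetworkInterfaceId); it checks all three because an Elastic IP held by a NAT gateway or load balancer has no InstanceId but is still in use.

```python
import json

# Constructed sample shaped like `aws ec2 describe-addresses --output json`
# (documentation-range IPs and made-up resource ids).
SAMPLE_DESCRIBE_ADDRESSES = json.dumps({
    "Addresses": [
        # attached to an EC2 instance: in use
        {"PublicIp": "198.51.100.10", "AllocationId": "eipalloc-0aaa000000000001",
         "Domain": "vpc", "InstanceId": "i-0bbb000000000001",
         "AssociationId": "eipassoc-0ccc000000000001",
         "NetworkInterfaceId": "eni-0ddd000000000001"},
        # allocated but attached to nothing: candidate for release
        {"PublicIp": "198.51.100.11", "AllocationId": "eipalloc-0aaa000000000002",
         "Domain": "vpc"},
        # attached to a network interface (e.g. NAT gateway): in use, no InstanceId
        {"PublicIp": "198.51.100.12", "AllocationId": "eipalloc-0aaa000000000003",
         "Domain": "vpc", "AssociationId": "eipassoc-0ccc000000000003",
         "NetworkInterfaceId": "eni-0ddd000000000003"},
    ]
})


def unassociated_addresses(describe_output: str) -> list[dict]:
    """Return the Elastic IPs that are allocated but attached to nothing.

    An address counts as in use if it carries an AssociationId, an InstanceId
    or a NetworkInterfaceId. Testing InstanceId alone would wrongly flag the
    NAT gateway / load balancer case, whose addresses never have one.
    """
    addresses = json.loads(describe_output)["Addresses"]
    return [a for a in addresses
            if not (a.get("AssociationId") or a.get("InstanceId")
                    or a.get("NetworkInterfaceId"))]


def release_commands(describe_output: str) -> list[str]:
    """Build the release-address commands so they can be reviewed before running."""
    return [f"aws ec2 release-address --allocation-id {a['AllocationId']}"
            for a in unassociated_addresses(describe_output)]


if __name__ == "__main__":
    # Print the proposed release commands for the constructed sample.
    for cmd in release_commands(SAMPLE_DESCRIBE_ADDRESSES):
        print(cmd)
```

To run it against a real account, pipe the output of `aws ec2 describe-addresses --output json` into `unassociated_addresses` instead of the constructed sample.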
Implementation Plan:
Using AWS Console:
Navigate to EC2 and select Elastic IPs.
Identify any Elastic IPs that are not associated with an instance.
Select the unused IPs and click Actions > Release Elastic IP address to release them.
Ensure that no further Elastic IPs are left unused and incur unnecessary costs.
Using AWS CLI:
Run the describe-addresses command to list allocated Elastic IPs with their attachment fields:
aws ec2 describe-addresses --query "Addresses[*].[PublicIp,AllocationId,InstanceId,AssociationId]" --output table
If any IPs are not associated with instances, release them:
aws ec2 release-address --allocation-id <ALLOC_ID>
Backout Plan:
Using AWS Console:
If you mistakenly release an Elastic IP, you can allocate a new one by clicking Allocate new address in the Elastic IPs section and associating it with the desired instance.
If an Elastic IP is mistakenly associated with the wrong instance, you can disassociate it by selecting the IP and clicking on Disassociate.
Using AWS CLI:
To disassociate an Elastic IP from an instance:
aws ec2 disassociate-address --association-id <ASSOCIATION_ID>
To allocate a new Elastic IP (the returned allocation ID is then passed to associate-address to attach it to an instance):
aws ec2 allocate-address
Reference:
CIS Controls: