Profile Applicability:
Level 2
Description:
Static IP addresses (Elastic IPs in AWS, reserved IPs in other clouds) that are allocated but not attached to any running instance represent unused resources. These unattached IPs can incur unnecessary costs and increase the attack surface if left unmanaged. Identifying and releasing such unused static IPs helps optimize resource usage, reduce costs, and improve security hygiene by limiting unnecessary exposure.
Rationale:
Unused static IPs are billable resources in many cloud providers and can lead to unnecessary expenses. Moreover, unattached IPs may be vulnerable to hijacking or misuse if they are not monitored properly. Releasing or reassigning these IPs reduces costs and potential security risks.
Impact:
Pros:
Reduces cloud infrastructure costs by releasing unused IPs
Lowers attack surface by eliminating unassociated public IPs
Helps maintain clean and manageable cloud resource inventory
Cons:
Releasing IPs may affect planned future deployments if those IPs were reserved intentionally
Requires coordination to ensure IPs are not needed before release
Default Value:
Cloud providers do not automatically release allocated static IPs. These remain assigned to the account until manually released, regardless of attachment status.
Pre-requisites:
Appropriate cloud permissions to list, describe, and release static IP addresses (e.g., AWS ec2:DescribeAddresses, ec2:ReleaseAddress)
Access to cloud console or CLI tools
Knowledge of current infrastructure requirements to avoid accidentally releasing IPs in use
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 Dashboard.
Select Elastic IPs from the left navigation pane.
Review the list for Elastic IPs with Instance ID field empty or null — these are unattached IPs.
Using AWS CLI:
List the allocation IDs of Elastic IP addresses that have no association:
aws ec2 describe-addresses --query "Addresses[?AssociationId==null].AllocationId"
Verify that these IPs are not associated with any instance or network interface.
Implementation Plan:
Using AWS Console:
In the EC2 Elastic IPs page, select the unattached Elastic IPs.
Choose Actions > Release addresses.
Confirm the release operation.
Monitor billing and resource inventory to ensure cleanup.
Using AWS CLI:
Release the unattached Elastic IP by running:
aws ec2 release-address --allocation-id <ALLOCATION_ID>
Verify release by listing addresses again:
aws ec2 describe-addresses --query "Addresses[*].AllocationId"
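The audit and release steps above can be combined into one review pass. The following is an added example, not part of the original benchmark text: it reads `aws ec2 describe-addresses --output json`, treats an address as in use when it has an `AssociationId` (which also covers addresses bound to a network interface with no instance), and holds back addresses carrying a reservation tag. The tag key `reserved-for` and all sample IDs are assumptions made for illustration.

```python
import json
import sys

# Constructed sample of `aws ec2 describe-addresses --output json`.
# IDs are made up; IPs come from the documentation range 203.0.113.0/24.
SAMPLE = json.loads("""
{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa", "Domain": "vpc",
   "AssociationId": "eipassoc-0111", "InstanceId": "i-0123", "NetworkInterfaceId": "eni-0123"},
  {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb", "Domain": "vpc",
   "AssociationId": "eipassoc-0222", "NetworkInterfaceId": "eni-0456"},
  {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0ccc", "Domain": "vpc"},
  {"PublicIp": "203.0.113.13", "AllocationId": "eipalloc-0ddd", "Domain": "vpc",
   "Tags": [{"Key": "reserved-for", "Value": "q3-launch"}]}
]}
""")

HOLD_TAG = "reserved-for"  # hypothetical tag key; substitute your own convention


def triage(doc, hold_tag=HOLD_TAG):
    """Split unassociated Elastic IPs into release candidates and held ones."""
    release, held = [], []
    for addr in doc.get("Addresses", []):
        # An AssociationId means the address is bound to an instance or to a
        # network interface; an empty InstanceId alone does not prove it is unused.
        if addr.get("AssociationId"):
            continue
        tags = {t["Key"]: t["Value"] for t in addr.get("Tags", [])}
        entry = (addr["AllocationId"], addr["PublicIp"])
        if hold_tag in tags:
            held.append(entry + (tags[hold_tag],))
        else:
            release.append(entry)
    return release, held


if __name__ == "__main__":
    # Pipe real CLI output on stdin; with a terminal on stdin the sample is used.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    release, held = triage(doc)
    for alloc, ip, reason in held:
        print(f"# HOLD {ip} ({alloc}): tagged {HOLD_TAG}={reason}")
    for alloc, ip in release:
        print(f"aws ec2 release-address --allocation-id {alloc}  # {ip}")
```

The script only prints the release commands, so the list can be reviewed against current infrastructure requirements before anything is released.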
Backout Plan:
Using AWS Console:
If a released IP is needed again, allocate a new Elastic IP, or re-allocate the released IP if it is still available.
Allocate new Elastic IP from EC2 > Elastic IPs > Allocate Elastic IP address.
Attach the new IP to the required instance or interface.
Using AWS CLI:
Allocate a new Elastic IP if needed:
aws ec2 allocate-address
Associate it to the instance or network interface:
aws ec2 associate-address --instance-id <INSTANCE_ID> --allocation-id <NEW_ALLOCATION_ID>
References:
CIS Controls Mapping:
Version | Control ID | Control Description |
---|---|---|
7.1 | 4.3 | Ensure cloud resources such as IP addresses are inventoried and unused ones released. |