This rule ensures that VPC Elastic IPs are properly associated with EC2 instances or Elastic Network Interfaces.
Rule | VPC EIPs should be associated with an EC2 instance or ENI |
Framework | CISA-cyber-essentials |
Severity | ✔ High |
Rule Description:
VPC Elastic IP addresses (EIPs) should be associated with an EC2 instance or Elastic Network Interface (ENI) to ensure proper network connectivity and resource management within the VPC environment. This rule helps to maintain a secure and operational infrastructure for CISA-cyber-essentials compliance.
Troubleshooting Steps:
Identify unassociated EIPs:
Determine the reason for unassociation:
Associate EIPs with correct resources:
Update EIP associations:
Code for CLI commands:
To retrieve the list of EIPs in the VPC:
aws ec2 describe-addresses --filters "Name=domain,Values=vpc"
To associate an EIP with an EC2 instance:
aws ec2 associate-address --allocation-id <allocation_id> --instance-id <instance_id>
To associate an EIP with an ENI:
aws ec2 associate-address --allocation-id <allocation_id> --network-interface-id <network_interface_id>
Step-by-Step Guide for Remediation:
List all EIPs in the VPC by running the following command in the AWS CLI:
aws ec2 describe-addresses --filters "Name=domain,Values=vpc"
Identify any unassociated EIPs from the list. These are the EIPs that are not associated with any EC2 instance or ENI.
Determine the reason for unassociation:
For each unassociated EIP:
To associate an EIP with an EC2 instance, run the following command:
aws ec2 associate-address --allocation-id <allocation_id> --instance-id <instance_id>
Replace <allocation_id> with the ID of the unassociated EIP and <instance_id> with the ID of the EC2 instance.
To associate an EIP with an ENI, run the following command:
aws ec2 associate-address --allocation-id <allocation_id> --network-interface-id <network_interface_id>
Replace <allocation_id> with the ID of the unassociated EIP and <network_interface_id> with the ID of the ENI.
Repeat steps 4-6 for all unassociated EIPs within the VPC.
By following these steps and associating all EIPs with appropriate resources, you will ensure compliance with the VPC Elastic IP association policy for CISA-cyber-essentials.
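The identification step above can be scripted. This added example (not part of the original rule text) parses the JSON printed by the describe-addresses command, picks out EIPs with no AssociationId, and prepares the associate-address command for each. The sample output and all IDs in it are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like the JSON output of
# `aws ec2 describe-addresses --filters "Name=domain,Values=vpc"`; all IDs are made up.
SAMPLE_OUTPUT = """
{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa1111", "Domain": "vpc",
   "AssociationId": "eipassoc-0aaa1111", "InstanceId": "i-0aaa1111",
   "NetworkInterfaceId": "eni-0aaa1111"},
  {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb2222", "Domain": "vpc",
   "AssociationId": "eipassoc-0bbb2222", "InstanceId": "",
   "NetworkInterfaceId": "eni-0bbb2222"},
  {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0ccc3333", "Domain": "vpc",
   "Tags": [{"Key": "Name", "Value": "old-bastion"}]},
  {"PublicIp": "203.0.113.13", "AllocationId": "eipalloc-0ddd4444", "Domain": "vpc"}
]}
"""

def classify_eips(describe_output):
    """Group VPC EIPs by what they are associated with."""
    groups = {"instance": [], "eni": [], "unassociated": []}
    for addr in json.loads(describe_output).get("Addresses", []):
        if addr.get("Domain") != "vpc":
            continue  # the rule covers VPC EIPs only
        if not addr.get("AssociationId"):
            groups["unassociated"].append(addr)  # no association record at all
        elif addr.get("InstanceId"):
            groups["instance"].append(addr)
        else:
            groups["eni"].append(addr)  # ENI not attached to an instance
    return groups

def name_tag(addr):
    """Return the Name tag, which often hints at why the EIP was allocated."""
    tags = {t["Key"]: t["Value"] for t in addr.get("Tags", [])}
    return tags.get("Name", "(no Name tag)")

def remediation_commands(describe_output):
    """Build one associate-address command per unassociated EIP.
    The target stays a placeholder: choosing it is the operator's decision."""
    return [
        f"aws ec2 associate-address --allocation-id {a['AllocationId']} "
        f"--instance-id <instance_id>  # {a['PublicIp']} {name_tag(a)}"
        for a in classify_eips(describe_output)["unassociated"]
    ]

if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_OUTPUT):
        print(cmd)
```

For an ENI target, swap `--instance-id <instance_id>` for `--network-interface-id <network_interface_id>` in the generated command, as in the steps above.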