Rule: VPC EIPs should be associated with an EC2 instance or ENI
This rule ensures that VPC Elastic IPs are properly linked with an EC2 instance or Elastic Network Interface (ENI) for security.
| Rule | VPC EIPs should be associated with an EC2 instance or ENI |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ High |
Rule Description
This rule is designed to adhere to the NIST Cybersecurity Framework (CSF) version 1 guidelines. As per this rule, all Elastic IP Addresses (EIPs) within a Virtual Private Cloud (VPC) should be associated with either an EC2 instance or an Elastic Network Interface (ENI). This ensures proper control and visibility of the network resources within the VPC and enhances the overall security posture.
Remediation Steps
To remediate this issue, you will need to associate the unassigned EIPs with either an EC2 instance or an ENI within your VPC. Depending on your specific use case, you can follow the steps below to associate the EIP:
If you want to associate the EIP with an existing EC2 instance:
- 1.
Identify the unused EIPs within your VPC:
- Open the Amazon VPC management console.
- Navigate to the "Elastic IPs" section within the sidebar.
- Look for any unassociated EIPs.
- 2.
Choose an EC2 instance to associate the EIP with:
- Identify the EC2 instance within your VPC that requires additional IP addresses.
- Note down the instance ID.
- 3.
Associate the EIP with the EC2 instance:
- Select the unassociated EIP from the list.
- Click on the "Actions" dropdown menu and choose "Associate IP address".
- In the pop-up window, select the desired EC2 instance ID from the dropdown list.
- Click "Associate".
- 4.
Verify the association:
- Confirm that the EIP is now associated with the chosen EC2 instance.
- Verify the successful association by checking the "Elastic IPs" section or using the AWS CLI.
If you want to associate the EIP with a new EC2 instance or an ENI:
- 1.
Create a new EC2 instance or ENI within your VPC:
- Determine the configuration specifications required for the new resource (e.g., instance type, security groups, etc.).
- Use the AWS Management Console or AWS CLI to create a new EC2 instance or ENI.
- 2.
Associate the EIP with the newly created resource:
- Follow the same steps provided earlier for associating the EIP with an existing EC2 instance, but choose the newly created resource instead.
- 3.
Verify the association:
- Confirm that the EIP is now associated with the newly created resource.
- Validate the successful association by checking the "Elastic IPs" section or using the AWS CLI.
Troubleshooting Steps
In case you encounter any issues while performing the above remediation steps, consider the following troubleshooting steps:
- 1.
Incorrect EIP association:
- Ensure that you have selected the correct EIP to associate with the EC2 instance or ENI.
- Double-check the validity of the chosen resource's ID or ARN.
- 2.
Insufficient permissions:
- Verify that your AWS account has the necessary permissions to manipulate EC2 instances and EIPs.
- Ensure that your IAM user or role has the required permissions.
- 3.
Resource limits:
- Check if you have reached the limit for the number of EIPs or EC2 instances allowed in your AWS account.
- If you have reached any limits, you may need to request a limit increase from AWS Support.
- 4.
Networking issues:
- Validate that the EC2 instance or ENI is correctly configured with the appropriate network settings to enable EIP association.
- Confirm that the VPC configuration does not block or restrict EIP associations.
If the troubleshooting steps above do not resolve the issue, you may need to seek further assistance from AWS Support or consult relevant documentation for specific error messages encountered.