Amazon EC2

Elastic IP Limit Breach

This plugin detects if the number of allocated VPC EIPs (Elastic IP) is close to the AWS per-account limit.

Risk Level: Low

Description

This plugin detects if the number of allocated VPC EIPs (Elastic IP) is close to the AWS per-account limit. AWS limits the number of certain resources per account. Once such a limit is reached, further resources of that type cannot be launched.

Configuration Parameters

Elastic IP Threshold: This parameter specifies the percentage of the Elastic IP limit at which an issue is created. An issue is raised when the number of allocated Elastic IPs exceeds the provided threshold.

By default, the value is 90, so an alert is returned when the number of EIPs exceeds 90% of the limit.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With EC2 you can launch as many virtual servers as you need, configure security and networking, and manage storage without managing the underlying hardware. An Elastic IP is a static IPv4 address designed for dynamic cloud computing. If an instance fails, the Elastic IP address can be reassigned to another instance so the service keeps running.

Impact

EIP stands for Elastic IP (Internet Protocol) address. When an EC2 instance is created in AWS, it is automatically assigned a private and a public IP address. Public IP addresses are dynamic: if the instance is restarted, the address changes, which can make managing instances cumbersome.

Elastic IPs, on the other hand, are static and remain unaffected by instance failures or restarts. AWS provides a limited number of EIPs per account. Reaching this limit prevents further EIPs from being allocated and the resources that depend on them from launching, which can bring down parts of the cloud infrastructure.

Steps to Reproduce

Using AWS Console:

  1. Log In to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. From the left navigation pane, navigate to the Network & Security section and select Elastic IPs.
  4. This will display a list of EIPs owned by you. By default, AWS permits 5 EIPs per account. If the number of EIPs in the list exceeds the configured percentage of this limit, the threshold has been breached.
  5. Repeat steps 3 to 4 for all the AWS accounts you want to investigate.
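As an added example that is not the plugin's own code, the same check done programmatically against the threshold described under Configuration Parameters: it counts VPC EIPs, reads the account quota (falling back to the default of 5 when the lookup fails), and flags when usage exceeds the threshold. The boto3 calls `describe_addresses` and `get_service_quota` with quota code L-0263D0A3 ("EC2-VPC Elastic IPs") are real AWS APIs, but the clients are injected so the constructed fakes below run offline.

```python
# Added example, not the plugin's own code: the Elastic IP limit check as a
# function, with constructed boto3-style fake clients so it runs offline.
EIP_QUOTA_CODE = "L-0263D0A3"  # Service Quotas code for "EC2-VPC Elastic IPs"
DEFAULT_EIP_LIMIT = 5          # default per-region limit, as stated on the page
DEFAULT_THRESHOLD = 90         # plugin default: alert above 90% of the limit

def evaluate(allocated: int, limit: int, threshold_pct: int = DEFAULT_THRESHOLD) -> dict:
    """Core rule: flag when allocated EIPs exceed threshold_pct of the limit."""
    if limit <= 0:
        raise ValueError("EIP limit must be positive")
    pct = allocated * 100.0 / limit
    return {"allocated": allocated, "limit": limit,
            "percent_used": pct, "breached": pct > threshold_pct}

def check_region(ec2, quotas, threshold_pct: int = DEFAULT_THRESHOLD) -> dict:
    """Count VPC EIPs with describe_addresses and read the account quota.
    ec2 and quotas are boto3 clients (or fakes). EC2-Classic addresses are
    skipped, and the default limit is used if the quota lookup fails."""
    addrs = ec2.describe_addresses()["Addresses"]
    allocated = sum(1 for a in addrs if a.get("Domain") == "vpc")
    try:
        quota = quotas.get_service_quota(ServiceCode="ec2", QuotaCode=EIP_QUOTA_CODE)
        limit = int(quota["Quota"]["Value"])
    except Exception:  # e.g. AccessDenied or no Service Quotas endpoint
        limit = DEFAULT_EIP_LIMIT
    return evaluate(allocated, limit, threshold_pct)

# Constructed fakes that mimic the boto3 responses the check reads.
class FakeEc2:
    def __init__(self, n_vpc: int, n_classic: int = 0):
        self._addrs = [{"Domain": "vpc", "PublicIp": f"203.0.113.{i}"} for i in range(n_vpc)]
        self._addrs += [{"Domain": "standard"}] * n_classic

    def describe_addresses(self):
        return {"Addresses": self._addrs}

class FakeQuotas:
    def __init__(self, value=None):
        self._value = value  # None simulates a failed quota lookup

    def get_service_quota(self, ServiceCode, QuotaCode):
        if self._value is None:
            raise RuntimeError("AccessDenied")
        return {"Quota": {"Value": float(self._value)}}

if __name__ == "__main__":
    r = check_region(FakeEc2(5, n_classic=2), FakeQuotas(None))
    print(f"{r['allocated']}/{r['limit']} EIPs ({r['percent_used']:.0f}%) breached={r['breached']}")
```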

Steps for Remediation

Follow these steps to increase the VPC EIPs limit for your account:

  1. Log In to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. From the top-right corner, click on Support and select Support Center from the drop-down menu.
  4. From the Open support cases section, click on Create case.
  5. Click the radio button corresponding to Service limit increase.
  6. From the Case Details section, set the Limit type to Elastic IPs.
  7. Select the region, the limit type, and the new increased limit for Elastic IPs for the AWS account. Provide the description for the request.
  8. Finally, select the contact option best suited and click on the Save button.
  9. Repeat steps 4 to 8 for all the vulnerable AWS Accounts.