This plugin determines if the number of allocated VPC EIPs is close to the AWS per-account limit
Risk Level: Low
Description
This plugin determines if the number of allocated VPC EIPs is close to the AWS per-account limit. AWS limits account to certain numbers of VPC Elastic IPs. Exceeding those limits could prevent resources from launching.
Configuration Parameters
Instance Limit Threshold: This parameter specifies the percentage limit of the number of VPC EIPs. An issue is created when the number of VPC EIPs exceeds the provided threshold limit.
By default, the value is 90, therefore it will return a vulnerability alert when the number of VPC EIPs will exceed 90% of the limit.
About the Service
Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With the EC2 instance, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the hardware needs of the process. Security Groups act as a firewall for an EC2 instance to control the incoming and outgoing traffic. You can read more about security groups here.
Impact
In case, the number of IPs exceeds the current limit, new elastic IPs could not be allocated. This can be a blocker for scaling up your infrastructure. Therefore, it is recommended to initiate a request to increase the VPC Elastic IP limit for the EC2 instances.
Steps to Reproduce
Using AWS Console-
- Log In to your AWS Console.
- Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
- Move to the Limits section from the left navigation pane.
- Search for EC2-VPC Elastic IPs and find the Current Limit for it.
- Now move to Elastic IPs from the Network and security section from the left navigation pane.
- You can find a number of elastic IPs. Verify if it has a VPC scope by first selecting the IP address by clicking on the checkbox next to it and then checking if its scope is VPC.
- If the number of IPs exceed the percentage, the vulnerability exists.
- Repeat steps for all the regions you want to investigate.
Steps for Remediation
Contact AWS support to increase the number of VPC IPs available.
- Log In to your AWS Console.
- Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
- Move to the Limits section from the left navigation pane.
- Search for EC2-VPC Elastic IPs and click on the radio button next to it to select it.
- Click on Request Limit increase from the top right corner. It will redirect you to the AWS Support page.
- Mention the Region and the use case for which you want to increase the limit and send the request. You will be contacted by the support team for further action.
- Repeat steps for other regions as well.