When using public IP addresses in AWS, it is a good idea to monitor and audit them regularly. This can be cumbersome, as IPs can be assigned to a wide range of services across multiple accounts. Whether you use a stand-alone account or an Organization, AWS provides a tool to monitor all public IP addresses. The process below assumes you are using an AWS Organization. If you only have a stand-alone account, the process is the same except that you skip the steps for choosing the delegated account and granting access to the other accounts.
Set up IPAM
Decide which account will be used to manage your IP addresses
Log into the Management account of your Organization.
In the AWS console, go to the Search bar at the top of the page and search for and select Amazon VPC IP Address Manager.
Under the Get Started section choose Settings.

Choose Delegate.
On the Delegate page, type in the account ID of the account that will manage the IP addresses and click Save Changes.
- Note: the Management account itself cannot be the delegated IPAM account; choose a member account.
Once complete, log into the account delegated to manage the IP addresses.
In the AWS console, go to the Search bar at the top of the page and search for and select Amazon VPC IP Address Manager.
Under the Get Started section choose Create IPAM.
On the Create IPAM page, there are several options to configure.
- Allow data replication.
- Check the box to allow VPC IPAM to replicate data.
- IPAM tier
- The free tier offers basic IP management, including a list of all public IPs and their associated information.
- The advanced tier provides all management options at a price of $0.00027/hour per active IP managed.
- IPAM settings
- Provide an optional Name.
- Provide an optional Description.
- Choose appropriate Operating Regions.
- Click Create IPAM.
Once configured, it will take some time for data to be populated.
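The same delegation and creation steps can be scripted, which is useful when IPAM has to be set up in several Organizations or rebuilt from code. The following is an added example written for this page, not code from the page or from AWS; it uses boto3 and assumes placeholder profile names (org-management, ipam-admin), a placeholder member account ID and an assumed list of operating Regions. The delegation call needs management-account credentials and the create call needs the delegated account's credentials, exactly as in the console steps above.

```python
"""Delegate an IPAM administrator account and create a free-tier IPAM with boto3.

Added example, not code from the page. The delegation call must be made with
Organization management-account credentials; the create call with the
delegated account's credentials. Profile names, account IDs and the Region
list are assumed placeholders.
"""
import re

VALID_TIERS = ("free", "advanced")


def validate_account_id(account_id):
    """AWS account IDs are exactly 12 digits; fail early instead of letting the API call fail."""
    if not re.fullmatch(r"\d{12}", str(account_id)):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return str(account_id)


def check_delegation_target(delegated_id, management_id):
    """The IPAM account must be a member account, never the management account."""
    delegated_id = validate_account_id(delegated_id)
    if delegated_id == validate_account_id(management_id):
        raise ValueError("the management account cannot be the delegated IPAM account")
    return delegated_id


def create_ipam_params(name, regions, tier="free", description=""):
    """Map the console form (Name, Description, Operating Regions, IPAM tier)
    onto the keyword arguments of ec2.create_ipam()."""
    if tier not in VALID_TIERS:
        raise ValueError(f"tier must be one of {VALID_TIERS}, got {tier!r}")
    regions = list(dict.fromkeys(regions))  # de-duplicate, preserve order
    if not regions:
        raise ValueError("at least one operating Region is required")
    params = {
        "OperatingRegions": [{"RegionName": r} for r in regions],
        "Tier": tier,
        "TagSpecifications": [
            {"ResourceType": "ipam", "Tags": [{"Key": "Name", "Value": name}]}
        ],
    }
    if description:
        params["Description"] = description
    return params


def delegate_ipam_admin(ec2_mgmt, delegated_id, management_id):
    """Run with management-account credentials: the console's Settings > Delegate step."""
    target = check_delegation_target(delegated_id, management_id)
    resp = ec2_mgmt.enable_ipam_organization_admin_account(DelegatedAdminAccountId=target)
    return bool(resp.get("Success"))


def create_ipam(ec2_delegated, name, regions, tier="free", description=""):
    """Run with the delegated account's credentials: the console's Create IPAM step."""
    resp = ec2_delegated.create_ipam(**create_ipam_params(name, regions, tier, description))
    return resp["Ipam"]["IpamId"]


if __name__ == "__main__":
    import boto3  # only needed for the live calls

    # Assumed profile names; any credential source boto3 supports works.
    mgmt = boto3.Session(profile_name="org-management")
    management_id = mgmt.client("sts").get_caller_identity()["Account"]
    delegate_ipam_admin(mgmt.client("ec2", region_name="us-east-1"),
                        "123456789012", management_id)  # placeholder member account

    delegated = boto3.Session(profile_name="ipam-admin")
    ipam_id = create_ipam(delegated.client("ec2", region_name="us-east-1"),
                          name="org-public-ip-audit",
                          regions=["us-east-1", "us-west-2", "eu-west-1"],
                          tier="free",
                          description="Public IP monitoring for the Organization")
    print("created", ipam_id)
```

The Region the create call is made in becomes the IPAM's home Region, and only the listed operating Regions are discovered, so keep that list in sync with where your accounts actually run workloads.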
Once the data has populated, return to the Amazon VPC IP Address Manager page to view the results. Several views are provided under Monitoring; the most useful for monitoring public IPs is Public IP Insights. It shows every public IP associated with the AWS account or Organization, along with valuable information about each.
Public IP types
Shows the count of each type of public IP.
- Service-managed IPs – IPs that are managed and maintained by AWS for backend resources, such as load balancers, RDS instances, VPN connections, etc.
- Amazon-owned EIPs – Elastic IPs.
- EC2 public IPs – Public IPs associated with EC2 instances.
- BYOIP – IP addresses that are owned by the customer and imported into AWS.
- Service managed BYOIP – BYOIP addresses used by AWS for managed resources.
- Amazon-owned contiguous EIPs – AWS-owned IPs that are in the same CIDR range. These must be provisioned via Pools under the Planning section and associated with a resource.

EIP Usage
Shows whether each Elastic IP (EIP) is associated with an AWS resource.

Accounts by Total Public IPs
Shows how many public IPs are in use per account.

Regions by Total Public IPs
Shows how many public IPs are in use per region.

Public IP Addresses
A list of all public IP addresses.
Helpful Tips and Best Practices
1. If you see any EIPs that are unassociated, verify they are still needed for another purpose. If not, remove them. Every EIP has a cost, whether associated or not.

2. If any EC2 public IPs are shown, determine whether those instances really need to be reachable from the internet. If they do, place them behind a load balancer and remove the instance's own public address; only the load balancer then has a public interface (a Service-managed IP), and the instance's security group can be restricted to traffic from the load balancer. If they do not, remove the address. An auto-assigned public IPv4 address is released when the instance is stopped, and disabling Auto-assign public IPv4 address on the subnet prevents a new one from being assigned at the next start. An Elastic IP is first disassociated from the network interface and then released from the Elastic IPs page, otherwise it continues to be charged.

3. Verify that each service-managed IP belongs to a resource that is still in use. If not, delete that resource; its IP address is released with it.
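The Public IP Insights views above (Public IP types, EIP Usage, Accounts and Regions by Total Public IPs) and tips 1 to 3 can be reproduced from the same data the console uses, so the audit can run on a schedule instead of by hand. The following is an added example written for this page, not code from the page or from AWS: the analysis functions work on the records that the GetIpamDiscoveredPublicAddresses API returns, fetch_all() pulls them live from the delegated IPAM account, and SAMPLE is a constructed data set (documentation addresses, made-up account and resource IDs), not real output.

```python
"""Audit what IPAM's Public IP Insights reports: unassociated EIPs, instances
with their own public IP, service-managed IPs, and totals per account/Region.

Added example, not code from the page. The analysis functions take the records
that ec2.get_ipam_discovered_public_addresses() returns; fetch_all() pulls them
live from the IPAM admin account. SAMPLE is a constructed data set with
documentation addresses and made-up IDs, not real output.
"""
from collections import Counter, defaultdict

# AddressType values returned by GetIpamDiscoveredPublicAddresses.
EIP = "amazon-owned-eip"
EC2_PUBLIC_IP = "ec2-public-ip"
SERVICE_MANAGED = "service-managed-ip"


def fetch_all(ec2, discovery_id, region):
    """Page through the live API for one operating Region (AddressRegion is required)."""
    out, token = [], None
    while True:
        kwargs = {"IpamResourceDiscoveryId": discovery_id,
                  "AddressRegion": region, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        resp = ec2.get_ipam_discovered_public_addresses(**kwargs)
        out.extend(resp.get("IpamDiscoveredPublicAddresses", []))
        token = resp.get("NextToken")
        if not token:
            return out


def unassociated_eips(addrs):
    """Tip 1: allocated Elastic IPs attached to nothing still cost money."""
    return [a for a in addrs
            if a["AddressType"] == EIP and a.get("AssociationStatus") != "associated"]


def ec2_public_ips(addrs):
    """Tip 2: instances exposing an address directly instead of via a load balancer."""
    return [a for a in addrs if a["AddressType"] == EC2_PUBLIC_IP]


def service_managed_by_service(addrs):
    """Tip 3: group service-managed IPs by the AWS service holding them,
    so each backing resource can be checked for still being in use."""
    groups = defaultdict(list)
    for a in addrs:
        if a["AddressType"] == SERVICE_MANAGED:
            groups[a.get("Service", "other")].append(a.get("ServiceResource") or a["Address"])
    return dict(groups)


def totals_by(addrs, field):
    """The 'Accounts by' / 'Regions by' total public IP views."""
    return dict(Counter(a[field] for a in addrs))


def audit_report(addrs):
    return {
        "unassociated_eips": [a["Address"] for a in unassociated_eips(addrs)],
        "ec2_public_ips": [(a["Address"], a.get("InstanceId")) for a in ec2_public_ips(addrs)],
        "service_managed": service_managed_by_service(addrs),
        "by_account": totals_by(addrs, "AddressOwnerId"),
        "by_region": totals_by(addrs, "AddressRegion"),
        "by_type": totals_by(addrs, "AddressType"),
    }


SAMPLE = [  # constructed, not real data
    {"Address": "203.0.113.10", "AddressOwnerId": "111111111111", "AddressRegion": "us-east-1",
     "AddressType": EIP, "AssociationStatus": "associated",
     "AddressAllocationId": "eipalloc-0a0a0a0a0a0a0a0a0", "InstanceId": "i-0a0a0a0a0a0a0a0a0"},
    {"Address": "203.0.113.11", "AddressOwnerId": "111111111111", "AddressRegion": "us-east-1",
     "AddressType": EIP, "AssociationStatus": "disassociated",
     "AddressAllocationId": "eipalloc-0b0b0b0b0b0b0b0b0"},
    {"Address": "198.51.100.5", "AddressOwnerId": "222222222222", "AddressRegion": "eu-west-1",
     "AddressType": EC2_PUBLIC_IP, "AssociationStatus": "associated",
     "InstanceId": "i-0c0c0c0c0c0c0c0c0", "NetworkInterfaceId": "eni-0c0c0c0c0c0c0c0c0"},
    {"Address": "198.51.100.20", "AddressOwnerId": "222222222222", "AddressRegion": "eu-west-1",
     "AddressType": SERVICE_MANAGED, "AssociationStatus": "associated",
     "Service": "load-balancer",
     "ServiceResource": "arn:aws:elasticloadbalancing:eu-west-1:222222222222:loadbalancer/app/web/0123456789abcdef"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(SAMPLE), indent=2))
    # Live use (assumed IDs): run in the delegated IPAM account, in the IPAM home
    # Region, once per operating Region.
    # import boto3
    # ec2 = boto3.client("ec2", region_name="us-east-1")
    # rd = ec2.describe_ipam_resource_discoveries()["IpamResourceDiscoveries"][0]
    # addrs = [a for r in rd["OperatingRegions"]
    #          for a in fetch_all(ec2, rd["IpamResourceDiscoveryId"], r["RegionName"])]
    # print(json.dumps(audit_report(addrs), indent=2))
```

Against the constructed sample the report lists 203.0.113.11 as the one unassociated EIP and 198.51.100.5 as the one instance with a directly attached public IP, which is exactly what tips 1 and 2 ask you to look for.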
4. Monitor public IP changes with CloudTrail. CloudTrail records every API call made in your account, and every action, whether taken in the CLI or the console, is an API call behind the scenes. Once you have identified the relevant calls, EventBridge can match them and send an alert (email, SMS, etc.) through SNS each time one is made. For example, to be emailed whenever a new EIP is allocated, build an EventBridge rule on the AllocateAddress event with an SNS topic as its target; AssociateAddress, DisassociateAddress and ReleaseAddress are worth watching the same way. Note that EventBridge only receives these "AWS API Call via CloudTrail" events in a Region where a CloudTrail trail is logging.
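One concrete form of that alert pipeline, as an added example written for this page and not code from the page or from AWS: the EventBridge event pattern for the address-related EC2 calls, the boto3 calls that create the rule and point it at an SNS topic, and a small local matcher so you can check which CloudTrail events would fire the rule before deploying it. The rule name, topic ARN and email address are assumed placeholders, and the sample events are constructed in the EventBridge envelope shape rather than real captures.

```python
"""Alert on EC2 public-IP API calls: an EventBridge rule over CloudTrail events
that publishes to an SNS topic, plus a local matcher to check which events fire it.

Added example, not code from the page. Rule name, topic ARN, email address and
the sample events are assumed/constructed placeholders. EventBridge only sees
'AWS API Call via CloudTrail' events in a Region where a trail is logging.
"""
import json

# Real EC2 API names; AllocateAddress is the one the page names. The others
# cover attaching, detaching and releasing an Elastic IP.
WATCHED_EVENTS = ("AllocateAddress", "AssociateAddress",
                  "DisassociateAddress", "ReleaseAddress")


def public_ip_event_pattern(event_names=WATCHED_EVENTS):
    """EventBridge pattern: CloudTrail-delivered EC2 calls with one of the watched names."""
    return {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": list(event_names),
        },
    }


def matches(pattern, event):
    """Subset of EventBridge matching: every pattern key must exist in the event;
    a list means 'value is one of these', a nested dict recurses.
    Content filters such as {"prefix": ...} are not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def summarize(event):
    """Fields worth putting in the notification: who did what, and which address."""
    d = event["detail"]
    resp = d.get("responseElements") or {}
    return {
        "eventName": d["eventName"],
        "actor": d.get("userIdentity", {}).get("arn"),
        "account": d.get("recipientAccountId"),
        "region": d.get("awsRegion"),
        "publicIp": resp.get("publicIp"),
        "allocationId": resp.get("allocationId"),
    }


def firing_events(events, pattern=None):
    """Return the summaries of the events that would trigger the rule."""
    pattern = pattern or public_ip_event_pattern()
    return [summarize(e) for e in events if matches(pattern, e)]


def allow_eventbridge_publish(sns, topic_arn):
    """The SNS topic's resource policy must let EventBridge publish, or deliveries
    silently fail; put_targets alone does not grant this. This replaces the
    topic's existing policy, so merge statements if the topic already has one."""
    policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowEventBridgePublish", "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sns:Publish", "Resource": topic_arn}]}
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy",
                             AttributeValue=json.dumps(policy))


def deploy_alert(events, sns, rule_name, topic_arn, email):
    """Create the rule, point it at the topic, and subscribe an email address."""
    events.put_rule(Name=rule_name, State="ENABLED",
                    Description="Notify on EC2 public IP address changes",
                    EventPattern=json.dumps(public_ip_event_pattern()))
    events.put_targets(Rule=rule_name, Targets=[{"Id": "sns-notify", "Arn": topic_arn}])
    allow_eventbridge_publish(sns, topic_arn)
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)


# Constructed sample events in the EventBridge envelope, not real captures.
SAMPLE_EVENTS = [
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "AllocateAddress",
                "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
                "responseElements": {"publicIp": "203.0.113.42",
                                     "allocationId": "eipalloc-0123456789abcdef0"}}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeAddresses",
                "awsRegion": "us-east-1", "recipientAccountId": "111111111111"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]

if __name__ == "__main__":
    for hit in firing_events(SAMPLE_EVENTS):
        print(hit)
    # Live deployment (assumed names):
    # import boto3
    # deploy_alert(boto3.client("events"), boto3.client("sns"), "public-ip-changes",
    #              "arn:aws:sns:us-east-1:111111111111:public-ip-changes", "secops@example.com")
```

Only the AllocateAddress sample fires; the read-only DescribeAddresses call and the instance state-change notification do not, which is the behaviour you want from a rule that is meant to page someone. In an Organization, deploy the rule in each member account and Region you care about, or forward those accounts' events to a central bus, because CloudTrail events are delivered to EventBridge in the account where the call was made.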
For more information or any questions, please reach out to us or check out our AWS Cloud Services.