EC2 Elastic IP Address Listed in Shodan

Overview

This check identifies EC2 Elastic IP addresses that appear in Shodan, a search engine that indexes internet-connected devices. When your Elastic IP shows up in Shodan, it means the service has scanned and cataloged information about your infrastructure, including open ports, running services, and software versions.

Risk

Being indexed in Shodan exposes your infrastructure to potential attackers. The platform reveals:

  • Open ports and services running on your IP address
  • Software versions that may have known vulnerabilities
  • Banner information that can help attackers fingerprint your systems
  • Geolocation and ISP data about your infrastructure

Attackers actively use Shodan to find vulnerable targets. Once listed, your systems become easier to discover and may face increased reconnaissance, credential attacks, or exploitation of known vulnerabilities.

Remediation Steps

Prerequisites

You need access to the AWS Console with permissions to manage EC2 Elastic IP addresses. Specifically, you need the ec2:DescribeAddresses, ec2:DisassociateAddress, and ec2:ReleaseAddress permissions.

AWS Console Method

  1. Open the EC2 Console

    • Sign in to the AWS Management Console
    • Make sure you are in the us-east-1 region (or the region where the flagged IP exists)
  2. Navigate to Elastic IPs

    • In the left navigation pane, under Network & Security, click Elastic IPs
  3. Identify the flagged Elastic IP

    • Locate the IP address that was flagged by Prowler
    • Note any associated resources (EC2 instance, NAT Gateway, etc.)
  4. Choose a remediation approach

    Option A: Reduce exposure (recommended first step)

    • Keep the Elastic IP but harden your security posture:
      • Review and tighten Security Group rules (remove unnecessary open ports)
      • Ensure services are patched and running latest versions
      • Minimize information disclosed in service banners
      • Consider using a load balancer or CloudFront in front of your services

    Option B: Replace the Elastic IP

    • If the IP is heavily indexed or you want a fresh start:
      • If associated, click Actions then Disassociate Elastic IP address
      • Click Actions then Release Elastic IP address
      • Allocate a new Elastic IP and associate it with your resource
      • Update DNS records if applicable

    Option C: Move to private networking

    • For services that do not need direct public access:
      • Use AWS PrivateLink, VPN, or bastion hosts instead
      • Access services through internal networking

AWS CLI Method

List all Elastic IPs in your account:

aws ec2 describe-addresses \
--region us-east-1 \
--query 'Addresses[*].[PublicIp,AllocationId,AssociationId,InstanceId]' \
--output table

Disassociate an Elastic IP (if attached to an instance):

aws ec2 disassociate-address \
--region us-east-1 \
--association-id <association-id>

Release (delete) an Elastic IP:

aws ec2 release-address \
--region us-east-1 \
--allocation-id <allocation-id>

Allocate a new Elastic IP:

aws ec2 allocate-address \
--region us-east-1 \
--domain vpc

Associate the new IP with an instance:

aws ec2 associate-address \
--region us-east-1 \
--instance-id <instance-id> \
--allocation-id <new-allocation-id>

Security Hardening Steps

If you choose to keep the Elastic IP, take these steps to reduce your attack surface:

1. Review Security Groups

Check which ports are open to the internet (0.0.0.0/0):

aws ec2 describe-security-groups \
--region us-east-1 \
--filters "Name=ip-permission.cidr,Values=0.0.0.0/0" \
--query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]' \
--output json

2. Restrict ingress rules

  • Remove any rules allowing 0.0.0.0/0 access unless absolutely necessary
  • Use specific IP ranges or Security Group references instead
  • Close unused ports

3. Update and patch services

  • Ensure all software is up to date
  • Apply security patches promptly
  • Disable or remove unnecessary services

4. Minimize banner information

  • Configure services to show minimal version information
  • Disable debug modes in production
  • Remove default welcome messages that reveal software details

5. Consider architectural changes

  • Place services behind a load balancer or reverse proxy
  • Use CloudFront or AWS WAF for additional protection
  • Move non-public services to private subnets
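The describe-security-groups query in step 1 only tells you which groups contain a 0.0.0.0/0 rule; it still returns every rule in those groups, so you have to work out which ones are actually world-open before tightening them. The following script is an added example (not part of the Prowler docs or the aws CLI) that joins constructed sample output of describe-addresses, describe-network-interfaces and describe-security-groups to list, per associated Elastic IP, exactly the ingress rules reachable from anywhere; it goes beyond the 0.0.0.0/0 filter by also catching IPv6 ::/0 and all-protocol (-1) rules. All identifiers (eni-EXAMPLE1, sg-EXAMPLE1, the 203.0.113.x addresses) are placeholders.

```python
# Constructed sample of `aws ec2 describe-addresses` output (not a real account).
ADDRESSES = {"Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-EXAMPLE1",
     "AssociationId": "eipassoc-EXAMPLE1", "InstanceId": "i-EXAMPLE1",
     "NetworkInterfaceId": "eni-EXAMPLE1"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-EXAMPLE2"},  # unassociated
]}
# Constructed sample of `aws ec2 describe-network-interfaces` output.
INTERFACES = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-EXAMPLE1", "Groups": [{"GroupId": "sg-EXAMPLE1"}]},
]}
# Constructed sample of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-EXAMPLE1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anyone" in IPv4 and IPv6


def world_open_rules(group):
    """Return (protocol, from_port, to_port, cidr) for each rule open to the world."""
    found = []
    for perm in group.get("IpPermissions", []):
        # Protocol "-1" means all traffic; FromPort/ToPort are then absent (None).
        proto, lo, hi = perm.get("IpProtocol", "-1"), perm.get("FromPort"), perm.get("ToPort")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        found += [(proto, lo, hi, c) for c in cidrs if c in WORLD_CIDRS]
    return found


def exposed_elastic_ips(addresses, interfaces, security_groups):
    """Map each associated Elastic IP to the world-open rules on its ENI's groups."""
    eni_groups = {e["NetworkInterfaceId"]: [g["GroupId"] for g in e["Groups"]]
                  for e in interfaces["NetworkInterfaces"]}
    groups = {g["GroupId"]: g for g in security_groups["SecurityGroups"]}
    report = {}
    for addr in addresses["Addresses"]:
        eni = addr.get("NetworkInterfaceId")
        if eni is None:  # unassociated EIP: nothing listens behind it (but it is billed)
            continue
        report[addr["PublicIp"]] = [rule for gid in eni_groups.get(eni, [])
                                    for rule in world_open_rules(groups.get(gid, {}))]
    return report
```

An empty list for an IP means no group on its interface admits the whole internet; anything listed is a candidate for the "Restrict ingress rules" step.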

Checking Shodan Directly

To see what Shodan knows about your IP:

  1. Visit https://www.shodan.io/
  2. Search for your Elastic IP address
  3. Review the information displayed (open ports, services, banners)
  4. Use this information to prioritize hardening efforts

Note: Shodan requires an account for detailed searches. Free accounts have limited access.

You can also use the Shodan CLI if you have an API key:

shodan host <your-elastic-ip>

Verification

After remediation, verify your changes:

  1. If you released and replaced the IP:

    • Confirm the old IP no longer appears in your Elastic IPs list
    • Verify the new IP is associated with your resource
    • Test that your application works with the new IP
    • Update DNS records and wait for propagation
  2. If you hardened your security posture:

    • Verify Security Group rules are tightened
    • Confirm unnecessary ports are closed
    • Test that required services still function
  3. Re-run Prowler to confirm the issue is resolved:

    prowler aws --check ec2_elastic_ip_shodan --region us-east-1

Note: Even after releasing an IP, it may remain in Shodan's database for some time. The goal is to ensure your current infrastructure is not unnecessarily exposed.

Additional Resources

Notes

  • Shodan indexing requires no action on your part: Shodan scans the internet continuously, so simply having a public IP may result in indexing over time.
  • Releasing an IP does not remove it from Shodan: Historical data may persist in Shodan's database.
  • New IPs can become indexed: Replacing an IP is not a permanent solution; hardening your security posture is essential.
  • Consider the cost: Elastic IPs that are allocated but not associated with a running instance incur hourly charges.
  • DNS propagation: If you replace an Elastic IP, remember to update DNS records and allow time for propagation (up to 48 hours for some DNS providers).
  • Shodan API key requirement: This Prowler check requires a Shodan API key to be configured. If you are seeing this check fail, ensure Prowler has been configured with a valid Shodan API key.