EC2 Elastic IP Unassigned

Overview

This check identifies Elastic IP addresses that are allocated to your AWS account but not associated with any EC2 instance or network interface. Elastic IPs are static public IPv4 addresses designed for dynamic cloud computing, but they should be actively used or released.

Risk

Unassigned Elastic IP addresses create several operational and security concerns:

  • Ongoing charges: AWS charges for Elastic IPs that are not associated with a running instance
  • IPv4 address exhaustion: Unused addresses consume public IPv4 capacity, potentially blocking new allocations and delaying deployments
  • Poor resource hygiene: Orphaned addresses indicate gaps in ownership tracking and resource lifecycle management
  • Reassignment exposure: Addresses that sit unused may be reassigned later without proper security controls, potentially exposing services unintentionally

Remediation Steps

Prerequisites

You need:

  • AWS Console access with EC2 permissions
  • Knowledge of whether the Elastic IP is still needed by your team or application

Required IAM permissions (for administrators)

Your IAM user or role needs these permissions:

  • ec2:DescribeAddresses
  • ec2:ReleaseAddress
  • ec2:AssociateAddress
  • ec2:DisassociateAddress

AWS Console Method

Step 1: Identify unassigned Elastic IPs

  1. Open the EC2 Console in us-east-1
  2. In the left navigation, under Network & Security, click Elastic IPs
  3. Look for addresses where the Associated instance ID or Association ID column shows a dash (-) or is empty

Step 2: Decide what to do

For each unassigned Elastic IP, you have two options:

  • Option A: Associate it with an instance (if you still need it)
  • Option B: Release it (if it is no longer needed)

Option A: Associate the Elastic IP

  1. Select the unassigned Elastic IP
  2. Click Actions > Associate Elastic IP address
  3. Choose the resource type:
    • Instance: Select an EC2 instance from the dropdown
    • Network interface: Select a network interface
  4. Click Associate

Option B: Release the Elastic IP

  1. Select the unassigned Elastic IP
  2. Click Actions > Release Elastic IP addresses
  3. Confirm by clicking Release

Warning: Once released, you cannot recover the same IP address. If external systems depend on this specific IP, ensure you update DNS records or firewall rules before releasing.

AWS CLI (optional)

List unassigned Elastic IPs

Find Elastic IPs that are not associated with any instance or network interface:

aws ec2 describe-addresses \
  --region us-east-1 \
  --query "Addresses[?AssociationId==null].[AllocationId,PublicIp]" \
  --output table

Option A: Associate an Elastic IP with an instance

aws ec2 associate-address \
  --region us-east-1 \
  --allocation-id <allocation-id> \
  --instance-id <instance-id>

Replace:

  • <allocation-id> with the Elastic IP allocation ID (e.g., eipalloc-12345678)
  • <instance-id> with the EC2 instance ID (e.g., i-0abcd1234efgh5678)

Option B: Release an Elastic IP

aws ec2 release-address \
  --region us-east-1 \
  --allocation-id <allocation-id>

Replace <allocation-id> with the Elastic IP allocation ID.

Bulk release all unassigned Elastic IPs

Use with caution - this releases all unassigned IPs in the region. The -r flag stops xargs from invoking release-address with an empty --allocation-id when the query returns nothing:

aws ec2 describe-addresses \
  --region us-east-1 \
  --query "Addresses[?AssociationId==null].AllocationId" \
  --output text | \
  xargs -r -n1 aws ec2 release-address --region us-east-1 --allocation-id

CloudFormation (optional)

Ensure Elastic IPs are always associated

When creating Elastic IPs via CloudFormation, always pair them with an AWS::EC2::EIPAssociation resource:

AWSTemplateFormatVersion: '2010-09-09'
Description: Elastic IP with required association

Resources:
  MyElasticIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: my-app-eip
        - Key: Environment
          Value: production

  MyEIPAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt MyElasticIP.AllocationId
      InstanceId: !Ref MyEC2Instance

  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcdef1234567890
      InstanceType: t3.micro
      Tags:
        - Key: Name
          Value: my-app-instance

Remove orphaned Elastic IPs

If you have CloudFormation stacks with unassigned Elastic IPs, update the stack to either:

  1. Add an AWS::EC2::EIPAssociation resource
  2. Remove the AWS::EC2::EIP resource entirely

Terraform (optional)

Ensure Elastic IPs are always associated

When creating Elastic IPs with Terraform, always pair them with an aws_eip_association resource:

resource "aws_eip" "app" {
  domain = "vpc"

  tags = {
    Name        = "my-app-eip"
    Environment = "production"
  }
}

resource "aws_eip_association" "app" {
  allocation_id = aws_eip.app.id
  instance_id   = aws_instance.app.id
}

resource "aws_instance" "app" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t3.micro"

  tags = {
    Name = "my-app-instance"
  }
}

Alternative: Associate directly with instance

You can also associate the EIP directly with an instance using the instance argument:

resource "aws_eip" "app" {
  instance = aws_instance.app.id
  domain   = "vpc"

  tags = {
    Name = "my-app-eip"
  }
}

Remove orphaned Elastic IPs

To release an unassigned EIP managed by Terraform, simply remove the aws_eip resource from your configuration and run:

terraform apply

Verification

After making changes, confirm all Elastic IPs are now associated:

  1. In the AWS Console:

    • Go to EC2 > Elastic IPs
    • Verify all addresses show an Associated instance ID or Association ID
    • No addresses should show a dash (-) in these columns
  2. Re-run the Prowler check:

    • Execute prowler aws -c ec2_elastic_ip_unassigned
    • Confirm the check now passes

CLI verification commands

Check for any remaining unassigned Elastic IPs:

aws ec2 describe-addresses \
  --region us-east-1 \
  --query "Addresses[?AssociationId==null]" \
  --output json

Expected output when properly remediated:

[]

An empty array means all Elastic IPs are associated.

Additional Resources

Notes

  • Cost savings: AWS charges approximately $0.005 per hour for each Elastic IP that is not associated with a running instance. Releasing unused addresses can reduce costs.
  • IPv4 address scarcity: Public IPv4 addresses are a limited resource. AWS now charges for all public IPv4 addresses (including those on instances), so minimizing your footprint helps control costs.
  • Before releasing: Always confirm with your team that an Elastic IP is truly unused before releasing it. External services, firewall rules, or DNS records may depend on specific IP addresses.
  • Tagging for ownership: Implement mandatory tagging policies for Elastic IPs to track ownership and purpose, making cleanup decisions easier.
  • Automation: Consider using AWS Config rules or Lambda functions to automatically identify and alert on unassigned Elastic IPs.
  • Prefer private networking: Where possible, use private IP addresses and VPC endpoints to reduce reliance on public IPv4 addresses.
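The detection behind the CLI query used above and the automated alerting suggested in the Automation note, as an added example that is not part of this page or of Prowler: the unassigned test is kept in a pure function so it can be run offline against a captured describe-addresses response, and a Lambda handler wraps it. The "Owner" tag key and the sample addresses are constructed assumptions.

```python
"""Classify Elastic IPs from an ec2:DescribeAddresses response (added example)."""
from typing import Any, Dict, List, Optional


def _tag(address: Dict[str, Any], key: str) -> Optional[str]:
    """Return the value of one tag on the address, or None when it is absent."""
    for tag in address.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def find_unassigned(addresses: List[Dict[str, Any]],
                    owner_tag: str = "Owner") -> List[Dict[str, Any]]:
    """Return one finding per Elastic IP that has no association.

    Mirrors the page's JMESPath filter Addresses[?AssociationId==null]: an EIP
    bound to an instance or a network interface always carries an AssociationId.
    Each finding records the (hypothetical) owner tag so the address can be
    routed to a team for review before anyone releases it.
    """
    findings = []
    for addr in addresses:
        if addr.get("AssociationId"):
            continue  # associated with an instance or network interface
        owner = _tag(addr, owner_tag)
        findings.append({
            "AllocationId": addr["AllocationId"],
            "PublicIp": addr["PublicIp"],
            "Owner": owner,
            "Disposition": "confirm-with-owner" if owner else "no-owner-tag",
        })
    return findings


def lambda_handler(event, context):
    """Lambda entry point: report unassigned EIPs in the function's region."""
    import boto3  # imported here so the pure logic above runs without AWS access
    ec2 = boto3.client("ec2")  # needs ec2:DescribeAddresses only
    findings = find_unassigned(ec2.describe_addresses()["Addresses"])
    return {"count": len(findings), "findings": findings}


# Constructed sample in the shape returned by `aws ec2 describe-addresses`.
SAMPLE_ADDRESSES = [
    {"AllocationId": "eipalloc-0aaa", "PublicIp": "203.0.113.10", "Domain": "vpc",
     "AssociationId": "eipassoc-0bbb", "InstanceId": "i-0ccc"},
    {"AllocationId": "eipalloc-0ddd", "PublicIp": "203.0.113.11", "Domain": "vpc",
     "Tags": [{"Key": "Owner", "Value": "payments-team"}]},
    {"AllocationId": "eipalloc-0eee", "PublicIp": "203.0.113.12", "Domain": "vpc"},
]

if __name__ == "__main__":
    for finding in find_unassigned(SAMPLE_ADDRESSES):
        print(finding)
```

An empty list from find_unassigned is the same condition as the `[]` the verification command above expects.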