Lightsail Static IP is Unused
Overview
This check identifies Amazon Lightsail static IPs that are allocated but not attached to any instance. Static IPs reserve a public IP address for your use, but if they are not connected to an instance, they represent wasted resources and potential infrastructure drift.
Risk
Unused static IPs pose several concerns:
- Unnecessary costs: Unattached static IPs may incur ongoing charges
- Infrastructure drift: Reserved but unused addresses indicate configuration inconsistencies
- Availability impact: Traffic routed to unattached IPs fails silently
- Security exposure: If an unused IP is later attached to the wrong instance, it could inadvertently expose services or data
Remediation Steps
Prerequisites
You need access to your AWS account with permissions to manage Lightsail resources. You can use either the AWS Console (recommended for most users) or the AWS CLI.
Option A: Attach the Static IP to an Instance
Use this option if you need the static IP and want to connect it to a running Lightsail instance.
AWS Console Method
- Sign in to the AWS Lightsail Console
- In the left navigation, click Networking
- Find your unused static IP in the list (it will show "Not attached")
- Click the static IP name to open its details
- Click Attach to an instance
- Select the target instance from the dropdown
- Click Attach
- Verify the status changes to show the attached instance name
AWS CLI
First, list your static IPs to identify unused ones:
aws lightsail get-static-ips \
  --region us-east-1 \
  --query 'staticIps[?!isAttached].{Name:name,IP:ipAddress}' \
  --output table
Then attach the static IP to your instance:
aws lightsail attach-static-ip \
  --region us-east-1 \
  --static-ip-name <your-static-ip-name> \
  --instance-name <your-instance-name>
Replace:
- <your-static-ip-name> with the name of your static IP
- <your-instance-name> with the name of your Lightsail instance
CloudFormation
Use this template to attach an existing static IP to a Lightsail instance:
AWSTemplateFormatVersion: '2010-09-09'
Description: Attach an existing Lightsail static IP to an instance
Parameters:
  StaticIpName:
    Type: String
    Description: The name of the existing static IP to attach
  InstanceName:
    Type: String
    Description: The name of the Lightsail instance to attach the static IP to
Resources:
  StaticIpAttachment:
    Type: AWS::Lightsail::StaticIp
    Properties:
      StaticIpName: !Ref StaticIpName
      AttachedTo: !Ref InstanceName
Outputs:
  StaticIpAddress:
    Description: The IP address of the static IP
    Value: !GetAtt StaticIpAttachment.IpAddress
  StaticIpArn:
    Description: The ARN of the static IP
    Value: !GetAtt StaticIpAttachment.StaticIpArn
Important: The target instance must be in a running state before the static IP can be attached. CloudFormation will wait up to 15 minutes for the instance to be ready.
Terraform
Use this resource to attach an existing static IP to a Lightsail instance:
resource "aws_lightsail_static_ip_attachment" "example" {
  static_ip_name = "<your-static-ip-name>"
  instance_name  = "<your-lightsail-instance-name>"
}
Replace:
- <your-static-ip-name> with the name of your static IP
- <your-lightsail-instance-name> with the name of your Lightsail instance
Option B: Release the Static IP
Use this option if you no longer need the static IP and want to delete it entirely.
AWS Console Method
- Sign in to the AWS Lightsail Console
- In the left navigation, click Networking
- Find your unused static IP in the list
- Click the three-dot menu icon next to the static IP
- Click Delete
- Confirm the deletion when prompted
Warning: Once released, you cannot recover the same IP address. If you need this specific IP address in the future, attach it to an instance instead of releasing it.
AWS CLI
Release the static IP:
aws lightsail release-static-ip \
  --region us-east-1 \
  --static-ip-name <your-static-ip-name>
Replace <your-static-ip-name> with the name of your static IP.
Verification
After remediation, verify your changes:
AWS Console
- Go to the Lightsail Networking page
- Check that:
  - If you attached the IP: It now shows the instance name in the "Attached to" column
  - If you released the IP: It no longer appears in the list
AWS CLI Verification
List all static IPs and check their attachment status:
aws lightsail get-static-ips \
  --region us-east-1 \
  --query 'staticIps[].{Name:name,IP:ipAddress,Attached:isAttached,AttachedTo:attachedTo}' \
  --output table
All static IPs should show Attached: True with a valid instance name in the AttachedTo column.
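The verification rule above, applied across regions as a periodic audit. This is an added example, not part of the original check: the function name, the per-region input layout and the sample data are assumptions, and the cross-check of attachedTo against the region's instance list is one reading of "a valid instance name".

```python
import json

# Constructed sample, keyed by region because static IPs are region-scoped.
# Each region holds the JSON shapes returned by `aws lightsail get-static-ips`
# and `aws lightsail get-instances`; names and addresses are made up.
SAMPLE = json.loads("""
{
  "us-east-1": {
    "staticIps": [
      {"name": "web-ip", "ipAddress": "203.0.113.10",
       "isAttached": true, "attachedTo": "web-1"},
      {"name": "old-ip", "ipAddress": "203.0.113.11", "isAttached": false}
    ],
    "instances": [{"name": "web-1"}]
  },
  "eu-west-1": {
    "staticIps": [
      {"name": "api-ip", "ipAddress": "203.0.113.12",
       "isAttached": true, "attachedTo": "api-1"}
    ],
    "instances": [{"name": "batch-1"}]
  }
}
""")


def audit_static_ips(regions):
    """Return (region, name, ip, reason) for every static IP that fails."""
    findings = []
    for region, docs in sorted(regions.items()):
        known = {i["name"] for i in docs.get("instances", [])}
        for ip in docs.get("staticIps", []):
            target = ip.get("attachedTo")
            if not ip.get("isAttached") or not target:
                reason = "not attached"
            elif target not in known:
                reason = f"attachedTo '{target}' not found in {region}"
            else:
                continue  # attached to an instance listed in the same region
            findings.append((region, ip["name"], ip["ipAddress"], reason))
    return findings


if __name__ == "__main__":
    for region, name, ip, reason in audit_static_ips(SAMPLE):
        print(f"{region:<10} {name:<8} {ip:<14} {reason}")
```

To run it against a real account, build the input from `aws lightsail get-static-ips` and `aws lightsail get-instances` with `--output json` for each region you use.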
Additional Resources
- Amazon Lightsail Static IPs Documentation
- Lightsail Pricing (includes information on static IP costs)
- AWS::Lightsail::StaticIp CloudFormation Reference
Notes
- One IP per instance: Each Lightsail instance can only have one static IP attached at a time
- Regional scope: Static IPs are region-specific. Ensure your instance is in the same region as the static IP
- Instance state: The target instance must be in a running state to attach a static IP
- Audit regularly: Consider implementing periodic audits to identify unused static IPs before they accumulate
- Tagging: Use tags to document the purpose of each static IP for easier management