Elastic IP addresses are requisitioned by the account but not in current use
Use of Elastic IP addresses is unavoidable for a number of AWS services. However, retaining the Elastic IPs themselves for reuse across multiple services implicitly creates a shared characteristic across those services that can be detected during targeted reconnaissance.
If an Elastic IP address is reused, the same IP will be observed resolving to multiple services. Additionally, if tracked over time, it is possible to correlate the Elastic IP address being reassigned from one service to another. With targeted tracking that makes use of DNS-based research, this shared history can indicate connected services that can be scoped for compromise.
Whilst the risk of this is comparatively low, the benefit of holding an Elastic IP address for future use is often negligible. Elastic IP addresses are easily requisitioned at the time of provisioning and do not need to be held in advance. Unused Elastic IP addresses also attract a retention fee, whilst introducing the possibility of reusing the IP address and creating the implicit connection across your services.
Unlike DNS records or other data which intentionally provides identifiable information, consistently using the same Elastic IP address over time makes your services easier to track. Therefore, any Elastic IP address that is no longer in use should be released back to AWS. When you need a new IP, you can simply allocate one as required.
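The check and the remediation described above, as an added example rather than SkySiege's own tooling: an Elastic IP in the EC2 DescribeAddresses response is idle when it carries no AssociationId (and no InstanceId or NetworkInterfaceId). The classifier below runs offline on a constructed sample of that response shape; the two boto3 helpers (`collect_addresses`, `release_unused`) are the assumed live path and import boto3 only when called, with the dry-run handling that EC2 actually uses (a `DryRunOperation` error means the release would have succeeded).

```python
"""Find and release Elastic IPs that are allocated but not associated.

Added example, not SkySiege code. Function names are the author's own;
the response field names match the EC2 DescribeAddresses API.
"""
from typing import Dict, Iterable, List, Tuple


def unused_allocation_ids(addresses: Iterable[Dict]) -> List[str]:
    """Return the AllocationIds of addresses that are not associated with anything.

    `addresses` is the "Addresses" list from describe_addresses(). An address is
    in use when it has an AssociationId (attached to an instance or ENI).
    Entries without an AllocationId (legacy EC2-Classic style) are skipped,
    as they cannot be released by allocation id.
    """
    unused = []
    for addr in addresses:
        alloc = addr.get("AllocationId")
        if not alloc:
            continue
        if addr.get("AssociationId") or addr.get("InstanceId") or addr.get("NetworkInterfaceId"):
            continue
        unused.append(alloc)
    return unused


def release_plan(region_to_addresses: Dict[str, Iterable[Dict]]) -> Dict[str, List[str]]:
    """Map each region to the allocation ids that are safe to release (empty regions omitted)."""
    plan: Dict[str, List[str]] = {}
    for region, addrs in region_to_addresses.items():
        ids = unused_allocation_ids(addrs)
        if ids:
            plan[region] = ids
    return plan


def collect_addresses() -> Dict[str, List[Dict]]:
    """Live path (assumed): gather DescribeAddresses output from every enabled region."""
    import boto3  # imported lazily so the offline functions above need no AWS SDK
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    return {
        region: boto3.client("ec2", region_name=region).describe_addresses()["Addresses"]
        for region in regions
    }


def release_unused(plan: Dict[str, List[str]], dry_run: bool = True) -> List[Tuple[str, str]]:
    """Live path (assumed): release each planned allocation, dry-run by default.

    With DryRun=True, EC2 does not release anything; it raises a ClientError
    with code "DryRunOperation" when the call would have succeeded.
    """
    import boto3
    from botocore.exceptions import ClientError
    done = []
    for region, ids in plan.items():
        ec2 = boto3.client("ec2", region_name=region)
        for alloc in ids:
            try:
                ec2.release_address(AllocationId=alloc, DryRun=dry_run)
                done.append((region, alloc))
            except ClientError as err:
                if err.response["Error"]["Code"] == "DryRunOperation":
                    done.append((region, alloc))
                else:
                    raise
    return done


# Constructed sample mirroring describe_addresses()["Addresses"]; not real account data.
SAMPLE: Dict[str, List[Dict]] = {
    "eu-west-1": [
        {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa", "Domain": "vpc",
         "AssociationId": "eipassoc-0aaa", "InstanceId": "i-0aaa"},
        {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb", "Domain": "vpc"},
        {"PublicIp": "203.0.113.12", "Domain": "standard"},  # no AllocationId: skipped
    ],
    "us-east-1": [
        {"PublicIp": "198.51.100.5", "AllocationId": "eipalloc-0ccc", "Domain": "vpc",
         "AssociationId": "eipassoc-0ccc", "NetworkInterfaceId": "eni-0ccc"},
    ],
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in collect_addresses()
    # and release_unused(plan, dry_run=False) for a real account.
    for region, ids in release_plan(SAMPLE).items():
        for alloc in ids:
            print(f"{region}: release {alloc}")
```

Run it with dry_run=True first so EC2 validates permissions without releasing anything, and keep the plan output as the change record; releasing is irreversible and the address is returned to the AWS pool.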
We cover more considerations regarding Elastic IP address usage in test AWS-EC2-1 - Instance With Public IP Address.
SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.
This is the easiest remediation in our catalogue: simply release all unused Elastic IP addresses. As the addresses are not in use, there are no blockers to releasing them. You may want to talk to us about the other potential vulnerabilities and get them detected; there are some nasty ones we can find very quickly: