AWS EIP not attached to any instance

  • Query id: cd1d93f2-8ed2-4eb5-b536-776619f1869b
  • Query name: AWS EIP not attached to any instance
  • Platform: Terraform
  • Severity: Low
  • Category: Resource Management
  • CWE: 653
  • Risk score: 1.0
  • URL: Github

Description

Elastic IPs (EIPs) that are not attached to any EC2 instance or other resource should be disabled, so that we maintain better control, efficiency, and visibility over network traffic and can implement security measures more effectively.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_eip" "ok_eip" {
}

resource "aws_instance" "ec2" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}
Positive test num. 2 - tf file
resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}

resource "aws_eip" "web_eip" {}

resource "aws_eip_association" "web_eip_assoc" {
  instance_id   = aws_instance.web2.id
  allocation_id = aws_eip.web_eip.id
}
Positive test num. 3 - tf file
resource "aws_eip" "nat_eip" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat_eip2.id
  subnet_id     = aws_subnet.public.id

  depends_on = [aws_internet_gateway.gw]
}

Positive test num. 4 - tf file
resource "aws_eip" "transfer_eip" {
  domain = "vpc"
}

resource "aws_transfer_server" "sftp" {
  endpoint_type = "VPC"

  endpoint_details {
    address_allocation_ids = [aws_eip.transfer_eip2.id]
    subnet_ids             = [aws_subnet.transfer_subnet.id]
    vpc_id                 = aws_vpc.main.id
  }

  identity_provider_type = "SERVICE_MANAGED"
  protocols              = ["SFTP"]
}
Positive test num. 5 - tf file
resource "aws_network_interface" "multi-ip" {
  subnet_id   = aws_subnet.main.id
}

resource "aws_eip" "one" {
  domain                    = "vpc"
  network_interface         = aws_network_interface.multi-ip2.id
}

resource "aws_eip" "two" {
  domain                    = "vpc"
  network_interface         = aws_network_interface.multi-ip.id
}
Positive test num. 6 - tf file
resource "aws_eip" "ok_eip" {
  instance = aws_instance.ec2.id
  vpc = false
}

resource "aws_instance" "ec2" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}
Positive test num. 7 - tf file
resource "aws_eip" "ok_eip" {
  instance = aws_instance.ec2.id
  domain = ""
}

resource "aws_instance" "ec2" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}
Positive test num. 8 - tf file
resource "aws_eip" "eip_example" {
  instance = aws_instance.example1.id
  domain = "vpc"
}

resource "aws_instance" "example" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}
Positive test num. 9 - tf file
resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}

resource "aws_eip" "web_eip" {
  domain = "vpc"
}

resource "aws_eip_association" "web_eip_assoc" {
  instance_id   = aws_instance.web.id
  allocation_id = aws_eip.web_eip2.id
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_eip" "ok_eip" {
  instance = aws_instance.ec2.id
  domain = "vpc"
}

resource "aws_instance" "ec2" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}
Negative test num. 2 - tf file
resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}

resource "aws_eip" "web_eip" {
  domain = "vpc"
}

resource "aws_eip_association" "web_eip_assoc" {
  instance_id   = aws_instance.web.id
  allocation_id = aws_eip.web_eip.id
}
Negative test num. 3 - tf file
resource "aws_eip" "nat_eip" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat_eip.id
  subnet_id     = aws_subnet.public.id

  depends_on = [aws_internet_gateway.gw]
}

Negative test num. 4 - tf file
resource "aws_eip" "transfer_eip" {
  domain = "vpc"
}

resource "aws_transfer_server" "sftp" {
  endpoint_type = "VPC"

  endpoint_details {
    address_allocation_ids = [aws_eip.transfer_eip.id]
    subnet_ids             = [aws_subnet.transfer_subnet.id]
    vpc_id                 = aws_vpc.main.id
  }

  identity_provider_type = "SERVICE_MANAGED"
  protocols              = ["SFTP"]
}
Negative test num. 5 - tf file
resource "aws_eip" "ok_eip" {
  instance = aws_instance.ec2.id
  vpc = true
}

resource "aws_instance" "ec2" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}
Negative test num. 6 - tf file
resource "aws_network_interface" "multi-ip" {
  subnet_id   = aws_subnet.main.id
}

resource "aws_eip" "one" {
  domain                    = "vpc"
  network_interface         = aws_network_interface.multi-ip.id
}

resource "aws_eip" "two" {
  domain                    = "vpc"
  network_interface         = aws_network_interface.multi-ip.id
}