It’s quite likely that you’ll let other organisations know about the Elastic IPs that you have configured in your AWS VPC. The other organisations could be service providers or your customers, and they might not have automated processes for configuring these static IP addresses on their side (sending configurations by email is surprisingly common).
This creates a risk around the accidental release of Elastic IPs, especially if
you manage your Elastic IPs with CloudFormation or CDK. Updating a
CloudFormation stack that manages an Elastic IP could accidentally release that
Elastic IP and recreate the resource with a different IP address. This would
cause an immediate outage or disruption in any service that was configured with
the released Elastic IP.
As there is no way to choose an Elastic IP or to retrieve one that has been
released, the only option in that scenario is to frantically update other
services. That can be a slow process if it’s handled manually in other
organisations.
To prevent this scenario, you can use a Service Control Policy (SCP) to prevent the release of Elastic IPs across your AWS Organization.
Here’s a CDK resource that creates an SCP to deny releasing any Elastic IPs.
Note that this will cause a CloudFormation stack update to fail if it tries to
release and recreate an Elastic IP. That would require manual intervention to
unblock the stack update, but that is preferable to the scenario described above
where an Elastic IP is irrecoverably lost.
```typescript
import * as organizations from "aws-cdk-lib/aws-organizations";

// Organization-wide SCP that explicitly denies ec2:ReleaseAddress.
// An explicit Deny in an SCP cannot be overridden by IAM policies in
// the member accounts, so nothing below the target can release an EIP.
new organizations.CfnPolicy(this, "DenyEIPReleasePolicy", {
  name: "DenyEIPReleasePolicy",
  description: "Prevent release of Elastic IPs",
  type: "SERVICE_CONTROL_POLICY",
  content: {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "DenyReleaseElasticIP",
        Effect: "Deny",
        Action: "ec2:ReleaseAddress",
        Resource: "*",
      },
    ],
  },
  // Attach to the Organization root (root, OU or account IDs are accepted);
  // "r-a12b" is the example root ID used in this post.
  targetIds: ["r-a12b"],
});
```
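To see exactly what the SCP above does and does not block, here is an added example (not code from the original post) with a small evaluator of SCP deny semantics: an explicit Deny anywhere in the policy chain wins, otherwise an action must be allowed by some SCP (AWS attaches the `FullAWSAccess` allow-all policy by default). It runs the post's policy document against a constructed list of EC2 Elastic IP actions; the `allowedByScps` and `blockedActions` helper names are assumptions. Resources and Conditions are ignored because the page's policy uses `Resource: "*"` without a Condition. Note that SCPs never apply to principals in the Organization's management account, so the policy only protects member accounts under the target.

```typescript
// Added example, not from the original post: minimal SCP evaluation for a
// single API action (Action matching only, no Resource/Condition handling).

interface ScpStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

interface ScpDocument {
  Version: "2012-10-17";
  Statement: ScpStatement[];
}

// The policy document from the post, as passed to CfnPolicy's `content`.
const denyEipReleasePolicy: ScpDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "DenyReleaseElasticIP", Effect: "Deny", Action: "ec2:ReleaseAddress", Resource: "*" },
  ],
};

// AWS Organizations attaches this allow-everything SCP by default. SCPs only
// filter permissions, so without some Allow every action is implicitly denied.
const fullAwsAccess: ScpDocument = {
  Version: "2012-10-17",
  Statement: [{ Sid: "FullAWSAccess", Effect: "Allow", Action: "*", Resource: "*" }],
};

// IAM action patterns are case-insensitive; '*' matches any run of characters
// and '?' matches exactly one character. Everything else is literal.
function actionPatternToRegex(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
}

function statementMatches(statement: ScpStatement, action: string): boolean {
  const patterns = Array.isArray(statement.Action) ? statement.Action : [statement.Action];
  return patterns.some((p) => actionPatternToRegex(p).test(action));
}

// Explicit Deny in any attached SCP wins; otherwise an Allow must match.
function allowedByScps(policies: ScpDocument[], action: string): boolean {
  const statements: ScpStatement[] = [];
  for (const policy of policies) {
    statements.push(...policy.Statement);
  }
  if (statements.some((s) => s.Effect === "Deny" && statementMatches(s, action))) {
    return false;
  }
  return statements.some((s) => s.Effect === "Allow" && statementMatches(s, action));
}

// Which of the candidate actions would this SCP chain block?
function blockedActions(policies: ScpDocument[], actions: string[]): string[] {
  return actions.filter((a) => !allowedByScps(policies, a));
}

// Constructed sample: the EC2 actions involved in managing an Elastic IP.
const eipActions = [
  "ec2:AllocateAddress",
  "ec2:AssociateAddress",
  "ec2:DisassociateAddress",
  "ec2:ReleaseAddress",
];

console.log(blockedActions([fullAwsAccess, denyEipReleasePolicy], eipActions));
// → [ 'ec2:ReleaseAddress' ]
```

The evaluator confirms the behaviour described in the post: allocation, association and disassociation still work, so day-to-day networking changes are unaffected, and only the destructive `ec2:ReleaseAddress` call is refused, which is what turns an accidental CloudFormation replacement into a failed stack update instead of a lost address.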
Let me know if I can help your company with AWS networking, CloudFormation deployments or any other AWS projects.
View post: AWS CDK to deny release of Elastic IP in Organization SCP