AWS CDK to deny release of Elastic IP in Organization SCP

It’s quite likely that you’ll let other organisations know about the Elastic IPs that you have configured in your AWS VPC. The other organisations could be service providers or your customers, and they might not have automated processes for configuring these static IP addresses on their side (sending configurations by email is surprisingly common).

This creates a risk around the accidental release of Elastic IPs, especially if you manage your Elastic IPs with CloudFormation or CDK. Updating a CloudFormation stack that manages an Elastic IP could accidentally release that Elastic IP and recreate the resource with a different IP address. This would cause an immediate outage or disruption in any service that was configured with the released Elastic IP.

As there is no way to choose an Elastic IP or to retrieve one that has been released, the only option in that scenario is to frantically update other services. That can be a slow process if it’s handled manually in other organisations.

To prevent this scenario, you can use a Service Control Policy (SCP) to prevent the release of Elastic IPs across your AWS Organization.

Here’s a CDK resource that creates an SCP to deny releasing any Elastic IPs. Note that this will cause a CloudFormation stack update to fail if it tries to release and recreate an Elastic IP. That would require manual intervention to unblock the stack update, but that is preferable to the scenario described above where an Elastic IP is irrecoverably lost.

import * as cdk from "aws-cdk-lib";
import * as organizations from "aws-cdk-lib/aws-organizations";
import { Construct } from "constructs";

export class DenyEipReleaseStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Organizations policies are managed from the management account (or a
    // delegated administrator), so this stack must be deployed there.
    // targetIds is the organization root; "r-a12b" is a placeholder ID.
    new organizations.CfnPolicy(this, "DenyEIPReleasePolicy", {
      name: "DenyEIPReleasePolicy",
      description: "Prevent release of Elastic IPs",
      type: "SERVICE_CONTROL_POLICY",
      content: {
        Version: "2012-10-17",
        Statement: [
          {
            Sid: "DenyReleaseElasticIP",
            Effect: "Deny",
            Action: "ec2:ReleaseAddress",
            Resource: "*",
          },
        ],
      },
      targetIds: ["r-a12b"],
    });
  }
}
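As an added example (not code from the original post), here is a small TypeScript evaluator for the SCP document above, so the policy can be unit-tested before it is attached to the root. It models only the SCP layer: an action passes when some Allow statement matches it and no Deny statement does, which is why the default FullAWSAccess policy is included alongside the deny; IAM policies in the member account are evaluated separately, and the management account is never subject to SCPs.

```typescript
type Statement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
};
type PolicyDocument = { Version: string; Statement: Statement[] };

// The policy content from the CDK resource above, as plain JSON.
const denyEipRelease: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "DenyReleaseElasticIP", Effect: "Deny", Action: "ec2:ReleaseAddress", Resource: "*" },
  ],
};

// FullAWSAccess: the allow-everything SCP AWS attaches to every root, OU and
// account by default. Without an Allow statement an SCP layer permits nothing.
const fullAwsAccess: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
};

// IAM action matching: case-insensitive, '*' matches any run, '?' one character.
function actionMatches(pattern: string, action: string): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + body + "$", "i").test(action);
}

function statementMatches(s: Statement, action: string): boolean {
  const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
  return actions.some((p) => actionMatches(p, action));
}

// True when the combined SCPs let the action through to IAM evaluation.
function scpPermits(policies: PolicyDocument[], action: string): boolean {
  const statements = policies.flatMap((p) => p.Statement);
  const denied = statements.some((s) => s.Effect === "Deny" && statementMatches(s, action));
  const allowed = statements.some((s) => s.Effect === "Allow" && statementMatches(s, action));
  return allowed && !denied;
}
```

Note that only the irreversible step is blocked: allocating, associating and disassociating addresses still pass, so normal EIP operations in member accounts are unaffected.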

Let me know if I can help your company with AWS networking, CloudFormation deployments or any other AWS projects.
