Automating Alerts for Unassociated Elastic IPs

Amazon charges for Elastic IP addresses that are allocated but not associated with a running instance. This is to discourage AWS customers from wasting the dwindling pool of available IPv4 addresses. Wouldn’t it be nice if, as someone who manages AWS resources, you received alerts when your account’s allocated Elastic IPs are being wasted?

I’ve created an automated process to send out an email when this occurs. Using a simple Lambda function (triggered by a CloudWatch schedule) and an SNS topic, notifications can be sent to the appropriate employees when someone forgets to clean up after terminating their instances.

Elastic IP Waste Diagram

Creating the SNS topic:

  1. Navigate to SNS in your management console.
  2. Select “Topics” in the sidebar.
  3. Click the “Create new topic” button.
  4. Enter an appropriate topic name and display name and click “Create topic”.

Subscribing to the SNS topic:

  1. Select “Topics” in the sidebar.
  2. Click the ARN link for the topic you just created.
  3. Under Subscriptions, click “Create subscription”.
  4. Select Email as the Protocol and enter your email address as the Endpoint.
  5. Repeat steps 3 and 4 for each email address you want to receive notifications.
  6. Each email address endpoint will receive an email asking to confirm the subscription. Confirm the subscriptions.

Creating an IAM policy for access permissions:

  1. Navigate to IAM in your management console.
  2. Select “Policies” in the sidebar.
  3. Click “Create Policy”.
  4. Select “Create Your Own Policy”.
  5. Enter an appropriate policy name and description.
  6. Paste the following JSON into the policy document:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sns:Publish",
                    "sns:Subscribe"
                ],
                "Resource": [
                    "Your Topic ARN"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAddresses"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  7. Substitute “Your Topic ARN” with the ARN for the SNS topic you created and click “Create Policy”.

Creating an IAM role for the Lambda function:

  1. Select “Roles” in the sidebar.
  2. Click “Create New Role”.
  3. Enter an appropriate role name and click “Next Step”.
  4. Select “AWS Lambda” within the AWS Service Roles.
  5. Change the filter to “Customer Managed”, check the box of the policy you just created, and click “Next Step”.
  6. Click “Create Role”.

Creating the Lambda function:

  1. Navigate to Lambda in your management console.
  2. Click “Create a Lambda function”.
  3. Select the “Blank Function” blueprint.
  4. Under “Configure triggers”, click the grey box and select “CloudWatch Events – Schedule”.
  5. Enter an appropriate rule name and description.
  6. Select the frequency you’d like Lambda to check for unassociated Elastic IPs in the Schedule expression input. I chose “rate(1 day)” for my usage.
  7. Check the box to “Enable trigger” and click “Next”.
  8. Enter an appropriate function name and description. Select Node.js for the runtime.
  9. Under “Lambda function code”, select “Edit code inline” for the Code entry type and paste the following code in the box:
    var AWS = require("aws-sdk");
    exports.handler = function(event, context) {
        var sns = new AWS.SNS();
        var ec2 = new AWS.EC2();
        var message = "The following Elastic IPs are not associated:\n\n";
        var params = {};
        ec2.describeAddresses(params, function(err, data) {
            if (err) {
                // Log the failure and report it to Lambda so the invocation is marked as failed.
                console.log(err, err.stack);
                context.done(err);
            }
            else {
                var unassociatedAddresses = 0;
                for (var i = 0; i < data.Addresses.length; i++){
                    // An Elastic IP attached to a NAT gateway or other network interface
                    // has no InstanceId but does have an AssociationId, so check the
                    // association as well as the instance to avoid false alerts.
                    if (!data.Addresses[i].InstanceId && !data.Addresses[i].AssociationId){
                        console.log(data.Addresses[i].PublicIp);
                        unassociatedAddresses++;
                        message += " " + data.Addresses[i].PublicIp + "\n";
                    }
                }
                if (unassociatedAddresses > 0){
                    var publishParams = {
                        Message: message,
                        Subject: "Elastic IP Addresses Unassociated",
                        TopicArn: "Your Topic ARN"
                    };
                    // context.done receives the publish result (or error) and ends the invocation.
                    sns.publish(publishParams, context.done);
                }
                else {
                    // Nothing to report; end the invocation cleanly.
                    context.done();
                }
            }
        });
    };
  10. Substitute “Your Topic ARN” with the ARN for the SNS topic you created earlier.
  11. Leave Handler as “index.handler”.
  12. Choose to use an existing role and select the IAM role you created earlier.
  13. Leave the other default values and click “Next”.
  14. Click “Create function”.
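The check inside the Lambda function is the part worth getting right: an Elastic IP attached to a NAT gateway or a bare network interface has no InstanceId but is still in use, so testing InstanceId alone produces false alerts. The following is an added example, not the original post’s code, that pulls the classification out of the handler into pure functions so it can be exercised offline against a constructed describeAddresses() response. The response shape follows the EC2 DescribeAddresses result; the addresses, allocation ids and topic ARN are made-up sample values, and makeHandler is a hypothetical wiring helper that takes the SDK clients as parameters so that stub clients can stand in for them outside Lambda.

```javascript
// Added example (not from the original post). Constructed sample response in the
// shape of EC2 DescribeAddresses: one EIP on an instance, one on a NAT gateway's
// network interface (AssociationId but no InstanceId), one truly idle.
const sampleResponse = {
  Addresses: [
    { PublicIp: "203.0.113.10", AllocationId: "eipalloc-aaaa0001", Domain: "vpc",
      InstanceId: "i-0123456789abcdef0", AssociationId: "eipassoc-0001" },
    { PublicIp: "203.0.113.11", AllocationId: "eipalloc-aaaa0002", Domain: "vpc",
      NetworkInterfaceId: "eni-0abc0abc0abc0abc0", AssociationId: "eipassoc-0002" },
    { PublicIp: "203.0.113.12", AllocationId: "eipalloc-aaaa0003", Domain: "vpc" }
  ]
};

// An address is idle only when it has no association of any kind. EC2-Classic
// addresses carry an InstanceId without an AssociationId, so both are checked.
function isUnassociated(address) {
  return !address.AssociationId && !address.InstanceId && !address.NetworkInterfaceId;
}

function findUnassociated(response) {
  return (response.Addresses || []).filter(isUnassociated);
}

// Builds the SNS publish parameters, or null when there is nothing to report,
// so the caller never sends an empty alert.
function buildPublishParams(response, topicArn) {
  const idle = findUnassociated(response);
  if (idle.length === 0) return null;
  const lines = idle.map(a => " " + a.PublicIp + " (" + a.AllocationId + ")");
  return {
    Message: "The following Elastic IPs are not associated:\n\n" + lines.join("\n") + "\n",
    Subject: "Elastic IP Addresses Unassociated",
    TopicArn: topicArn
  };
}

// Hypothetical wiring helper: the clients are injected so the same handler runs
// against real SDK clients in Lambda or against stubs in a local test. Inside
// Lambda this would be used as
//   exports.handler = makeHandler(new AWS.EC2(), new AWS.SNS(), process.env.TOPIC_ARN);
function makeHandler(ec2, sns, topicArn) {
  return function handler(event, context, callback) {
    ec2.describeAddresses({}, function (err, data) {
      if (err) return callback(err);
      const params = buildPublishParams(data, topicArn);
      if (!params) return callback(null, "no unassociated Elastic IPs");
      sns.publish(params, function (pubErr) {
        if (pubErr) return callback(pubErr);
        callback(null, "alert published for " + findUnassociated(data).length + " address(es)");
      });
    });
  };
}

// Local dry run with stub clients (no AWS credentials needed).
function dryRun() {
  const published = [];
  const stubEc2 = { describeAddresses: (p, cb) => cb(null, sampleResponse) };
  const stubSns = { publish: (p, cb) => { published.push(p); cb(null, { MessageId: "constructed" }); } };
  let outcome = null;
  makeHandler(stubEc2, stubSns, "arn:aws:sns:us-east-1:123456789012:eip-waste-placeholder")(
    {}, {}, (err, result) => { outcome = err ? err : result; });
  return { outcome: outcome, published: published };
}

console.log(dryRun().published[0].Message);
```

Only the third address reaches the message; the NAT gateway address is correctly left alone. Note also that this handler needs exactly the permissions the function exercises, ec2:DescribeAddresses and sns:Publish on the one topic; the sns:Subscribe permission granted in the IAM policy above is never used by the function and can be dropped if you want the role kept to least privilege.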

That’s it! Now you’ll at least be made aware when your Elastic IPs are being wasted. Hopefully before whoever is paying your account’s AWS bill.

source : https://www.aaronmedacco.com/blog/post/2016/12/30/automating-alerts-for-unassociated-elastic-ips-w-aws
