Control: AWS > PCI v3.2.1 > EC2 > 4 Unused EC2 EIPs should be removed

This control checks whether Elastic IP addresses that are allocated to a VPC are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs).

A failed finding indicates you may have unused Amazon EC2 EIPs.

This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE). Unless there is a business need to retain them, you should remove unused resources to maintain an accurate inventory of system components.

Remediation

To remediate this issue, create new security groups and assign those security groups to your resources. To prevent the default security groups from being used, remove their inbound and outbound rules.

Open the Amazon EC2 console.
In the navigation pane, under Network & Security, choose Elastic IPs.
Choose the Elastic IP address, choose Actions, and then choose Release Elastic IP address.
When prompted, choose Release.

PCI requirement(s): 2.4

Resource Types

This control targets the following resource types:

AWS > VPC > Elastic IP

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/vpcEipAssociated

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/vpcEipAssociated") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/vpcEipAssociated'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/vpcEipAssociated"