The dreaded email asking about an IP address…

The situation:

You manage a bunch of AWS accounts, and have public IP addresses of various asset types. The same regions are always at play. Then the email comes in:

What do you do now?  Are you going to have to log into the AWS console for every account, and start searching for resources or logs?  What if such requests come in often?

I created a support ticket with AWS, and support was kind enough to let me know the last 5 digits of the account number owning the questionable asset. The support person included a helpful link on how to find all public IP addresses in a region.

A little helper shell script comes to the rescue

I then decided I needed a quick little script to help with the searching. Note that you do need the AWS cli installed, and have profiles configured in your ~/.aws/credentials file.

#!/bin/bash
echo "Enter the public IP that you are looking for: "
read target_ip
printf "Looking for IP %s\n" "$target_ip"
rm -rf out.txt || true

profiles="nonprod prod"
regions="us-east-2 us-east-1"
for profile in $profiles
do
  for region in $regions
  do
     printf "profile=%s, region=%s\n" "$profile" "$region" >> out.txt
     printf "profile=%s, region=%s\n" "$profile" "$region"
     AWS_PROFILE=$profile aws ec2 describe-network-interfaces \
      --query NetworkInterfaces[].Association.PublicIp \
      --region $region >> out.txt
  done
done
grep $target_ip out.txt
if [[ $? != 0 ]]; then
  echo "IP address not found"
fi

Running it is simple, it asks for the IP address to search for.  If it does not find it, it will print ‘IP address not found’. Otherwise it will print the IP address. One can then go back to the ‘out.txt’ file, find the IP address, and identify the aws-profile/region header. From there, it should be easy to find the offending asset.

 

References:

http://eosrei.net/articles/2017/09/list-all-public-ip-addresses-aws-account

 

Leave a Reply