Verifying IP addresses used across multiple AWS accounts is important for maintaining IP reputation and customer whitelisting. To collect information about networking resources in a multi-account AWS environment, there are several scalable options including IPAM, AWS Config, and building an automated solution using the AWS CLI or SDKs.
Use the Instance Metadata API on the instance to retrieve the AWS account ID associated with the instance. The API can be accessed by running the following command on the instance:
The command will return a JSON object that contains the account ID in the accountId field.
Use the AWS CLI to find the network interface that owns the IP address. The following command can be run:
Replace <IPv4 address> with the IP address that needs to be investigated. The output of the command will include the description of the network interface, which can be used to identify the resource that owns the IP address.
Use Amazon VPC IP Address Manager (IPAM) to monitor and audit IP addresses at scale. IPAM is a VPC feature that makes it easier to plan, track, and monitor IP addresses for AWS workloads. From a centralized dashboard, IPAM can monitor IP address space that's in use and use the IP historical data to search for the status change of IP addresses or CIDRs. IPAM can be integrated with AWS organisations to activate the Amazon VPC IPAM service to manage and monitor networking resources created by all AWS organizations member accounts.
Automate multi-account network information capture with AWS Config aggregator. AWS Config records AWS resource configurations and allows reviewing changes in configurations and relationships between AWS resources. Networking resource types collected by AWS Config include internet gateways, NAT gateways, load balancers, VPC CIDRs, and subnets. AWS Config data from multiple accounts and AWS Regions can be aggregated into a single account using multi-account, multi-Region data aggregation.
Automatically generate a multi-account network resources report using aws-sts-network-query-tool. This script uses AWS CLI to collect networking-related information for multiple accounts and outputs the information in a CSV. It can be run by specifying a list of member accounts to scan. The script can collect information about internet gateways, NAT gateways, load balancers, VPC CIDRs, subnets, elastic IP addresses, and elastic network interfaces.
Overmind makes it easy to search IP addresses across accounts while getting all important related content and metadata about its usage. Within Explore, you can start by listing all ec2-address types. From there you can expand outwards discovering any related types including DNS entries, ec2-network-interfaces or IPs.
To do this across multiple accounts simply those accounts as new sources. Once you have added these sources you will be able to search across all of them by making sure the scope is set to ‘*’.
Choosing the option depends on the specific use case and the available infrastructure.
What is the Instance Metadata API, and how does it help in verifying IP address usage?
To verify IP address usage, you can utilise the instance metadata to get the instance ID and other relevant details. The instance metadata is available in all Amazon EC2 instances at the following address: /latest/meta-data/. In there, you can find quite a lot of useful information, including the instance ID, which can be used to verify IP address usage.
Can I use the AWS CLI to find the owner of an IP address in AWS?
Yes, you can use the AWS CLI to find the owner of an IP address in AWS. The docs link can be found here.
Which option should I choose if I need to monitor IP addresses within VPCs and track their usage?
To monitor IP addresses within VPCs and track their usage, the best option is to use Amazon VPC IP Address Manager (IPAM).