How do I find an IP address that's not in my Amazon VPC but is in my logs?


I want to find an IP address that's not currently in my Amazon Virtual Private Cloud (Amazon VPC) but is in my logs.

Short description

Use AWS CloudTrail to check past events that added or removed IP addresses. To search those events, use either the AWS Command Line Interface (AWS CLI), whose lookup-events command searches the previous 90 days of event history, or Amazon CloudWatch Logs Insights on a trail that delivers to CloudWatch Logs.

Resolution

AWS CLI

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

1.    Use the AllocateAddress event to check whether the Elastic IP address was allocated to your account:

Note: Replace example-eip-address with your Elastic IP address, example-mm-dd-yyyy with your start date, and example-region with your AWS Region.

aws cloudtrail lookup-events \
--region example-region \
--lookup-attributes AttributeKey=EventName,AttributeValue=AllocateAddress \
--start-time example-mm-dd-yyyy \
--query 'Events[].Resources[?ResourceName == `example-eip-address`].{ResourceType:ResourceType,IP:ResourceName}[]' --output table

Note: The preceding CloudTrail query lists only Elastic IP addresses; the public IPv4 addresses that Amazon Elastic Compute Cloud (Amazon EC2) auto-assigns to instances don't appear in AllocateAddress events.

2.    Use the AssociateAddress event, filtered by allocation ID, to view the resource that used the Elastic IP address:

Note: Replace example-allocation-id with the allocation ID of your Elastic IP address, example-mm-dd-yyyy with your start date, and example-region with your Region.

aws cloudtrail lookup-events \
--region example-region \
--lookup-attributes AttributeKey=ResourceName,AttributeValue=example-allocation-id \
--start-time example-mm-dd-yyyy

3.    Use the CreateNetworkInterface event to check if the private IP address was assigned to the elastic network interface:

Note: Replace example-private-ip-address with your private IP address, example-mm-dd-yyyy with your start date, and example-region with your Region.

aws cloudtrail lookup-events \
--region example-region \
--lookup-attributes AttributeKey=EventName,AttributeValue=CreateNetworkInterface \
--start-time example-mm-dd-yyyy \
--query 'Events[].CloudTrailEvent' --output text | jq -r 'select(any(.responseElements.networkInterface.privateIpAddressesSet.item[]?; .privateIpAddress == "example-private-ip-address"))'

4.    Use the AttachNetworkInterface event to check if a resource used a network interface in the past:

Note: Replace example-eni-id with your network interface ID, example-mm-dd-yyyy with your start date, and example-region with your Region.

aws cloudtrail lookup-events \
--region example-region \
--lookup-attributes AttributeKey=EventName,AttributeValue=AttachNetworkInterface \
--start-time example-mm-dd-yyyy \
--query 'Events[].CloudTrailEvent' --output text | jq -r 'select(.requestParameters.networkInterfaceId == "example-eni-id")'

5.    Use the RunInstances event to check if the private IP address was associated with the instance at instance launch:

Note: Replace example-private-ip-address with your private IP address, example-mm-dd-yyyy with your start date, and example-region with your Region.

aws cloudtrail lookup-events \
--region example-region \
--lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances \
--start-time example-mm-dd-yyyy \
--query 'Events[].CloudTrailEvent' --output text | jq -r 'select(any(.responseElements.instancesSet.items[]?; .privateIpAddress == "example-private-ip-address")) | [.responseElements.instancesSet.items[].networkInterfaceSet.items[]]'

6.    Use the AssignPrivateIpAddresses event to check if the private IP address was associated with the network interface:

Note: Replace example-private-ip-address with your private IP address, example-mm-dd-yyyy with your start date, and example-region with your Region.

aws cloudtrail lookup-events \
--region example-region \
--lookup-attributes AttributeKey=EventName,AttributeValue=AssignPrivateIpAddresses \
--start-time example-mm-dd-yyyy \
--query 'Events[].CloudTrailEvent' --output text | jq -r 'select(any(.responseElements.assignedPrivateIpAddressesSet.assignedPrivateIpAddressSetType[]?; .privateIpAddress == "example-private-ip-address")) | {requestParameters,responseElements}'

7.    Use the AssignIpv6Addresses event to check if the IPv6 address was assigned to the specified network interface:

Note: Replace example-IPv6-address with your IPv6 address, example-mm-dd-yyyy with your start date, and example-region with your Region.

aws cloudtrail lookup-events \
--region example-region \
--lookup-attributes AttributeKey=EventName,AttributeValue=AssignIpv6Addresses \
--start-time example-mm-dd-yyyy \
--query 'Events[].CloudTrailEvent' --output text | jq -r 'select([.responseElements.AssignIpv6AddressesResponse.assignedIpv6Addresses.item?] | flatten | index("example-IPv6-address")) | [.responseElements.AssignIpv6AddressesResponse]'
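The seven lookups above all read the same handful of CloudTrail fields and chain them by hand: address to allocation ID, allocation ID to instance, address to network interface, network interface to instance. As an added example that is not part of the AWS article, the following Python script does that chaining in one pass over the JSON documents that the lookup-events commands print. It normalizes the single-element-versus-list quirk of CloudTrail's item/items fields (a trap for the jq filters as well), follows any eipalloc- or eni- ID it discovers, and returns a timeline for the address you ask about. The event payloads, IDs, times and addresses are constructed for the example; in practice, feed it the lines from the lookup-events output for the seven event names.

```python
import json

# Constructed sample events, each serialized the way
# `aws cloudtrail lookup-events --query 'Events[].CloudTrailEvent' --output text`
# prints them (one JSON document per line). All IDs, times and addresses are made up.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "AllocateAddress",
     "responseElements": {"publicIp": "203.0.113.10", "allocationId": "eipalloc-0example1"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "AssociateAddress",
     "requestParameters": {"allocationId": "eipalloc-0example1", "instanceId": "i-0example1"}},
    {"eventTime": "2024-01-01T10:10:00Z", "eventName": "CreateNetworkInterface",
     "responseElements": {"networkInterface": {
         "networkInterfaceId": "eni-0example1",
         # a single item is rendered as an object, not a one-element list
         "privateIpAddressesSet": {"item": {"privateIpAddress": "10.0.1.25", "primary": True}},
         "ipv6AddressesSet": {"items": [{"ipv6Address": "2001:db8::25"}]}}}},
    {"eventTime": "2024-01-01T10:15:00Z", "eventName": "AttachNetworkInterface",
     "requestParameters": {"networkInterfaceId": "eni-0example1", "instanceId": "i-0example2"}},
    {"eventTime": "2024-01-01T10:20:00Z", "eventName": "RunInstances",
     "responseElements": {"instancesSet": {"items": [{
         "instanceId": "i-0example3", "privateIpAddress": "10.0.2.7",
         "networkInterfaceSet": {"items": [{"networkInterfaceId": "eni-0example2"}]}}]}}},
    {"eventTime": "2024-01-01T10:25:00Z", "eventName": "AssignPrivateIpAddresses",
     "requestParameters": {"networkInterfaceId": "eni-0example2"},
     "responseElements": {"assignedPrivateIpAddressesSet": {
         "assignedPrivateIpAddressSetType": [{"privateIpAddress": "10.0.2.99"}]}}},
    {"eventTime": "2024-01-01T10:30:00Z", "eventName": "AssignIpv6Addresses",
     "requestParameters": {"networkInterfaceId": "eni-0example2"},
     "responseElements": {"AssignIpv6AddressesResponse": {
         "networkInterfaceId": "eni-0example2", "assignedIpv6Addresses": {"item": "2001:db8::99"}}}},
]]


def as_list(value):
    """CloudTrail's XML-derived JSON uses a scalar or object for one element and a
    list for several; normalize so item/items can always be iterated."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def bindings(event):
    """Yield (key, resource) pairs recorded by one event: key is an IP address,
    allocation ID or ENI ID, resource is what it was bound to. Field paths follow
    the jq filters in the article."""
    name = event.get("eventName")
    req = event.get("requestParameters") or {}
    resp = event.get("responseElements") or {}
    if name == "AllocateAddress":
        yield resp.get("publicIp"), resp.get("allocationId")
    elif name == "AssociateAddress":
        yield req.get("allocationId"), req.get("instanceId") or req.get("networkInterfaceId")
    elif name == "CreateNetworkInterface":
        eni = resp.get("networkInterface") or {}
        for item in as_list((eni.get("privateIpAddressesSet") or {}).get("item")):
            yield item.get("privateIpAddress"), eni.get("networkInterfaceId")
        for item in as_list((eni.get("ipv6AddressesSet") or {}).get("items")):
            yield item.get("ipv6Address"), eni.get("networkInterfaceId")
    elif name == "RunInstances":
        for inst in as_list((resp.get("instancesSet") or {}).get("items")):
            yield inst.get("privateIpAddress"), inst.get("instanceId")
            for nic in as_list((inst.get("networkInterfaceSet") or {}).get("items")):
                for item in as_list((nic.get("ipv6AddressesSet") or {}).get("items")):
                    yield item.get("ipv6Address"), nic.get("networkInterfaceId")
                yield nic.get("networkInterfaceId"), inst.get("instanceId")
    elif name == "AssignPrivateIpAddresses":
        assigned = resp.get("assignedPrivateIpAddressesSet") or {}
        for item in as_list(assigned.get("assignedPrivateIpAddressSetType")):
            yield item.get("privateIpAddress"), req.get("networkInterfaceId")
    elif name == "AssignIpv6Addresses":
        r = resp.get("AssignIpv6AddressesResponse") or {}
        for addr in as_list((r.get("assignedIpv6Addresses") or {}).get("item")):
            yield addr, r.get("networkInterfaceId") or req.get("networkInterfaceId")
    elif name == "AttachNetworkInterface":
        yield req.get("networkInterfaceId"), req.get("instanceId")


def trace(cloudtrail_events, needle):
    """Return a sorted list of (eventTime, eventName, key, resource) for every event
    that bound `needle` (an IP address), following the allocation IDs and ENI IDs it
    leads to. Repeats passes until no new ID is discovered, so an ENI created
    before the address was assigned to it is still resolved to its instance."""
    events = [json.loads(e) for e in cloudtrail_events]
    keys, seen = {needle}, set()
    while True:
        before = len(keys)
        for ev in events:
            for key, resource in bindings(ev):
                if key in keys and resource:
                    seen.add((ev.get("eventTime", ""), ev["eventName"], key, resource))
                    if resource.startswith(("eipalloc-", "eni-")):
                        keys.add(resource)
        if len(keys) == before:
            return sorted(seen)


if __name__ == "__main__":
    for ip in ("203.0.113.10", "10.0.1.25", "10.0.2.99", "2001:db8::99"):
        print(ip, trace(SAMPLE_EVENTS, ip))
```

Because the script follows every eipalloc- and eni- ID it meets, an interface that was later reused for a different address will show up in the timeline too; the key column tells you which binding produced each row, so read it together with the timestamps rather than as a single answer.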

CloudWatch Logs Insights

Note: To send log events to CloudWatch Logs, configure your trail. For more information, see Monitoring CloudTrail log files with Amazon CloudWatch Logs.

Check if IPv4 addresses are assigned to your account

Complete the following steps:

1.    View the past Elastic IP address allocation and the service that used the public IP address:

Note: Replace example-public-ip-addresses with your public IP addresses and example-allocation-id with your allocation ID.

fields 
     eventTime as Time,
     userIdentity.accountId as AccountID,
     userIdentity.principalId as Principal,
     awsRegion as Region,
     eventName as Action,
     requestParameters.allocationId as AssociateAddress_AllocationID,
     requestParameters.instanceId as InstanceID,
     requestParameters.privateIpAddress as PrivateIP,
     responseElements.allocationId as AllocateAddress_AllocationID,
     responseElements.publicIp as EIP
| filter
     # AssociateAddress does not indicate resources outside EC2 instances.
     (eventName = "AllocateAddress" or eventName = "AssociateAddress") and
     (
          EIP = "example-public-ip-addresses" or
          AssociateAddress_AllocationID = "example-allocation-id"
     )
| sort @timestamp desc

2.    Use the following events to find the previous private IP address assignments:

Note: Replace example-private-ip-addresses with your IP addresses.

CreateNetworkInterface event:

parse @message '"privateIpAddressesSet":{"item":[{"privateIpAddress":"*"' as PrivateIP
| fields
eventTime as Time,
userIdentity.accountId as AccountID,
userIdentity.principalId as Principal,
awsRegion as Region,
eventName as Action,
responseElements.networkInterface.networkInterfaceId as ENI
| filter
eventName = "CreateNetworkInterface" and
(
PrivateIP = "example-private-ip-addresses" 
)
| sort @timestamp desc

RunInstances event:

parse @message '{"privateIpAddress":"*"' as PrivateIP
|fields 
     eventTime as Time,
     userIdentity.accountId as AccountID,
     userIdentity.principalId as Principal,
     awsRegion as Region,
     eventName as Action
| filter 
     eventName = "RunInstances" and
     (
          PrivateIP = "example-private-ip-addresses" 
     )
| sort @timestamp desc

AssignPrivateIpAddresses event:

parse @message '"assignedPrivateIpAddressSetType":[{*}]' as PrivateIpAddress
| fields 
     eventTime as Time,
     userIdentity.accountId as AccountID,
     userIdentity.principalId as Principal,
     awsRegion as Region,
     eventName as Action
| filter 
     eventName = "AssignPrivateIpAddresses" and
     (
          PrivateIpAddress like "example-private-ip-addresses" 
     )
| sort @timestamp desc

3.    View the resources that used the network interface:

Note: Replace example-eni-id with your network interface ID.

fields 
     eventTime as Time,
     userIdentity.accountId as AccountID,
     userIdentity.principalId as Principal,
     awsRegion as Region,
     eventName as Action,
     requestParameters.instanceId as InstanceID,
     requestParameters.networkInterfaceId as ENI
| filter 
     eventName = "AttachNetworkInterface" and
     (
          ENI = "example-eni-id" 
     )
| sort @timestamp desc

Check if IPv6 addresses are assigned to your account

Complete the following steps:

1.    Use the following events to find the previous IPv6 address assignments:

Note: Replace example-ipv6-addresses with your IP addresses.

AssignIpv6Addresses event:

fields
    eventTime as Time,
    userIdentity.accountId as AccountID,
    userIdentity.principalId as Principal,
    awsRegion as Region,
    eventName as Action,
    responseElements.AssignIpv6AddressesResponse.assignedIpv6Addresses.item as IPv6
| filter
    eventName = "AssignIpv6Addresses" and
    (
        IPv6 = "example-ipv6-addresses"
    )
| sort @timestamp desc 

RunInstances event:

parse @message '"ipv6AddressesSet":{"items":[{"ipv6Address":"*"' as IPv6
| fields 
     eventTime as Time,
     userIdentity.accountId as AccountID,
     userIdentity.principalId as Principal,
     awsRegion as Region,
     eventName as Action,
     responseElements.instancesSet.items.0.instanceId as InstanceID
| filter 
     eventName = "RunInstances" and
     (
         IPv6 = "example-ipv6-addresses"
     )
| sort @timestamp desc

CreateNetworkInterface event:

parse @message '"ipv6AddressesSet":{"items":[{"ipv6Address":"*"' as IPv6
| fields 
     eventTime as Time,
     userIdentity.accountId as AccountID,
     userIdentity.principalId as Principal,
     awsRegion as Region,
     eventName as Action,
     responseElements.networkInterface.networkInterfaceId as ENI
| filter 
     eventName = "CreateNetworkInterface" and
     (
         IPv6 = "example-ipv6-addresses"
     )
| sort @timestamp desc

2.    View the resources that used the network interface:

Note: Replace example-eni-id with your network interface ID.

fields 
     eventTime as Time,
     userIdentity.accountId as AccountID,
     userIdentity.principalId as Principal,
     awsRegion as Region,
     eventName as Action,
     requestParameters.instanceId as InstanceID,
     requestParameters.networkInterfaceId as ENI
| filter 
     eventName = "AttachNetworkInterface" and
     (
         ENI = "example-eni-id"
     )
| sort @timestamp desc

3.    (Optional) Run the following command to check whether the BGP prefix and ASN that announce the public IP address belong to AWS.

Note: Replace example-public-ip-address with your public IP address. Run the following command on a Linux machine.

$ whois -h whois.cymru.com " -v example-public-ip-address"

If it's an AWS IP address and you see malicious activity, then contact AWS Trust & Safety.
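The whois lookup tells you who announces the prefix; AWS's published ip-ranges.json (linked under Related information) tells you which service and Region a prefix is assigned to. As an added example that is not part of the AWS article, the following Python script parses the pipe-separated verbose output that the whois command returns and cross-checks the address against a file in the ip-ranges.json format. The whois lines and the prefix entries are constructed for the example: ASN 64496 and the 203.0.113.0/24 and 2001:db8:1::/48 prefixes are documentation values, not real allocations. To use it, paste the real whois output and download the current ip-ranges.json.

```python
import ipaddress
import json

# Constructed sample in the shape of `whois -h whois.cymru.com " -v <ip>"` output:
# one header line, then one pipe-separated record per address.
SAMPLE_WHOIS = """AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 203.0.113.10     | 203.0.113.0/24      | US | arin     | 2011-01-01 | EXAMPLE-AS, US
"""

# Constructed fragment in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
# the prefixes, Regions and services here are made up for the example.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
    ],
})


def parse_cymru(text):
    """Parse verbose Team Cymru whois output into one dict per record, keyed by
    the header names (AS, IP, BGP Prefix, CC, Registry, Allocated, AS Name).
    The AS Name field may itself contain commas, so split on '|' only."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    return [dict(zip(header, (f.strip() for f in line.split("|")))) for line in lines[1:]]


def aws_prefixes_for(ip, ip_ranges_json):
    """Return every ip-ranges.json entry whose prefix contains `ip` (IPv4 or IPv6).
    A prefix usually appears more than once, for example under EC2 and AMAZON."""
    addr = ipaddress.ip_address(ip)
    data = json.loads(ip_ranges_json)
    if addr.version == 4:
        entries, key = data["prefixes"], "ip_prefix"
    else:
        entries, key = data["ipv6_prefixes"], "ipv6_prefix"
    return [e for e in entries if addr in ipaddress.ip_network(e[key])]


def classify(whois_text, ip_ranges_json):
    """Combine both sources: BGP origin from whois, service and Region from the
    AWS ranges. is_aws is decided by the published ranges, not by the AS name."""
    results = []
    for row in parse_cymru(whois_text):
        matches = aws_prefixes_for(row["IP"], ip_ranges_json)
        results.append({
            "ip": row["IP"],
            "asn": row["AS"],
            "bgp_prefix": row["BGP Prefix"],
            "as_name": row["AS Name"],
            "aws_services": sorted({m["service"] for m in matches}),
            "aws_regions": sorted({m["region"] for m in matches}),
            "is_aws": bool(matches),
        })
    return results


if __name__ == "__main__":
    for entry in classify(SAMPLE_WHOIS, SAMPLE_IP_RANGES):
        print(json.dumps(entry, indent=2))
```

Treat the two sources as complementary: the BGP view can lag behind an allocation change, while ip-ranges.json is the list AWS itself publishes, so an address that matches a published prefix is the one worth taking to AWS Trust & Safety if it is involved in malicious activity.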

Related information

Analyzing log data with CloudWatch Logs Insights

How do I find the resource that currently owns an unknown IP address in my Amazon VPC?

Analyzing AWS Cloudtrail in Amazon CloudWatch

AWS IP address ranges

AWS OFFICIAL. Updated 6 months ago.