Received abuse warning from an Elastic IP, no instances match that IP. How can we track it down?

0

Hello. We recently received an abuse report saying an Elastic IP of ours was being used to send a malicious payload. We do indeed have that IP, but it isn't mapped or associated with anything (perhaps it was at one point. If so, it was before I was on the team). We dug through everything we could to find any instance using this IP and found nothing. No EC2 instances. Nothing in load balancers. I checked in every region, just in case. Has anyone come across something similar? If so, how did you track it down? Can we find what might be using the IP? We see the network interface mapped to it, but it's associated with a VPC used by a number of instances (none of which are the IP in the report).

Otherwise, if we can't find the IP being used anywhere, I'm assuming it's safe to just get rid of it, correct? We do not currently have a dedicated AWS person, so any help is appreciated. Thank you so much for any assistance you can provide.

Edit to add: Is it possible someone is spoofing the IP? The gateway says it was created in 2016 and I do not know the last time that IP was associated with an EC2 instance (if there's a way of finding that out).

asked a year ago · 283 views
1 Answer
0

In the EC2 console, under "Elastic IPs", you can check if the EIP has an "Association ID". If not, then it isn't in use and should be deleted - you get charged for unused EIPs, so BTW that would appear on your bill. If it does have an Association ID, you can also see the associated instance ID or NAT Gateway etc.

EXPERT
answered a year ago
  • Thank you. Just before your answer I discovered the IP is a NAT Gateway, not a network device associated with an instance. So now I need to figure out if I can find out which of our instances is initiating the malicious call. I can find the internal NAT IP and the IP it's trying to hit in a CloudWatch log, but I'm not sure if the entry directly above it is the instance that initiated it? I need to research more how the logs work.

    Thank you for the answer.
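
The correlation the comment above is working toward, as an added example that is not part of the original thread: it finds which private addresses sent traffic through the NAT gateway to the reported destination. It assumes a VPC flow log on the NAT gateway's network interface with a custom format that includes the `pkt-srcaddr` and `pkt-dstaddr` fields; the field order, the interface ID, and all addresses are constructed for illustration.

```python
from collections import defaultdict

# Assumed custom flow log format on the NAT gateway's network interface.
# srcaddr/dstaddr are the addresses seen at the interface; pkt-srcaddr and
# pkt-dstaddr are the original packet addresses.
FIELDS = ("interface-id srcaddr dstaddr pkt-srcaddr pkt-dstaddr "
          "dstport protocol packets start action").split()

# Constructed sample records (documentation address ranges, not real data).
SAMPLE = """\
eni-0example 10.0.1.5 10.0.0.220 10.0.1.5 203.0.113.5 443 6 12 1700000000 ACCEPT
eni-0example 10.0.0.220 203.0.113.5 10.0.0.220 203.0.113.5 443 6 12 1700000000 ACCEPT
eni-0example 203.0.113.5 10.0.0.220 203.0.113.5 10.0.0.220 49152 6 10 1700000001 ACCEPT
eni-0example 10.0.0.220 10.0.1.5 203.0.113.5 10.0.1.5 49152 6 10 1700000001 ACCEPT
eni-0example 10.0.2.9 10.0.0.220 10.0.2.9 198.51.100.7 80 6 3 1700000005 ACCEPT
eni-0example 10.0.1.5 10.0.0.220 10.0.1.5 203.0.113.5 443 6 4 1700000060 ACCEPT
malformed line
"""

def find_initiators(log_text, nat_private_ip, remote_ip):
    """Return {private_ip: {packets, first_seen, last_seen, ports}} for flows
    that entered the NAT gateway bound for remote_ip."""
    hits = defaultdict(lambda: {"packets": 0, "first_seen": None,
                                "last_seen": None, "ports": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # header, truncated or otherwise unparseable line
        rec = dict(zip(FIELDS, parts))
        # Instance -> NAT leg only: at the interface the destination is the
        # NAT's private IP, while the packet itself targets the remote host.
        # The NAT -> remote leg and both reply legs fail this test.
        if rec["dstaddr"] != nat_private_ip or rec["pkt-dstaddr"] != remote_ip:
            continue
        try:
            packets, start = int(rec["packets"]), int(rec["start"])
        except ValueError:
            continue  # NODATA/SKIPDATA records carry '-' in numeric fields
        h = hits[rec["pkt-srcaddr"]]
        h["packets"] += packets
        h["ports"].add(int(rec["dstport"]))
        h["first_seen"] = start if h["first_seen"] is None else min(h["first_seen"], start)
        h["last_seen"] = start if h["last_seen"] is None else max(h["last_seen"], start)
    return dict(hits)

if __name__ == "__main__":
    for ip, info in find_initiators(SAMPLE, "10.0.0.220", "203.0.113.5").items():
        print(ip, info)
```

Each private address returned can then be looked up under Network Interfaces in the EC2 console to find the instance that owns it. With the default flow log format, the instance-to-NAT record shows only the NAT gateway's private IP as the destination, so adjacent log entries alone do not tie an instance to the external address.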
