How to Manage AWS IAM User Permissions with AWS CLI

Learn to update AWS IAM permissions and manage groups using the AWS CLI. Simplify your AWS management with these essential commands.

Patrick Londa
Jan 4, 2022

If you're using AWS without regularly checking for and removing unattached AWS resources, you may be incurring unnecessary costs. Amazon charges based on the entire pool of resources you have access to, not just based on which resources are actively in use. Performing periodic checks on your resources during and after development is essential to good AWS hygiene and can help lower overhead.

The three resources most likely to be overlooked are EBS volumes, ENIs, and NAT gateways. Here are three quick checks you can perform to ensure you're not swimming in excess resources, along with instructions on removing any extra resources you may uncover while performing these checks.

Note that you'll need to run each check in every region where you run, or have previously run, resources. Ok, let's dive in.

Finding and Removing All Unattached EBS Volumes


Unattached AWS resources often take the form of EBS volumes. To find and remove any unattached EBS volumes, here are the seven steps to follow:

  1. Open the AWS Management Console.
  2. Open the EC2 dashboard.
  3. In the navigation panel on the left side of the screen, under Elastic Block Store, select Volumes.
  4. This page lists all of your EBS volumes. Look in the State column, which will show the status of each volume.
  5. If the status of an EBS volume is listed as Available, then the volume isn't currently attached.
  6. Select an unused volume, select Actions, then Delete Volume.
  7. The console will ask for confirmation. If you're sure that you don't need this volume, click Delete.

Note that it is not possible to delete an attached volume. If your AWS services are running as expected and it's possible to delete a volume, that volume likely should be deleted.
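A scripted form of the EBS check above, added here as an example rather than code from the original post or from Blink: it reads the JSON that `aws ec2 describe-volumes --region <region> --output json` returns, lists every volume whose State is available, and prints the delete commands for review instead of running them. The sample output, the fixed reference date, the one-day minimum age (a volume created moments ago and about to be attached also shows as available) and the optional pre-delete snapshot are assumptions of this example; the function names are its own.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape returned by
#   aws ec2 describe-volumes --region us-east-1 --output json
# trimmed to the fields this script reads. Two volumes are "available"
# (unattached); one is "in-use".
SAMPLE_DESCRIBE_VOLUMES = json.loads("""
{
  "Volumes": [
    {"VolumeId": "vol-0aaa111", "State": "available", "Size": 100,
     "CreateTime": "2021-11-01T10:00:00.000Z", "Attachments": [],
     "Tags": [{"Key": "Name", "Value": "old-build-scratch"}]},
    {"VolumeId": "vol-0bbb222", "State": "in-use", "Size": 20,
     "CreateTime": "2021-10-01T10:00:00.000Z",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "State": "attached"}]},
    {"VolumeId": "vol-0ccc333", "State": "available", "Size": 8,
     "CreateTime": "2022-01-03T09:00:00.000Z", "Attachments": []}
  ]
}
""")

# Fixed "now" (the post's date) so the sample gives reproducible ages.
REFERENCE_NOW = datetime(2022, 1, 4, tzinfo=timezone.utc)


def parse_aws_time(value):
    """Parse the timestamps the AWS CLI prints, e.g. 2021-11-01T10:00:00.000Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_unattached_volumes(describe_output, now, min_age_days=1):
    """Return (volume_id, size_gib, age_days) for every volume whose State is
    'available', i.e. not attached to any instance. Volumes younger than
    min_age_days are skipped: a volume that was just created and is about to
    be attached is also reported as 'available'."""
    found = []
    for vol in describe_output.get("Volumes", []):
        if vol.get("State") != "available":
            continue
        age_days = (now - parse_aws_time(vol["CreateTime"])).days
        if age_days < min_age_days:
            continue
        found.append((vol["VolumeId"], vol["Size"], age_days))
    return found


def delete_commands(volume_ids, region, snapshot_first=False):
    """Build the CLI calls for review. With snapshot_first, a snapshot is taken
    before each delete so the data can be restored if the volume turns out to
    matter after all."""
    cmds = []
    for vol_id in volume_ids:
        if snapshot_first:
            cmds.append(f"aws ec2 create-snapshot --region {region} --volume-id {vol_id} "
                        f"--description pre-delete-{vol_id}")
        cmds.append(f"aws ec2 delete-volume --region {region} --volume-id {vol_id}")
    return cmds


def main(argv):
    # Usage: python check_ebs.py [describe-volumes.json] [region]
    # Without arguments the constructed sample is used.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
        now = datetime.now(timezone.utc)
    else:
        data, now = SAMPLE_DESCRIBE_VOLUMES, REFERENCE_NOW
    region = argv[2] if len(argv) > 2 else "us-east-1"
    findings = find_unattached_volumes(data, now)
    for vol_id, size, age in findings:
        print(f"{vol_id}  {size} GiB  unattached, created {age} days ago")
    print("# review the list above, then run:")
    for cmd in delete_commands([v for v, _, _ in findings], region, snapshot_first=True):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

To cover every region, as the post requires, feed the script one `describe-volumes` file per region, for example from a loop over `aws ec2 describe-regions --query "Regions[].RegionName" --output text`. On the sample, only `vol-0aaa111` is reported with the default one-day minimum age; `vol-0ccc333` was created the day before and is skipped.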

Finding and Removing All Unattached ENIs


Here are the ten steps to manually find any unattached ENIs and release the Elastic IP addresses associated with them.

  1. Open the AWS Management Console.
  2. Open the AWS EC2 dashboard.
  3. In the navigation panel on the left side of the screen, under Network & Security, select Network Interfaces. This screen lists all of your ENIs.
  4. Select an ENI from the list and click on the Details tab located in the control panel at the bottom of the screen.
  5. Look at the Status of the ENI. If it's listed as Available, the ENI is not attached to an EC2 instance and can be removed.
  6. If you're using EC2-Classic, note the IP address associated with the ENI (this is also listed on the Details tab).
  7. If you're using EC2-VPC, note the allocation ID of the Elastic IP associated with the ENI.
  8. To release the Elastic IP address, open the command line.
  9. If you're using EC2-Classic, type:
  aws ec2 release-address --public-ip <your-EC2-IP>
  10. If you're using EC2-VPC, type:
  aws ec2 release-address --allocation-id eipalloc-64d5890a

Note that if these commands succeed, no output is returned.
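A scripted form of the ENI check above, added here as an example and not code from the original post or from Blink. It reads the JSON from `aws ec2 describe-network-interfaces --region <region> --output json`, picks out interfaces whose Status is available, and prints the cleanup commands in the order they have to run: the interface is deleted first, which drops its Elastic IP association, and only then is the address released by allocation ID (the release call fails while the address is still associated). It also skips requester-managed interfaces, which belong to an AWS service and cannot be deleted by the account. The sample output and the function names are assumptions of this example; it assumes a VPC (allocation-ID) setup.

```python
import json
import sys

# Constructed sample in the shape returned by
#   aws ec2 describe-network-interfaces --region us-east-1 --output json
# trimmed to the fields this script reads.
SAMPLE_DESCRIBE_ENIS = json.loads("""
{
  "NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa111", "Status": "available", "RequesterManaged": false,
     "Description": "old load-balancer interface", "PrivateIpAddress": "10.0.1.15",
     "Association": {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa111"}},
    {"NetworkInterfaceId": "eni-0bbb222", "Status": "in-use", "RequesterManaged": false,
     "PrivateIpAddress": "10.0.1.20",
     "Attachment": {"InstanceId": "i-0123456789abcdef0", "Status": "attached"}},
    {"NetworkInterfaceId": "eni-0ccc333", "Status": "available", "RequesterManaged": false,
     "Description": "leftover from a terminated instance", "PrivateIpAddress": "10.0.2.7"},
    {"NetworkInterfaceId": "eni-0ddd444", "Status": "available", "RequesterManaged": true,
     "Description": "AWS Lambda VPC ENI", "PrivateIpAddress": "10.0.3.9"}
  ]
}
""")


def find_unattached_enis(describe_output):
    """Return one dict per ENI whose Status is 'available' (not attached to
    any instance). Requester-managed interfaces are owned by an AWS service;
    the delete call rejects them, so they are left out."""
    findings = []
    for eni in describe_output.get("NetworkInterfaces", []):
        if eni.get("Status") != "available" or eni.get("RequesterManaged"):
            continue
        assoc = eni.get("Association", {})
        findings.append({
            "eni_id": eni["NetworkInterfaceId"],
            "description": eni.get("Description", ""),
            "private_ip": eni.get("PrivateIpAddress"),
            "allocation_id": assoc.get("AllocationId"),
            "public_ip": assoc.get("PublicIp"),
        })
    return findings


def cleanup_commands(findings, region):
    """Emit the CLI calls in the order they must run: delete the interface
    first (this removes the Elastic IP association), then release the Elastic
    IP by allocation ID. Releasing a still-associated address fails."""
    cmds = []
    for f in findings:
        cmds.append(f"aws ec2 delete-network-interface --region {region} "
                    f"--network-interface-id {f['eni_id']}")
        if f["allocation_id"]:
            cmds.append(f"aws ec2 release-address --region {region} "
                        f"--allocation-id {f['allocation_id']}")
    return cmds


def main(argv):
    # Usage: python check_eni.py [describe-network-interfaces.json] [region]
    # Without arguments the constructed sample is used.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE_ENIS
    region = argv[2] if len(argv) > 2 else "us-east-1"
    findings = find_unattached_enis(data)
    for f in findings:
        print(f"{f['eni_id']}  {f['private_ip']}  eip={f['allocation_id'] or '-'}  {f['description']}")
    print("# review the list above, then run:")
    for cmd in cleanup_commands(findings, region):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, `eni-0aaa111` and `eni-0ccc333` are reported; the in-use interface and the Lambda-managed one are not. Only the first of the two carries an Elastic IP, so only it gets a `release-address` line.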

Finding and Removing All Unused NAT Gateways


Here are the eleven steps to manually find and remove any unused NAT gateways and release any Elastic IPs associated with them.

  1. Open the AWS VPC console.
  2. In the navigation panel on the left side of the screen, click on NAT Gateways. This page lists all of your NAT gateways.
  3. Click on a specific "NAT Gateway ID" and scroll down to the "Monitoring" section to view its usage over the last 7 days.
  4. Any gateways with average "BytesOutToDestination" of zero over the last 7 days can be considered unused and subject to removal.
  5. Click on the Details tab for any available NAT gateways. Note the name of the EIP associated with the NAT gateway you wish to delete, as you may be able to release the EIP after deleting the NAT gateway.
  6. Click the radio button for the NAT Gateway you wish to delete, then click Actions, and Delete NAT gateway.
  7. A confirmation box will appear. Type delete, and then click Delete.
  8. If you will not need the Elastic IP associated with that NAT Gateway, you can safely release that EIP, further saving resources.
  9. To release the EIP associated with the now-deleted NAT Gateway, click Elastic IPs.
  10. Select the Elastic IP you wish to release, and then click Actions, Release Elastic IP addresses.
  11. A confirmation dialog box will appear. Click Release.

Alternatively, you can release the EIP through the command line. There are four different ways to release an elastic IP address using the command line, depending on your setup. If you're using AWS CLI and EC2-Classic, open your terminal and use the command:

aws ec2 release-address --public-ip <IP ADDRESS>

If you're using AWS CLI and EC2-VPC, use:

aws ec2 release-address --allocation-id <ALLOCATION ID>

If you're using AWS Tools for Windows PowerShell and EC2-Classic, open PowerShell and use the command:

Remove-EC2Address -PublicIp <IP ADDRESS> -Force

If you're using AWS Tools for Windows PowerShell and EC2-VPC, open PowerShell and use the command:

Remove-EC2Address -AllocationId eipalloc-<ALLOCATION ID> -Force
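A scripted form of the NAT gateway check and cleanup above, added here as an example and not code from the original post or from Blink. It combines the output of `aws ec2 describe-nat-gateways` with, per gateway, the output of `aws cloudwatch get-metric-statistics` for the BytesOutToDestination metric over the last seven days (daily Sum datapoints: a total of zero over the window is the same as the post's average of zero). A gateway younger than the window has no full week of history and is never flagged, and a gateway in a pending, deleting or failed state is not a candidate. The sample data, the fixed reference date and the function names are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 7  # the post's "last 7 days" window
REFERENCE_NOW = datetime(2022, 1, 4, tzinfo=timezone.utc)  # fixed for the sample


def parse_aws_time(value):
    # AWS CLI timestamps look like 2021-10-01T10:00:00.000Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def daily_points(now, sums):
    """Constructed Datapoints in the shape get-metric-statistics returns."""
    return [{"Timestamp": (now - timedelta(days=i + 1)).strftime("%Y-%m-%dT%H:%M:%SZ"),
             "Sum": s, "Unit": "Bytes"} for i, s in enumerate(sums)]


# Constructed sample in the shape of
#   aws ec2 describe-nat-gateways --region us-east-1 --output json
SAMPLE_NAT_GATEWAYS = json.loads("""
{
  "NatGateways": [
    {"NatGatewayId": "nat-0aaa111", "State": "available", "CreateTime": "2021-10-01T10:00:00.000Z",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0aaa111", "PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-0bbb222", "State": "available", "CreateTime": "2021-06-01T10:00:00.000Z",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0bbb222", "PublicIp": "203.0.113.11"}]},
    {"NatGatewayId": "nat-0ccc333", "State": "available", "CreateTime": "2022-01-02T08:00:00.000Z",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0ccc333", "PublicIp": "203.0.113.12"}]}
  ]
}
""")

# Constructed per-gateway output of
#   aws cloudwatch get-metric-statistics --region us-east-1 \
#     --namespace AWS/NATGateway --metric-name BytesOutToDestination \
#     --dimensions Name=NatGatewayId,Value=<nat-id> \
#     --start-time <now minus 7 days> --end-time <now> --period 86400 --statistics Sum
SAMPLE_METRICS = {
    "nat-0aaa111": {"Label": "BytesOutToDestination",
                    "Datapoints": daily_points(REFERENCE_NOW, [0.0] * WINDOW_DAYS)},
    "nat-0bbb222": {"Label": "BytesOutToDestination",
                    "Datapoints": daily_points(REFERENCE_NOW, [4.1e9, 3.8e9, 0.0, 5.2e9, 4.4e9, 3.9e9, 4.0e9])},
    "nat-0ccc333": {"Label": "BytesOutToDestination", "Datapoints": []},
}


def classify_nat_gateway(gateway, metric_output, now, window_days=WINDOW_DAYS):
    """Return 'too-new', 'unused' or 'in-use'. CloudWatch returns no datapoint
    for a period without data, so for an established gateway an empty list
    also counts as zero bytes out."""
    if now - parse_aws_time(gateway["CreateTime"]) < timedelta(days=window_days):
        return "too-new"
    total = sum(dp.get("Sum", 0.0) for dp in metric_output.get("Datapoints", []))
    return "unused" if total == 0 else "in-use"


def find_unused_nat_gateways(describe_output, metrics_by_id, now, window_days=WINDOW_DAYS):
    """Return (nat_gateway_id, [allocation IDs of its Elastic IPs]) for every
    'available' gateway with no outbound traffic over the window."""
    unused = []
    for gw in describe_output.get("NatGateways", []):
        if gw.get("State") != "available":
            continue  # pending, deleting or failed gateways are not candidates
        metrics = metrics_by_id.get(gw["NatGatewayId"], {})
        if classify_nat_gateway(gw, metrics, now, window_days) == "unused":
            eips = [a["AllocationId"] for a in gw.get("NatGatewayAddresses", [])
                    if "AllocationId" in a]
            unused.append((gw["NatGatewayId"], eips))
    return unused


def cleanup_commands(findings, region):
    """Delete each gateway, then release its Elastic IPs. Run the release only
    once the gateway reports State 'deleted'; until then the address is still
    in use and the release call fails."""
    cmds = []
    for gw_id, eips in findings:
        cmds.append(f"aws ec2 delete-nat-gateway --region {region} --nat-gateway-id {gw_id}")
        for eip in eips:
            cmds.append(f"aws ec2 release-address --region {region} --allocation-id {eip}")
    return cmds


if __name__ == "__main__":
    # Replace the two sample dicts with the real CLI outputs for live use.
    for gw in SAMPLE_NAT_GATEWAYS["NatGateways"]:
        verdict = classify_nat_gateway(gw, SAMPLE_METRICS.get(gw["NatGatewayId"], {}), REFERENCE_NOW)
        print(f"{gw['NatGatewayId']}  {verdict}")
    print("# review, then run:")
    for cmd in cleanup_commands(find_unused_nat_gateways(SAMPLE_NAT_GATEWAYS, SAMPLE_METRICS, REFERENCE_NOW), "us-east-1"):
        print(cmd)
```

On the sample, `nat-0aaa111` (seven days of zero bytes out) is the only gateway flagged; `nat-0bbb222` carries traffic and `nat-0ccc333` is two days old, so it is reported as too new to judge rather than as unused.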

Automate AWS Resource Checks with Blink

If you run resources in multiple regions, then running each of these checks multiple times on a regular basis might seem impractical or inefficient. When you create a free Blink account, you can schedule these resource checks using pre-built automations. Check multiple regions and multiple resource types in a few clicks.


Get started with Blink and start automating your AWS resource checks today.