You can leverage our Audit Policies with something along the below lines, in terms of RQL. event where operation IN ( 'AssociateElasticIp', 'RegisterElasticIp', 'UpdateElasticIp' ) This will create an alert anytime you have a user actually make a change to the EIP. Another way you can achieve this is by simply checking for instances that have a public IP. Though this will return existing systems that should or are known to have public IPs. config where api.name = 'aws-ec2-describe-instances' AND json.rule = publicIpAddress exists and publicIpAddress is not empty
... View more