aws - elastic-ip - used-by filter

[naohito-intuit]

Add a new used-by filter to the elastic-ip (network-addr) resource to help identify the type of service that the Elastic IP is associated with. It utilizes the get_eni_resource_type utility function contributed in #8028. It will make one API call to get a list of network interfaces that are associated with EIPs.

Initially I was going to add a used filter, but we can check the usage simply by checking the AssociationId attribute using the value filter. The used-by filter returns the resource type that the ENI which EIP is associated with, is attached to.

Background

The Amazon EC2 and NLBs are the only resources that can be protected by AWS Shield Advanced by attaching EIPs. Other resources such as NAT Gateway, Transit Gateway, VPC Endpoint, or AWS Lambda don't need AWS Shield Advanced. Thus, we need a way to filter them out.

Available Types

• ec2
• elb-app
• elb-net
• elb-gwy
• elb
• apigw
• dax
• dir
• dms
• ecs
• fsmt
• elasticache
• emr
• hsm
• hsmv2
• lambda
• nat
• rds
• redshift
• tgw
• vpce
• eks
• unknown

Example

policies:
  - name: eip-shield-advanced-enable
    resource: elastic-ip
    description: |
      Enables AWS Shield Advanced for Elastic IPs that are used by EC2 instances or Network Load Balancers
    filters:
      - or:
        # Associated with EC2
        - type: value
          key: InstanceId
          value: present
        # Associated with NLB
        - type: used-by
          resource-type: elb-net
      # No Shield Advanced Protection
      - type: shield-enabled
        state: false
    actions:
      - type: set-shield
        state: true

[kapilt]

thanks for the changes, lgtm