We had a situation recently where an elastic IP address assigned to a production server mysteriously became disassociated from that server. We have had this same thing happen in the past to other (fortunately, non-production) servers. We have several admins in the console, but no one is owning up to the mistake. Is there some way to audit AWS console activities?
No. If you need auditing, you'll likely need to wrap your own frontend around the AWS APIs. If you have paid support AWS may be able to look at their internal logs, I don't know.
One thing to note is that a non-VPC EC2 instance that's stopped will lose its EIP. VPC instances retain their association (and their internal IP, too) during stoppages.
I haven't used the service yet, but it looks like there's a service called CloudTrail for logging AWS API activity:
With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
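As an added illustration (not part of the answer above, and not AWS's own tooling), here is how a CloudTrail log file delivered to S3 could be searched offline for the EC2 calls that change an Elastic IP's association, pulling out who made the call, from where, and whether it came through the console. The records below are constructed sample data that follow the CloudTrail record layout; the "console" user-agent check is an assumption used for labelling only.

```python
import json

# Constructed sample CloudTrail records (not real log data). Field names follow
# the CloudTrail record format; all values are invented for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-02-03T10:15:22Z", "eventName": "DisassociateAddress",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "admin-alice"},
     "requestParameters": {"associationId": "eipassoc-0123abcd"}},
    {"eventTime": "2014-02-03T10:16:05Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/1.2.0",
     "userIdentity": {"type": "IAMUser", "userName": "admin-bob"},
     "requestParameters": {}},
    {"eventTime": "2014-02-03T11:02:40Z", "eventName": "DisassociateAddress",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/1.2.0",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"publicIp": "192.0.2.44"}},
]})

# EC2 API calls that change which server an Elastic IP points at.
EIP_EVENTS = {"AssociateAddress", "DisassociateAddress", "ReleaseAddress"}


def eip_changes(log_text):
    """Return one summary dict per Elastic IP change found in a CloudTrail log file."""
    found = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") not in EIP_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        found.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            # Root sessions carry no userName; fall back to the ARN or identity type.
            "who": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
            "from_ip": rec.get("sourceIPAddress"),
            # Assumption: console-originated calls carry a console user agent.
            "via": "console" if "console" in rec.get("userAgent", "") else "api",
            # VPC calls name an association id; EC2-Classic calls name the public IP.
            "target": params.get("associationId") or params.get("publicIp") or params.get("allocationId"),
        })
    return found


if __name__ == "__main__":
    for change in eip_changes(SAMPLE_LOG):
        print(change)
```

To run it against real logs, pass the contents of each downloaded CloudTrail JSON file to `eip_changes` instead of `SAMPLE_LOG`.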
Depending on your region, I agree with forforf and would recommend checking out CloudTrail. You might also want to review your current security posture within AWS as a whole.
We ran into the same issue with more than 20 admins in AWS. There were way too many cooks in the kitchen. We then decided to give SU access to our 2 enterprise architects, and then segmented access in IAM based on the admin's role: Dev, Operations, Engineering, Security, etc. That way if there was a change made, we could at least figure out who made the change between 1-2 people, instead of 20.
Also we implemented Chef as well, which helped with audits, etc. Depends on your environment, needs, etc. though.
For your situation, if it were me... I would gather the IPs of all my instances and click on Elastic Network Interfaces in the AWS console. Search for ENIs via those IP addresses. Click on each ENI and change the termination behavior on termination to False. Then go into IAM and deny permissions for EIP attachment and detachment to multiple admins.
I would also enable termination protection for each instance. If you're in a VPC environment, any EIP associated (or internal IP, for that matter) will not change upon instance stop or restart; if the instance is in EC2 Classic, it will.