
EC2 Desired Instance Type

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-017

Determine if your Amazon EC2 instances have the desired instance type(s) established by your organization based on the workload deployed. The desired instance type(s) must be defined in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Setting limits on the instance type(s) that Amazon EC2 instances in your AWS cloud account can be provisioned with helps you better manage your compute capacity, meet internal compliance requirements, and prevent unexpected charges on your AWS bill.

Audit

To determine if all your Amazon EC2 instances have the desired type(s), perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access the Desired Instance Type(s) conformity rule settings, and identify the desired instance type(s) configured for EC2 instances.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Instances, choose Instances.

05 Select the Amazon EC2 instance that you want to examine.

06 Choose the Details tab from the console bottom panel to access the instance configuration details.

07 In the Instance summary section, check the Instance type configuration attribute value to determine the instance type. If the instance type is different from the one(s) allowed by your organization and identified at step no. 1, the selected Amazon EC2 instance was not launched using the desired instance type.

08 Repeat steps no. 5 – 7 for each Amazon EC2 instance available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access the Desired Instance Type(s) conformity rule settings, and identify the desired instance type(s) configured for EC2 instances.

02 Run the describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region (the trailing backslashes continue the command across lines):

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

04 Run the describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom filtering to describe the instance type used by the selected EC2 instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[*].InstanceType[]'

05 The command output should return the instance type configured for the selected EC2 instance:

[
	"m5.2xlarge"
]

Compare the instance type returned by the describe-instances command output with the one(s) allowed by your organization, identified at step no. 1. If the verified instance type is not listed in the conformity rule configuration settings, the selected Amazon EC2 instance is not using the desired instance type.

06 Repeat steps no. 4 and 5 for each Amazon EC2 instance available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
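The per-instance, per-region comparison in the audit steps above can be scripted instead of repeated by hand. The following Python is an added example, not Conformity's own code or tooling: it walks the same Reservations[*].Instances[*] structure that the describe-instances JSON output has, flags every instance whose type is not in the allowed set taken from the rule settings, and repeats the check per region. The instance IDs reuse those shown in the page's sample output; the instance types other than m5.2xlarge, the region names and the allowed set are constructed values for illustration.

```python
"""Audit Amazon EC2 instance types against an organization's allowed list.

Added example (not Conformity's own code). It applies the check from the
audit steps to the JSON that `aws ec2 describe-instances --output json`
returns, so the comparison against the rule settings can cover every
instance in every region.
"""
import json
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample in the shape of describe-instances JSON output (not real
# data); the instance IDs mirror the page's sample table.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-01234abcd1234abcd", "InstanceType": "m5.2xlarge",
             "State": {"Name": "running"}},
            {"InstanceId": "i-0abcdabcdabcdabcd", "InstanceType": "t3.micro",
             "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0abcd1234abcd1234", "InstanceType": "p3.8xlarge",
             "State": {"Name": "stopped"}},
        ]},
    ]
})

Finding = Tuple[str, str, str]  # (instance id, instance type, state)


def find_nonconforming(describe_json: str, allowed_types: Iterable[str]) -> List[Finding]:
    """Return every instance whose InstanceType is not in allowed_types.

    Walks Reservations[*].Instances[*], the same path the --query filter in
    the CLI steps uses. Stopped instances are reported too, since they can be
    started again with the same type.
    """
    allowed = {t.strip() for t in allowed_types}
    findings: List[Finding] = []
    data = json.loads(describe_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            itype = inst.get("InstanceType", "")
            if itype not in allowed:
                state = inst.get("State", {}).get("Name", "unknown")
                findings.append((inst["InstanceId"], itype, state))
    return findings


def describe_instances(region: str) -> str:
    """Fetch live describe-instances JSON for one region through the AWS CLI.

    Requires configured credentials; it is not exercised in the offline demo.
    """
    return subprocess.check_output(
        ["aws", "ec2", "describe-instances", "--region", region, "--output", "json"],
        text=True,
    )


def audit_regions(regions: Iterable[str], allowed_types: Iterable[str],
                  fetch: Callable[[str], str] = describe_instances) -> Dict[str, List[Finding]]:
    """Repeat the check for each region (audit step 07); findings keyed by region."""
    return {region: find_nonconforming(fetch(region), allowed_types) for region in regions}


if __name__ == "__main__":
    # The allowed set comes from the Desired Instance Type(s) rule settings;
    # these are assumed values for the demo.
    allowed = {"m5.2xlarge", "m5.xlarge"}
    for iid, itype, state in find_nonconforming(SAMPLE_DESCRIBE_OUTPUT, allowed):
        print(f"NON-CONFORMING {iid}: type {itype} ({state}) not in {sorted(allowed)}")
```

To run it against a live account, replace the sample with `audit_regions(["us-east-1", ...], allowed)`, which calls the AWS CLI per region; the `fetch` parameter exists so the comparison logic can be tested against saved JSON without credentials.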

Remediation / Resolution

To ensure that the creation of your Amazon EC2 instances is limited to the desired instance type(s) only, perform the following operations:

Note: Creating a support case to request instance type limitations using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center console at https://console.aws.amazon.com/support/.

03 In the Open support cases section, choose Create case to initiate the request process.

04 On the Create case page, perform the following operations:

  1. Select the Account and billing support option.
  2. Select Account from the Type dropdown list.
  3. Select Other Account Issues from the Category dropdown list.
  4. Provide the request subject in the Subject box, e.g. "Limit the creation of Amazon EC2 instances to specific instance type(s) only".
  5. For Description, provide a concise description where you list the desired instance types and explain why you need to deny the creation of Amazon EC2 instances with unwanted instance types (e.g. for compliance purposes). This will help the AWS support team to evaluate your request.
  6. For Contact options, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support team can use to respond to your request from the Contact methods section.
  7. Choose Submit to send your request to Amazon Web Services. A customer support representative should contact you shortly.

Publication date Jun 23, 2016