
EC2 Instance Counts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-018

Determine if the number of Amazon EC2 instances provisioned in your AWS cloud account has reached the limit quota established by your organization for the workload deployed. By default, Trend Cloud One™ – Conformity sets a threshold value of 50 for the maximum number of provisioned EC2 instances, however, you have the capability to adjust this threshold based on your internal requirements upon enabling this rule.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Monitoring and setting limits for the maximum number of Amazon EC2 instances provisioned in your AWS cloud account helps you manage your compute capacity and prevents unexpected charges on your AWS bill in the event of an Auto Scaling misconfiguration or a large DDoS attack.

Note: The threshold for the maximum number of EC2 instances per AWS account set for this conformity rule is 50 (default value).


Audit

To determine the total number of Amazon EC2 instances available in your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Check the total number of Amazon EC2 instances available within the current AWS cloud region, listed in the top-left section of the console, i.e. Instances (<number-of-instances>).

05 Change the AWS cloud region from the navigation bar and repeat step no. 4 for all other regions. If the total number of Amazon EC2 instances across all AWS regions is greater than 50, the default (recommended) threshold has been exceeded. Take action by creating an AWS support case to limit the number of EC2 instances based on your workload requirements.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcd1234abcd1234  |
|  i-0abcdabcdabcdabcd  |
|          ...          |
|  i-01234123412341234  |
|  i-0abcd1234abcd1234  |
|  i-01234abcd1234abcd  |
+-----------------------+

Each table row returned by the describe-instances command output represents an individual EC2 instance. Identify the total number of Amazon EC2 instances listed in the command output.

03 Change the AWS cloud region by updating the --region command parameter and repeat steps no. 1 and 2 for all other regions. If the total number of Amazon EC2 instances across all AWS regions is greater than 50, the default (recommended) threshold has been exceeded. Take action by creating an AWS support case to limit the number of EC2 instances based on your workload requirements.
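The following script automates audit steps 01 to 03 across every region enabled for the account and applies the step 03 decision against the threshold. It is an added example, not Conformity's own tooling; it assumes the AWS CLI is installed and configured, and it excludes instances already in the terminated state, which describe-instances keeps reporting for a while and which would otherwise inflate the count.

```shell
#!/usr/bin/env bash
# Added example (not part of the Conformity rule page): EC2-018 audit across
# all enabled regions. Threshold defaults to the rule's default of 50.
set -u

THRESHOLD="${EC2_018_THRESHOLD:-50}"

# count_ids: count instance IDs in the --output text form of
# 'Reservations[*].Instances[*].InstanceId' (one line per reservation,
# tab-separated IDs). Prints 0 when nothing matches, e.g. on "None".
count_ids() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^i-[0-9a-f]+$/) n++ } END { print n + 0 }'
}

# verdict TOTAL THRESHOLD: the step 03 decision, EXCEEDED or OK.
verdict() {
  if [ "$1" -gt "$2" ]; then echo "EXCEEDED"; else echo "OK"; fi
}

# region_count REGION: instances in one region, excluding terminated ones.
region_count() {
  aws ec2 describe-instances --region "$1" --output text \
    --filters Name=instance-state-name,Values=pending,running,stopping,stopped \
    --query 'Reservations[*].Instances[*].InstanceId' | count_ids
}

# audit_account: sum per-region counts and print the verdict. describe-regions
# returns only regions enabled for the account, so opt-in regions you have not
# enabled are skipped.
audit_account() {
  local total=0 n region
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    n=$(region_count "$region")
    printf '%-16s %s\n' "$region" "$n"
    total=$((total + n))
  done
  printf 'TOTAL %s (threshold %s): %s\n' "$total" "$THRESHOLD" "$(verdict "$total" "$THRESHOLD")"
}

# Only call the AWS API when invoked with "run"; the helpers work offline.
if [ "${1:-}" = "run" ]; then
  audit_account
fi
```

Invoke as `bash ec2-018-audit.sh run`, or set EC2_018_THRESHOLD first if you have adjusted the rule's threshold in Conformity.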

Remediation / Resolution

To request AWS to limit the number of Amazon EC2 instances that you can launch within your AWS cloud account, perform the following actions:

Note: Creating a support case to request a limit for the number of EC2 instances using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center console at https://console.aws.amazon.com/support/.

03 In the Open support cases section, choose Create case to initiate the request process.

04 On the Create case page, perform the following operations:

  1. Select the Service limit increase option.
  2. Choose EC2 Instances from the Limit type dropdown list.
  3. In the Request <number> section, perform the following:
    • Select the AWS region where the EC2 instance limit is required from the Region dropdown list.
    • Select the appropriate instance class from the Primary Instance Type dropdown list.
    • Select Instance Limit from the Limit dropdown list.
    • In the New limit value box, enter the new EC2 instance limit to request for the selected instance class.
  4. To limit the number of Amazon EC2 instances for other instance types, choose Add another request to add as many requests as needed.
  5. For Case Description, provide a concise description stating the reason for the EC2 instance limit request. This will help the AWS support team evaluate your request.
  6. For Contact options, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that the AWS support team can use to respond to your request from the Contact methods section.
  7. Choose Submit to send your request to Amazon Web Services. A customer support representative should contact you shortly.

Publication date Jun 23, 2016