End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

EC2 Instance Generation

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-029

Ensure that all your Amazon EC2 instances are using the latest generation of instance types in order to get the best performance with lower costs.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Performance efficiency
Cost optimisation

Using the current (latest) generation of EC2 instance types instead of the previous generation has multiple advantages such as better hardware performance (faster CPUs, increased memory and network throughput), better virtualization technology (HVM), and lower costs.


Audit

To determine if there are any Amazon EC2 instances from the previous generation running within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console split panel to access the instance configuration information.

06 In the Instance summary section, check the Instance type configuration attribute value to determine if the chosen instance type is from the previous generation. If the instance type is from the previous generation, the instance type configured for the selected Amazon EC2 instance should be upgraded to the latest generation.

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom output filters to list the IDs of the Amazon EC2 instances provisioned in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested EC2 instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom filtering to describe the instance type used by the selected EC2 instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[*].InstanceType[]'

04 The command output should return the instance type configured for the selected instance:

[
	"c3.large"
]

Compare the instance type returned by the describe-instances command output with the instance types from the previous generation. If the instance type is from the previous generation, the instance type configured for the selected Amazon EC2 instance should be upgraded to the latest generation.

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
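Steps 03 and 04 leave the previous-generation comparison to the reader. The following Python script, an added example that is not part of the Conformity page, performs that comparison over the JSON that `aws ec2 describe-instances --output json` and `aws ec2 describe-instance-types --output json` return, using the `CurrentGeneration` boolean the latter carries per instance type. The instance IDs, the trimmed type catalogue and the "same family and size, newest generation" upgrade rule are constructed assumptions for this example.

```python
import json
import re

# Instance type naming: <family><generation><attributes>.<size>, e.g. c3.large, c6i.xlarge
TYPE_RE = re.compile(r"^(?P<family>[a-z]+)(?P<gen>\d+)(?P<attrs>[a-z-]*)\.(?P<size>[a-z0-9-]+)$")

# Constructed sample of `aws ec2 describe-instances --output json` (made-up IDs).
DESCRIBE_INSTANCES = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-01234abcd1234abcd", "InstanceType": "c3.large"},
  {"InstanceId": "i-0abcdabcdabcdabcd", "InstanceType": "c5.large"},
  {"InstanceId": "i-0abcd1234abcd1234", "InstanceType": "m3.medium"}]}]}""")

# Constructed, trimmed sample of `aws ec2 describe-instance-types --output json`;
# the real response carries a CurrentGeneration boolean for each instance type.
DESCRIBE_INSTANCE_TYPES = json.loads("""{"InstanceTypes": [
  {"InstanceType": "c3.large", "CurrentGeneration": false},
  {"InstanceType": "m3.medium", "CurrentGeneration": false},
  {"InstanceType": "c5.large", "CurrentGeneration": true},
  {"InstanceType": "m5.large", "CurrentGeneration": true}]}""")

def parse_instance_type(name):
    """Split 'c6i.xlarge' into family 'c', gen 6, attrs 'i', size 'xlarge'."""
    m = TYPE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised instance type: {name}")
    parts = m.groupdict()
    parts["gen"] = int(parts["gen"])
    return parts

def suggest_upgrade(old_type, catalog):
    """Newest current-generation type with the same family and size (the equivalence rule
    assumed here), or None when none exists, mirroring the gap in the console dropdown."""
    old = parse_instance_type(old_type)
    candidates = []
    for t in catalog["InstanceTypes"]:
        new = parse_instance_type(t["InstanceType"])
        if t["CurrentGeneration"] and (new["family"], new["size"]) == (old["family"], old["size"]):
            candidates.append((new["gen"], t["InstanceType"]))
    return max(candidates)[1] if candidates else None

def audit(instances, catalog):
    """Return [(instance_id, type, suggested_type)] for every non-current-generation instance."""
    is_current = {t["InstanceType"]: t["CurrentGeneration"] for t in catalog["InstanceTypes"]}
    findings = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            itype = inst["InstanceType"]
            if not is_current.get(itype, False):  # unknown types are reported, not trusted
                findings.append((inst["InstanceId"], itype, suggest_upgrade(itype, catalog)))
    return findings
```

For real data, replace the two constants with the JSON the two CLI commands return for each region you audit, repeating per `--region` as in step 06.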

Remediation / Resolution

To upgrade your previous generation Amazon EC2 instances to their latest generation equivalents, perform the following operations:

IMPORTANT: The following procedure assumes that the Amazon EC2 instances selected for upgrade are not currently used in production or for critical operations.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Change EC2 instance type (new generation type)",
    "Resources": {
        "NewGenerationInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "InstanceType": "c5.large",
                "ImageId": "ami-0abcd1234abcd1234",
                "KeyName": "ssh-key",
                "SubnetId": "subnet-1234abcd",
                "SecurityGroupIds": ["sg-01234abcd1234abcd"],
                "BlockDeviceMappings": [
                    {
                        "DeviceName": "/dev/xvda",
                        "Ebs": {
                            "VolumeSize": "30",
                            "VolumeType": "gp2"
                        }
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Change EC2 instance type (new generation type)
Resources:
  NewGenerationInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: c5.large
      ImageId: ami-0abcd1234abcd1234
      KeyName: ssh-key
      SubnetId: subnet-1234abcd
      SecurityGroupIds:
        - sg-01234abcd1234abcd
      BlockDeviceMappings:
        - DeviceName: "/dev/xvda"
          Ebs:
            VolumeSize: '30'
            VolumeType: gp2

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

resource "aws_instance" "new-generation-instance" {

    ami = "ami-0abcd1234abcd1234"
    instance_type = "c5.large"

    lifecycle {
        ignore_changes = [ami]
    }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to configure (upgrade).

05 Choose Instance state and select Stop instance.

06 In the Stop instance confirmation box, review the instance details, then choose Stop to stop the selected EC2 instance.

07 Once the instance is stopped (i.e., Instance State is set to Stopped), choose Actions, select Instance settings, and choose Change instance type.

08 On the Change instance type configuration page, select the equivalent latest generation instance type from the New instance type dropdown list, review the Instance type comparison table, and choose Change instance type to resize (upgrade) the selected Amazon EC2 instance. If the equivalent latest generation instance type is not available in the New instance type dropdown list, the recommended latest generation instance type is not compatible with your instance configuration. Use the Instance type comparison table to check for the equivalent instance type.

09 Choose Instance state and select Start instance. Once the boot sequence is complete, the Amazon EC2 instance status should change from Pending to Running.

10 Repeat steps no. 4 – 9 for each Amazon EC2 instance that you want to upgrade, available within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run stop-instances command (OSX/Linux/UNIX) to stop the Amazon EC2 instance that you want to configure:

aws ec2 stop-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd

02 The output should return the stop-instances command request information:

{
	"StoppingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 64,
				"Name": "stopping"
			},
			"PreviousState": {
				"Code": 16,
				"Name": "running"
			}
		}
	]
}

03 Run modify-instance-attribute command (OSX/Linux/UNIX) to change (upgrade) the instance type for your previous generation Amazon EC2 instance. As an example, the following command changes the instance type for an EC2 instance, identified by the ID i-01234abcd1234abcd, from c3.large (previous generation) to c5.large (latest generation). If successful, the command request does not produce an output:

aws ec2 modify-instance-attribute \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --instance-type "{\"Value\": \"c5.large\"}"

04 Run start-instances command (OSX/Linux/UNIX) to restart the configured (upgraded) Amazon EC2 instance. It may take a few minutes until the instance enters the running state:

aws ec2 start-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd

05 The output should return the start-instances command request information:

{
	"StartingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 0,
				"Name": "pending"
			},
			"PreviousState": {
				"Code": 80,
				"Name": "stopped"
			}
		}
	]
}

06 Repeat steps no. 1 – 5 for each Amazon EC2 instance that you want to upgrade, available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.


Publication date Apr 20, 2016