End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

EC2 Instance Tenancy

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-025

Ensure that your Amazon EC2 instances are using the appropriate tenancy model, i.e., Multi-Tenant Hardware (shared) or Single-Tenant Hardware (dedicated), in order to comply with your organization's regulatory requirements. Based on these tenancy models, AWS provides two types of instances: Shared Instances, which run on shared hardware where the isolation between customers is logical (enforced by the hypervisor), and Dedicated Instances/Dedicated Hosts, which run on single-tenant hardware where the isolation is physical (no other AWS customer's instances run on the same host; note that Dedicated Instances may still share a host with other, non-dedicated instances from the same AWS account). Trend Cloud One™ – Conformity recommends using Amazon EC2 Dedicated Instances or Dedicated Hosts if the regulatory and security requirements prohibit your organization's data from being physically stored on shared hardware.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

  • Security
  • Sustainability

Using the right tenancy model for your Amazon EC2 instances removes the concern that another AWS customer's workload shares the same physical host and hypervisor as your instances (the cross-tenant attack surface at the hypervisor level) and promotes better compliance.

Note: Not all EC2 instance types are eligible for the dedicated tenancy model, and both Dedicated Instances and Dedicated Hosts carry additional charges compared to shared tenancy. To verify if your instance type can be launched in a dedicated hardware environment, consult the official AWS documentation.


Audit

To determine the type of tenancy, shared or dedicated, used by your Amazon EC2 instances, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console split panel to access the instance configuration information.

06 In the Host and placement group section, check the Tenancy configuration attribute value to determine the tenancy type for the selected instance. If the attribute value is set to default, the selected EC2 instance is running on Multi-Tenant Hardware (logically isolated). If the Tenancy value is set to dedicated, the selected EC2 instance is running on Single-Tenant Hardware (physically isolated at the host hardware level). If the Tenancy value is set to host, the instance is running on a Dedicated Host, which is also Single-Tenant Hardware and additionally pins the instance to a specific physical machine.

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance available within the current AWS cloud region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom output filters to list the IDs of the Amazon EC2 instances provisioned in the selected AWS cloud region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested EC2 instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom output filters to describe the type of tenancy used by the selected EC2 instance:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd \
	--query 'Reservations[*].Instances[*].Placement.Tenancy[]'

04 The command output should return the type of the tenancy configured for the selected EC2 instance:

  1. If the command output returns "default", the selected EC2 instance is running on a Multi-Tenant Hardware (logically isolated):
    [
    	"default"
    ]
    
  2. If the describe-instances command output returns "dedicated", the selected Amazon EC2 instance is running on a Single-Tenant Hardware (physically isolated):
    [
    	"dedicated"
    ]
    
  3. If the command output returns "host", the selected EC2 instance is running on a Single-Tenant Hardware (physically isolated) that gives you full control over the instance placement at the host level:
    [
    	"host"
    ]
    

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance available in the selected AWS cloud region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
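The audit steps above examine one instance and one region at a time. The following POSIX shell script, added here as an example and not part of the Conformity page, performs the same check across every region in a single pass: it pulls InstanceId, Placement.Tenancy and State.Name for all instances with one describe-instances call per region and flags every non-terminated instance still on default (shared) tenancy. The live path (audit_all_regions) assumes an installed AWS CLI with credentials for the account and runs only when the script is invoked with --live; the sample rows at the bottom are constructed, using the placeholder instance IDs from this page plus a made-up terminated one, so the classification logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit EC2 tenancy across all
# regions in one pass. Requires the AWS CLI only for the --live path.

# classify_tenancy REGION
# Reads tab-separated rows in the shape produced by
#   aws ec2 describe-instances --output text \
#     --query 'Reservations[].Instances[].[InstanceId,Placement.Tenancy,State.Name]'
# and prints one row per instance:
#   <region> <instance-id> NON-COMPLIANT shared       (tenancy "default")
#   <region> <instance-id> COMPLIANT     <tenancy>    ("dedicated" or "host")
#   <region> <instance-id> UNKNOWN       <tenancy>    (anything else)
# Terminated instances are skipped; they linger in the API for a while.
classify_tenancy() {
    region="$1"
    while IFS="$(printf '\t')" read -r instance_id tenancy state; do
        [ -z "$instance_id" ] && continue
        [ "$state" = "terminated" ] && continue
        case "$tenancy" in
            default)        printf '%s\t%s\tNON-COMPLIANT\tshared\n' "$region" "$instance_id" ;;
            dedicated|host) printf '%s\t%s\tCOMPLIANT\t%s\n' "$region" "$instance_id" "$tenancy" ;;
            *)              printf '%s\t%s\tUNKNOWN\t%s\n' "$region" "$instance_id" "$tenancy" ;;
        esac
    done
}

# count_noncompliant: number of NON-COMPLIANT rows on stdin (0 when none).
count_noncompliant() {
    grep -c 'NON-COMPLIANT' || true
}

# audit_all_regions: live run over every enabled region in the account.
audit_all_regions() {
    for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
        aws ec2 describe-instances --region "$region" --output text \
            --query 'Reservations[].Instances[].[InstanceId,Placement.Tenancy,State.Name]' \
        | classify_tenancy "$region"
    done
}

# Constructed sample, shaped like the CLI's text output (one row per instance).
# The first three IDs are the placeholders used on this page; the fourth is
# made up to show that terminated instances are ignored.
SAMPLE="$(printf 'i-01234abcd1234abcd\tdefault\trunning\ni-0abcdabcdabcdabcd\tdedicated\trunning\ni-0abcd1234abcd1234\thost\tstopped\ni-0dead000000000000\tdefault\tterminated')"

# sample_audit: classify the constructed sample as if it came from us-east-1.
sample_audit() {
    printf '%s\n' "$SAMPLE" | classify_tenancy us-east-1
}

if [ "${1:-}" = "--live" ]; then
    audit_all_regions
else
    sample_audit
fi
```

Pipe the live output through `count_noncompliant` (or into a ticketing system) to get the number of instances that still need the Remediation procedure below; the per-row format is tab-separated so it can be fed straight into `cut`, `sort` or a spreadsheet.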

Remediation / Resolution

To relaunch (re-create) your existing Amazon EC2 instances with the appropriate tenancy, perform the following operations:

Note: You can launch or relaunch Dedicated Instances within both dedicated and non-dedicated Amazon VPCs by setting the instance tenancy type to dedicated during the launch process (a VPC whose own instance tenancy attribute is dedicated forces every instance launched into it to dedicated tenancy). Re-creation is necessary because the tenancy of an existing instance cannot be changed from default to dedicated or host after launch; only a switch between dedicated and host is possible, and only while the instance is stopped, using the modify-instance-placement command.

Using AWS CloudFormation

01 CloudFormation template (JSON). Set the "Tenancy" property to "default" to use the Default Tenancy model (logically isolated hardware environment), to "dedicated" to use the Dedicated Tenancy model (physically isolated hardware environment), or to "host" to use the Host Tenancy model (physically isolated hardware environment that provides full control over the instance placement at the host level; for "host", also set the "HostId" property to the ID of an allocated Dedicated Host that supports the instance type):

{
	"AWSTemplateFormatVersion":"2010-09-09",
	"Description":"Create EC2 instance with Default Tenancy",
	"Parameters":{
		"InstanceKeyName":{
			"Type":"AWS::EC2::KeyPair::KeyName",
			"Description":"The SSH key used to access the instance."
		},
		"InstanceSecurityGroup":{
			"Type":"AWS::EC2::SecurityGroup::Id",
			"Description":"The ID of the security group to use."
		}
	},
	"Resources":{
		"EncryptedEC2Instance":{
			"Type":"AWS::EC2::Instance",
			"Properties":{
			"ImageId":"ami-0abcd1234abcd1234",
			"InstanceType":"t2.micro",
			"KeyName":{
				"Ref":"InstanceKeyName"
			},
			"SubnetId":"subnet-abcd1234",
			"SecurityGroupIds":[
				{
					"Ref":"InstanceSecurityGroup"
				}
			],
			"BlockDeviceMappings":[
				{
					"DeviceName":"/dev/xvda",
					"Ebs":{
						"VolumeSize":"50",
						"VolumeType":"gp2"
					}
				}
			],
			"Tenancy":"default"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create EC2 instance with Default Tenancy
Parameters:
  InstanceKeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: The SSH key used to access the instance.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: The ID of the security group to use.
Resources:
  EncryptedEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t2.micro
      KeyName:
        Ref: InstanceKeyName
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - Ref: InstanceSecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/xvda"
          Ebs:
            VolumeSize: '50'
            VolumeType: gp2
      Tenancy: default

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf). Set the tenancy property to "default" to use the Default Tenancy model, to "dedicated" to use the Dedicated Tenancy model, or to "host" to use the Host Tenancy model (for "host", also set host_id, or host_resource_group_arn, so the provider knows which Dedicated Host to place the instance on):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_instance" "new-ec2-instance" {

	ami                    = "ami-0abcd1234abcd1234"
	instance_type          = "t2.micro"
	key_name               = "ssh-key"
	subnet_id              = "subnet-abcd1234"
	vpc_security_group_ids = [ "sg-01234abcd1234abcd" ]

	# /dev/xvda is the root device of the AMI; the AWS provider expects the
	# root volume to be configured through root_block_device, not ebs_block_device.
	root_block_device {
		volume_size = 50
		volume_type = "gp2"
	}

	# "default" (shared hardware), "dedicated" (single-tenant hardware) or
	# "host" (single-tenant hardware on a Dedicated Host; "host" also needs
	# host_id or host_resource_group_arn).
	tenancy = "default"

	lifecycle {
		ignore_changes = [ami]
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to re-create.

05 Choose Actions from the top-right menu, select Image and templates, and choose Create image.

06 On the Create image setup page, provide the following information:

  1. For Image name, type a unique name for your new Amazon Machine Image (AMI).
  2. (Optional) For Image description - optional, provide a short description that reflects the usage of the selected EC2 instance.
  3. Select the Reboot instance setting checkbox to ensure data consistency. When this option is selected, Amazon EC2 reboots the instance so that data is at rest when snapshots of the attached volumes are taken.
  4. (Optional) For Tags - optional, choose Tag image and snapshots together, and use the Add new tag button to create and apply user-defined tags to the new image. Tags can be used to search and filter your cloud resources or track your AWS costs.
  5. Choose Create image to create your new AMI.

07 In the left navigation panel, under Images, select AMIs, and check the Status column to determine the state of your new AMI. Once the Status is set to Available, the image is ready to be used to relaunch your Amazon EC2 instance with the correct tenancy type.

08 In the left navigation panel, under Instances, select Instances, choose Launch instances, and perform the following actions to launch your new EC2 instance:

  1. For Name and tags, provide a name tag for your instance in the Name box. (Optional) Choose Add additional tags to apply user-defined tags to your new EC2 instance. You can track compute cost and other criteria by tagging your instance.
  2. For Application and OS Images (Amazon Machine Image), select My AMIs tab, choose Owned by me, and select the name of the AMI created in step no. 6 from the Amazon Machine Image (AMI) dropdown list.
  3. For Instance type, select the required instance type from the Instance type dropdown list (must match the hardware configuration of the source instance).
  4. For Key pair (login), you can select the same key pair as the source instance from the Key pair name - required dropdown list or choose Create new key pair to create a new key pair for your instance.
  5. For Network settings, choose Select existing security group under Firewall (security groups), and select the appropriate security group(s) from the Common security groups dropdown list (must match the security group configuration of the source instance). If you need to change the VPC network settings, choose Edit, and make sure the network settings align with the source instance settings.
  6. For Configure storage, configure the storage device settings (must match the storage configuration of the source instance).
  7. For Advanced details, configure the advanced settings supported by your EC2 instance. For Tenancy, choose one of the following tenancy types based on your requirements:
    1. Select Shared - run a shared hardware instance to deploy the instance in a logically isolated hardware environment (i.e., Shared Instance). This is the default tenancy type used by most EC2 instances deployed in the AWS cloud.
    2. Select Dedicated - run a dedicated instance to deploy the instance in a physically isolated hardware environment (i.e., Dedicated Instance). This type of tenancy is used by a subset of instances that have special needs when it comes to security and compliance requirements.
    3. Select Dedicated host - launch this instance on a dedicated Host to deploy the instance in a physically isolated hardware environment (i.e., Dedicated Host). An EC2 Dedicated Host gives you the same level of isolation as a Dedicated Instance but provides additional visibility and control over how instances are placed on the physical machine so you can consistently deploy your instances to the same physical environment over time.
  8. For Summary, review the instance details, and choose Launch instance to deploy your new, compliant Amazon EC2 instance.
  9. Choose View all instances to view your new EC2 instance. Once the Instance State is set to Running, your new instance is ready to use.

09 (Optional) To stop incurring any charges for your non-compliant (source) instance, you must terminate it. To shut down the instance, perform the following actions:

  1. In the left navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to terminate.
  3. Choose Instance state and select Terminate (delete) instance.
  4. In the Terminate (delete) instance confirmation box, review the instance details, then choose Terminate (delete) to terminate the selected EC2 instance.

10 Repeat steps no. 2 – 9 for each Amazon EC2 instance that you want to re-create, available within the current AWS cloud region.

11 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) to list the configuration information for the Amazon EC2 instance that you want to re-create (i.e., source instance):

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd \
	--query 'Reservations[*].Instances[]'

02 The command output should return the configuration information necessary for re-creating your Amazon EC2 instance:

[
	{
		"Architecture": "x86_64",
		"BlockDeviceMappings": [
			{
				"DeviceName": "/dev/xvda",
				"Ebs": {
					"AttachTime": "2025-07-01T11:00:32+00:00",
					"DeleteOnTermination": true,
					"Status": "attached",
					"VolumeId": "vol-0abcd1234abcd1234"
				}
			}
		],
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"NetworkInterfaces": [
			{
				"Association": {
					"IpOwnerId": "amazon",
					"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
					"PublicIp": "xxx.xxx.xxx.xxx"
				},
				"Attachment": {
					"AttachTime": "2025-07-01T11:00:31+00:00",
					"AttachmentId": "eni-attach-01234abcd1234abcd",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attached",
					"NetworkCardIndex": 0
				},
				"Description": "",
				"Groups": [
					{
						"GroupId": "sg-0abcd1234abcd1234",
						"GroupName": "cc-project5-security-group"
					}
				],
				"Ipv6Addresses": [],
				"NetworkInterfaceId": "eni-01234abcd1234abcd",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
				"PrivateIpAddress": "172.10.20.30",
				"PrivateIpAddresses": [
					{
						"Association": {
							"IpOwnerId": "amazon",
							"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
							"PublicIp": "xxx.xxx.xxx.xxx"
						},
						"Primary": true,
						"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
						"PrivateIpAddress": "172.10.20.30"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-01234abcd1234abcd",
				"VpcId": "vpc-0abcd1234abcd1234",
				"InterfaceType": "interface",
				"Operator": {
					"Managed": false
				}
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupId": "sg-0abcd1234abcd1234",
				"GroupName": "cc-project5-security-group"
			}
		],
		"SourceDestCheck": true,
		"Tags": [
			{
				"Key": "Name",
				"Value": "cc-project5-prod-instance"
			}
		],
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 1,
			"ThreadsPerCore": 1
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"HibernationOptions": {
			"Configured": false
		},
		"MetadataOptions": {
			"State": "applied",
			"HttpTokens": "required",
			"HttpPutResponseHopLimit": 2,
			"HttpEndpoint": "enabled",
			"HttpProtocolIpv6": "disabled",
			"InstanceMetadataTags": "disabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		},
		"BootMode": "uefi-preferred",
		"PlatformDetails": "Linux/UNIX",
		"UsageOperation": "RunInstances",
		"UsageOperationUpdateTime": "2025-07-01T11:00:31+00:00",
		"PrivateDnsNameOptions": {
			"HostnameType": "ip-name",
			"EnableResourceNameDnsARecord": true,
			"EnableResourceNameDnsAAAARecord": false
		},
		"MaintenanceOptions": {
			"AutoRecovery": "default",
			"RebootMigration": "default"
		},
		"CurrentInstanceBootMode": "legacy-bios",
		"NetworkPerformanceOptions": {
			"BandwidthWeighting": "default"
		},
		"Operator": {
			"Managed": false
		},
		"InstanceId": "i-01234abcd1234abcd",
		"ImageId": "ami-0abcd1234abcd1234",
		"State": {
			"Code": 16,
			"Name": "running"
		},
		"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
		"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
		"StateTransitionReason": "",
		"KeyName": "cc-project5-ssh-key",
		"AmiLaunchIndex": 0,
		"ProductCodes": [],
		"InstanceType": "t2.micro",
		"LaunchTime": "2025-07-01T10:01:31+00:00",
		"Placement": {
			"GroupName": "",
			"Tenancy": "default",
			"AvailabilityZone": "us-east-1a"
		},
		"Monitoring": {
			"State": "disabled"
		},
		"SubnetId": "subnet-01234abcd1234abcd",
		"VpcId": "vpc-0abcd1234abcd1234",
		"PrivateIpAddress": "172.10.20.30",
		"PublicIpAddress": "xxx.xxx.xxx.xxx"
	}
]

03 Run create-image command (OSX/Linux/UNIX) to create an Amazon Machine Image (AMI) from the source Amazon EC2 instance described in the previous step. Keep the default reboot behavior (the --reboot command parameter) to ensure data consistency: Amazon EC2 shuts the instance down before the snapshots of the attached volumes are taken, so that data is at rest, and restarts it afterwards. Only use --no-reboot if you accept that the file system of the running instance may be captured in an inconsistent state:

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-01234abcd1234abcd \
	--name "Project5 Prod Instance AMI" \
	--description "Production Stack AMI version 2.0" \
	--reboot

04 The command output should return the ID of the new Amazon Machine Image (AMI):

{
	"ImageId": "ami-0abcdabcdabcdabcd"
}

05 Perform run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from the AMI created in the previous steps. Use the information returned in step no. 2 to configure your new EC2 instance (the --instance-type, --key-name, --subnet-id and --security-group-ids values must match the source instance). Set the --placement parameter to: Tenancy=default - to use the Default Tenancy model (i.e., logically isolated hardware environment), Tenancy=dedicated - to use the Dedicated Tenancy model (i.e., physically isolated hardware environment), or Tenancy=host - to use the Host Tenancy model (physically isolated hardware environment that provides full control over the instance placement at the host level). For Tenancy=host, a Dedicated Host that supports the instance type must already be allocated in the target Availability Zone; add HostId=<host-id> to the --placement value to target a specific host, otherwise Amazon EC2 places the instance on an allocated host that has auto-placement enabled:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-0abcdabcdabcdabcd \
	--count 1 \
	--instance-type t2.micro \
	--key-name cc-project5-ssh-key \
	--subnet-id subnet-01234abcd1234abcd \
	--security-group-ids sg-0abcd1234abcd1234 \
	--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=cc-project5-prod-instance}]' \
	--placement Tenancy=default \
	--query 'Instances[]'

06 The command output should return the configuration information for the newly created EC2 instance:

[
	{
		"Architecture": "x86_64",
		"BlockDeviceMappings": [],
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"NetworkInterfaces": [
			{
				"Attachment": {
					"AttachTime": "2025-07-01T11:50:48+00:00",
					"AttachmentId": "eni-attach-01234abcd1234abcd",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attaching",
					"NetworkCardIndex": 0
				},
				"Description": "",
				"Groups": [
					{
						"GroupId": "sg-0abcd1234abcd1234",
						"GroupName": "cc-project5-security-group"
					}
				],
				"Ipv6Addresses": [],
				"NetworkInterfaceId": "eni-01234abcd1234abcd",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
				"PrivateIpAddress": "172.20.30.40",
				"PrivateIpAddresses": [
					{
						"Primary": true,
						"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
						"PrivateIpAddress": "172.20.30.40"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-01234abcd1234abcd",
				"VpcId": "vpc-0abcd1234abcd1234",
				"InterfaceType": "interface",
				"Operator": {
					"Managed": false
				}
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupId": "sg-0abcd1234abcd1234",
				"GroupName": "cc-project5-security-group"
			}
		],
		"SourceDestCheck": true,
		"StateReason": {
			"Code": "pending",
			"Message": "pending"
		},
		"Tags": [
			{
				"Key": "Name",
				"Value": "cc-project5-prod-instance"
			}
		],
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 1,
			"ThreadsPerCore": 1
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"MetadataOptions": {
			"State": "pending",
			"HttpTokens": "required",
			"HttpPutResponseHopLimit": 2,
			"HttpEndpoint": "enabled",
			"HttpProtocolIpv6": "disabled",
			"InstanceMetadataTags": "disabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		},
		"BootMode": "uefi-preferred",
		"PrivateDnsNameOptions": {
			"HostnameType": "ip-name",
			"EnableResourceNameDnsARecord": false,
			"EnableResourceNameDnsAAAARecord": false
		},
		"MaintenanceOptions": {
			"AutoRecovery": "default",
			"RebootMigration": "default"
		},
		"CurrentInstanceBootMode": "legacy-bios",
		"Operator": {
			"Managed": false
		},
		"InstanceId": "i-0abcd1234abcd1234",
		"ImageId": "ami-0abcdabcdabcdabcd",
		"State": {
			"Code": 0,
			"Name": "pending"
		},
		"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
		"PublicDnsName": "",
		"StateTransitionReason": "",
		"KeyName": "cc-project5-ssh-key",
		"AmiLaunchIndex": 0,
		"ProductCodes": [],
		"InstanceType": "t2.micro",
		"LaunchTime": "2025-07-01T11:50:48+00:00",
		"Placement": {
			"GroupName": "",
			"Tenancy": "default",
			"AvailabilityZone": "us-east-1a"
		},
		"Monitoring": {
			"State": "disabled"
		},
		"SubnetId": "subnet-01234abcd1234abcd",
		"VpcId": "vpc-0abcd1234abcd1234",
		"PrivateIpAddress": "172.20.30.40"
	}
]

07 (Optional) You can terminate the source (non-compliant) EC2 instance in order to stop incurring charges for it. To shut down the instance, run terminate-instances command (OSX/Linux/UNIX) with the source instance ID as the identifier parameter:

aws ec2 terminate-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd

08 The output should return the terminate-instances command request information:

{
	"TerminatingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 32,
				"Name": "shutting-down"
			},
			"PreviousState": {
				"Code": 16,
				"Name": "running"
			}
		}
	]
}

09 Repeat steps no. 1 – 8 for each Amazon EC2 instance that you want to re-create, available in the selected AWS cloud region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
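The CLI remediation above is a sequence of separate commands. The following POSIX shell script, added here as an example and not part of the Conformity page, chains them for one instance and adds the checks a practitioner would want: it stops early when the source already has the requested tenancy (a relaunch is the only way off default tenancy, so the script first reads the current value), builds the --placement argument (host tenancy is refused without a Dedicated Host ID), keeps the consistency-preserving --reboot when creating the AMI, waits for the image and the new instance with the aws ec2 wait subcommands, and reads the tenancy of the new instance back from the API before reporting success. It assumes an installed AWS CLI with credentials for the target account; the instance and host IDs in the usage comment are placeholders, and the live path runs only when the script is given at least three arguments.

```shell
#!/bin/sh
# Added example (not from the Conformity page): relaunch one EC2 instance
# with the requested tenancy and verify the result. Requires the AWS CLI
# for relaunch_with_tenancy; the helper functions run offline.
set -u

# build_placement TENANCY [HOST_ID]
# Prints the value for `aws ec2 run-instances --placement`. "host" tenancy
# needs a Dedicated Host to land on, so a host ID is mandatory there;
# "default" and "dedicated" take no extra fields.
build_placement() {
    case "$1" in
        default|dedicated)
            printf 'Tenancy=%s\n' "$1" ;;
        host)
            if [ -z "${2:-}" ]; then
                echo "host tenancy requires a Dedicated Host ID" >&2
                return 1
            fi
            printf 'Tenancy=host,HostId=%s\n' "$2" ;;
        *)
            echo "unknown tenancy '$1' (expected default|dedicated|host)" >&2
            return 1 ;;
    esac
}

# needs_relaunch CURRENT TARGET
# Tenancy cannot be changed from "default" after launch, so a relaunch is the
# only path off shared hardware. Returns 0 when a relaunch is required and
# 1 when the instance already has the target tenancy.
needs_relaunch() {
    [ "$1" != "$2" ]
}

# relaunch_with_tenancy REGION INSTANCE_ID TENANCY [HOST_ID]
relaunch_with_tenancy() {
    region="$1"; src="$2"; target="$3"; host_id="${4:-}"
    placement="$(build_placement "$target" "$host_id")" || return 1

    # Carry over the settings that must match the source instance, as one
    # tab-separated line (the field order matches the `read` below).
    IFS="$(printf '\t')" read -r current subnet sg keyname itype <<EOF
$(aws ec2 describe-instances --region "$region" --instance-ids "$src" --output text \
    --query 'Reservations[0].Instances[0].[Placement.Tenancy,SubnetId,SecurityGroups[0].GroupId,KeyName,InstanceType]')
EOF
    if ! needs_relaunch "$current" "$target"; then
        echo "$src already has tenancy '$target'; nothing to do" >&2
        return 0
    fi

    # --reboot (the CLI default) stops the instance before the snapshot so the
    # file system is captured at rest; --no-reboot risks an inconsistent image.
    ami="$(aws ec2 create-image --region "$region" --instance-id "$src" \
        --name "${src}-tenancy-${target}-$(date +%Y%m%d%H%M%S)" --reboot \
        --query ImageId --output text)"
    aws ec2 wait image-available --region "$region" --image-ids "$ami"

    new_id="$(aws ec2 run-instances --region "$region" --image-id "$ami" --count 1 \
        --instance-type "$itype" --key-name "$keyname" --subnet-id "$subnet" \
        --security-group-ids "$sg" --placement "$placement" \
        --query 'Instances[0].InstanceId' --output text)"
    aws ec2 wait instance-running --region "$region" --instance-ids "$new_id"

    # Do not trust the request; read the tenancy back from the API.
    got="$(aws ec2 describe-instances --region "$region" --instance-ids "$new_id" \
        --query 'Reservations[0].Instances[0].Placement.Tenancy' --output text)"
    if [ "$got" != "$target" ]; then
        echo "new instance $new_id has tenancy '$got', expected '$target'" >&2
        return 1
    fi
    echo "$new_id"
}

# Live usage (placeholder IDs; the host ID is hypothetical):
#   ./relaunch.sh us-east-1 i-01234abcd1234abcd dedicated
#   ./relaunch.sh us-east-1 i-01234abcd1234abcd host h-0123456789abcdef0
if [ $# -ge 3 ]; then
    relaunch_with_tenancy "$@"
fi
```

The script intentionally does not terminate the source instance: keep it until the new instance has been validated by its owners, then run terminate-instances as in step no. 7.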


Publication date Jun 14, 2016