EC2 Instance Tenancy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-025

Ensure that your Amazon EC2 instances use the tenancy model that your organization's regulatory requirements call for: multi-tenant (shared) hardware or single-tenant (dedicated) hardware. EC2 exposes this choice through the instance tenancy attribute, which takes one of three values: default, for shared instances that run on hardware shared with other AWS accounts and are isolated logically by the hypervisor; dedicated, for Dedicated Instances that run on hardware reserved for your AWS account; and host, for instances placed on a Dedicated Host that you allocate, which adds visibility into and control over the physical server (for example, for socket- or core-based software licenses). Both dedicated and host tenancy isolate you from other AWS customers at the hardware level; Dedicated Instances belonging to the same account may still share a physical host. Trend Cloud One™ – Conformity strongly recommends using Amazon EC2 Dedicated Instances or Dedicated Hosts if regulatory or security requirements prohibit your organization's data from being processed or stored on hardware shared with other customers.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework, under the following pillars:

  • Security
  • Sustainability

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Using the right tenancy model for your Amazon EC2 instances removes the risk of sharing a physical host, and therefore its hypervisor, CPUs and caches, with the workloads of other AWS customers, and it provides the physical isolation that some regulatory frameworks require. It does not replace guest-level hardening: a Dedicated Instance is still a virtual machine with the same network exposure, IAM permissions and patching needs as a shared one.

Note: Not all EC2 instance types are eligible for the dedicated tenancy model. To verify if your instance type can be launched in a dedicated hardware environment, consult the official AWS documentation at https://aws.amazon.com/ec2/purchasing-options/dedicated-instances/. A launch request that combines an ineligible instance type with dedicated or host tenancy is rejected with an error; it does not fall back to shared hardware.


Audit

To determine the type of tenancy, shared or dedicated, used by your Amazon EC2 instances, perform the following actions:

Note: Dedicated Hosts are a separate resource from instances. To determine if you have any Amazon EC2 Dedicated Hosts (physically isolated servers allocated to your account), choose Dedicated Hosts from the console navigation panel and check the allocated hosts and the instances running on each of them; those instances report a tenancy of host in the audit steps below.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console bottom panel to access the instance configuration details.

06 In the Host and placement group section, check the Tenancy configuration attribute value to determine the instance tenancy type. If the attribute value is set to default, the selected Amazon EC2 instance is running on Multi-Tenant Hardware (logically isolated). If the Tenancy attribute value is set to dedicated, the selected EC2 instance is running on Single-Tenant Hardware (physically isolated at the host hardware level). If the value is set to host, the instance is running on a Dedicated Host allocated to your account (also physically isolated); the Host ID attribute in the same section identifies that host.

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom filtering to describe the type of tenancy used by the selected EC2 instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[*].Placement.Tenancy[]'

04 The command output should return the type of the tenancy configured for the selected Amazon EC2 instance:

  1. If the command output returns "default", the selected EC2 instance is running on a Multi-Tenant Hardware (logically isolated):
    [
        "default"
    ]
    
  2. If the describe-instances command output returns "dedicated", the selected Amazon EC2 instance is running on a Single-Tenant Hardware (physically isolated):
    [
        "dedicated"
    ]
    
  3. If the command output returns "host", the selected EC2 instance is running on a Dedicated Host allocated to your account, i.e. on Single-Tenant Hardware (physically isolated) with full control over the instance placement at the host level:
    [
        "host"
    ]
    

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
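The steps above examine one instance per command. A single describe-instances call that lists the InstanceId and Placement.Tenancy pair, --query 'Reservations[].Instances[].[InstanceId,Placement.Tenancy]', or the --filters Name=tenancy,Values=default filter for shared instances only, covers a whole region in one pass. The following Python script, added here as an example and not part of Conformity's own checks, evaluates that output offline against a simple policy: instances carrying a DataClassification=regulated tag (the tag name and value are an assumption of this example) must report dedicated or host tenancy. The describe-instances JSON embedded in it is constructed sample data, and the fetch_describe_instances helper shows how to obtain real input from the AWS CLI.

```python
"""Tenancy audit over `aws ec2 describe-instances --output json` (added example).

Not Conformity's own check. SAMPLE_DESCRIBE_INSTANCES is constructed data that
mirrors the describe-instances JSON shape; the DataClassification=regulated tag
is an assumed convention marking instances that must not run on shared hardware.
"""
import json
import subprocess

SHARED = "default"                # multi-tenant hardware, logical isolation only
ISOLATED = {"dedicated", "host"}  # Dedicated Instance / Dedicated Host
REGULATED_TAG = ("DataClassification", "regulated")  # assumption of this example

SAMPLE_DESCRIBE_INSTANCES = json.loads(r"""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-01234abcd1234abcd", "State": {"Name": "running"},
       "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"},
       "Tags": [{"Key": "DataClassification", "Value": "regulated"}]},
      {"InstanceId": "i-0abcdabcdabcdabcd", "State": {"Name": "running"},
       "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "dedicated"},
       "Tags": [{"Key": "DataClassification", "Value": "regulated"}]}
    ]},
    {"Instances": [
      {"InstanceId": "i-0abcd1234abcd1234", "State": {"Name": "running"},
       "Placement": {"AvailabilityZone": "us-east-1b", "Tenancy": "host",
                     "HostId": "h-0123456789abcdef0"},
       "Tags": [{"Key": "DataClassification", "Value": "regulated"}]},
      {"InstanceId": "i-0aaaabbbbccccdddd", "State": {"Name": "running"},
       "Placement": {"AvailabilityZone": "us-east-1b", "Tenancy": "default"}},
      {"InstanceId": "i-0eeeeffff00001111", "State": {"Name": "terminated"},
       "Placement": {"AvailabilityZone": "us-east-1b", "Tenancy": "default"},
       "Tags": [{"Key": "DataClassification", "Value": "regulated"}]}
    ]}
  ]
}
""")


def live_instances(describe_output):
    """Yield every instance from every reservation, skipping terminated ones
    (describe-instances keeps listing them for a while after termination)."""
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            if instance.get("State", {}).get("Name") != "terminated":
                yield instance


def tenancy_by_instance(describe_output):
    """Map InstanceId -> Placement.Tenancy ("default", "dedicated" or "host")."""
    return {i["InstanceId"]: i["Placement"]["Tenancy"]
            for i in live_instances(describe_output)}


def has_tag(instance, key, value):
    """True if the instance carries the given tag key/value pair."""
    return any(t.get("Key") == key and t.get("Value") == value
               for t in instance.get("Tags", []))


def noncompliant_instances(describe_output, regulated_tag=REGULATED_TAG):
    """Sorted IDs of tagged (regulated) instances that still run on shared hardware."""
    key, value = regulated_tag
    return sorted(i["InstanceId"] for i in live_instances(describe_output)
                  if has_tag(i, key, value) and i["Placement"]["Tenancy"] == SHARED)


def fetch_describe_instances(region):
    """Real input: the same describe-instances call as the audit steps above.
    The CLI paginates automatically, so one call returns the whole region."""
    proc = subprocess.run(
        ["aws", "ec2", "describe-instances", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    data = SAMPLE_DESCRIBE_INSTANCES  # replace with fetch_describe_instances("us-east-1")
    for iid, tenancy in tenancy_by_instance(data).items():
        print(f"{iid}  {tenancy:<9}  {'isolated' if tenancy in ISOLATED else 'SHARED'}")
    print("non-compliant:", noncompliant_instances(data))
```

Run it once per region (the --region value of fetch_describe_instances), as the console and CLI steps above also work one region at a time. Terminated instances are skipped on purpose: they still appear in describe-instances output for a while and would otherwise produce false findings.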

Remediation / Resolution

To relaunch (re-create) your existing Amazon EC2 instances with the appropriate tenancy, perform the following actions:

Note: The tenancy of an instance cannot be changed from default to dedicated or host after launch, which is why the instance has to be re-created; a stopped instance can only be switched between dedicated and host tenancy, using the modify-instance-placement command. You can launch or relaunch Dedicated Instances within both dedicated and non-dedicated Amazon VPCs by setting the instance tenancy type to "dedicated" during the launch process. An instance launched with default tenancy into a VPC whose own instance tenancy is dedicated automatically becomes a Dedicated Instance.

Using AWS CloudFormation

01 CloudFormation template (JSON). Set the "Tenancy" property to "default" to use the Default Tenancy model (logically isolated hardware environment), to "dedicated" to use the Dedicated Tenancy model (physically isolated hardware environment), or to "host" to use the Host Tenancy model (physically isolated hardware environment that provides full control over the instance placement at the host level). Host tenancy requires a Dedicated Host already allocated in the target Availability Zone: target it with the "HostId" property, or leave that property out to rely on a host with auto-placement enabled:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Create EC2 instance with Default Tenancy",
    "Parameters": {
        "InstanceKeyName": {
            "Type": "AWS::EC2::KeyPair::KeyName",
            "Description": "The SSH key used to access the instance."
        },
        "InstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup::Id",
            "Description": "The ID of the security group to use."
        }
    },
    "Resources": {
        "EC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-0abcd1234abcd1234",
                "InstanceType": "t2.micro",
                "KeyName": {
                    "Ref": "InstanceKeyName"
                },
                "SubnetId": "subnet-abcd1234",
                "SecurityGroupIds": [
                    {
                        "Ref": "InstanceSecurityGroup"
                    }
                ],
                "BlockDeviceMappings": [
                    {
                        "DeviceName": "/dev/xvda",
                        "Ebs": {
                            "VolumeSize": 50,
                            "VolumeType": "gp2"
                        }
                    }
                ],
                "Tenancy": "default"
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create EC2 instance with Default Tenancy
Parameters:
  InstanceKeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: The SSH key used to access the instance.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: The ID of the security group to use.
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t2.micro
      KeyName: !Ref InstanceKeyName
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 50
            VolumeType: gp2
      # default = shared hardware, dedicated = Dedicated Instance, host = Dedicated Host
      Tenancy: default

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf). Set the tenancy argument to "default" to use the Default Tenancy model, to "dedicated" to use the Dedicated Tenancy model, or to "host" to use the Host Tenancy model. Host tenancy requires a Dedicated Host already allocated in the target Availability Zone: target it with the host_id argument, or leave it out to rely on a host with auto-placement enabled:

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

resource "aws_instance" "new_ec2_instance" {

    ami                    = "ami-0abcd1234abcd1234"
    instance_type          = "t2.micro"
    key_name               = "ssh-key"
    subnet_id              = "subnet-abcd1234"
    vpc_security_group_ids = ["sg-01234abcd1234abcd"]

    # /dev/xvda is the AMI's root volume, so it is sized through
    # root_block_device rather than ebs_block_device
    root_block_device {
        volume_size = 50
        volume_type = "gp2"
    }

    # "default" = shared hardware, "dedicated" = Dedicated Instance,
    # "host" = Dedicated Host (add host_id = "h-..." to target one host)
    tenancy = "default"

    lifecycle {
        ignore_changes = [ami]
    }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to re-create.

05 Click on the Actions dropdown menu from the console top menu, select Image and templates, and choose Create image.

06 On the Create image setup page, provide the following information:

  1. In the Image name box, enter a unique name for the new AMI.
  2. (Optional) In the Image description box, provide a short description that reflects the usage of the selected EC2 instance.
  3. Under No reboot, leave Enable unchecked so that the Amazon EC2 service stops the instance before the snapshot is taken and can guarantee the file system integrity of the new AMI (the instance is started again afterwards).
  4. (Optional) For Tags, choose Tag image and snapshots together and use the Add tag button to create and apply user-defined tags to the new image.
  5. Choose Create image to create your new AMI.

07 Once the new image is ready, use it to relaunch your Amazon EC2 instance with the correct tenancy type. On the Instances listing page, choose Launch instances and perform the following operations:

  1. For Step 1: Choose an Amazon Machine Image (AMI), choose My AMIs tab, and select the Amazon Machine Image (AMI) created at step no. 6.
  2. For Step 2: Choose an Instance Type, select the required instance type (must match the instance type used by the source instance). Choose Next: Configure Instance Details to continue the setup process.
  3. For Step 3: Configure Instance Details, perform the following actions:
    • From the Tenancy dropdown list, select one of the following tenancy types based on your requirements:
      • Shared: Run a shared hardware instance – to deploy the instance in a logically isolated hardware environment (Shared Instance). This is the default tenancy type used by most EC2 instances deployed in the AWS cloud.
      • Dedicated: Run a Dedicated instance – to deploy the instance in a physically isolated hardware environment (Dedicated Instance). This type of tenancy is used by a subset of instances that have special needs when it comes to security and compliance requirements.
      • Dedicated host: Launch this instance on a Dedicated host – to deploy the instance in a physically isolated hardware environment (Dedicated Host). An EC2 Dedicated Host gives you the same level of isolation as a Dedicated Instance but provides additional visibility and control over how instances are placed on the physical machine so you can consistently deploy your instances to the same physical environment over time.
    • Configure the network, identity management, behavior, and metadata settings. The new instance configuration must match the source instance configuration. Choose Next: Add Storage to continue the setup process.
  4. For Step 4: Add Storage, configure the storage device settings. Choose Next: Add Tags to set up the instance tags.
  5. For Step 5: Add Tags, use the Add tag button to create and apply user-defined tags to the new EC2 instance. You can track compute cost and other criteria by tagging your instance. Choose Configure Security Group to continue the setup process.
  6. For Step 6: Configure Security Group, choose Select an existing security group and select the security group(s) associated with the source Amazon EC2 instance. Choose Review and Launch to continue.
  7. For Step 7: Review Instance Launch, review your EC2 instance configuration details, then choose Launch.
  8. In the Select an existing key pair or create a new key pair configuration box, select Choose an existing key pair and use the same key pair as the source instance. Select the I acknowledge that I have access to the selected private key file (<key-name>.pem), and that without this file, I won't be able to log into my instance checkbox for confirmation, then choose Launch Instances to launch your new Amazon EC2 instance.
  9. Choose View Instances to return to the Instances page.

08 (Optional) After you have verified and tested your new Amazon EC2 instance, you can transfer the Elastic IP (EIP) from the source (non-compliant) instance to the new instance. If the source instance does not have an EIP attached, you must update the domain DNS record(s) or any other application settings that point to the source instance, in order to switch to the new instance IP. To transfer the Elastic IP, perform the following actions:

  1. In the navigation panel, under Network & Security, select Elastic IPs.
  2. Select the Elastic IP address attached to the source instance, choose Actions, and select Disassociate Elastic IP address.
  3. In the Disassociate Elastic IP address confirmation box, review the EIP details, then choose Disassociate.
  4. Select the same IP address, choose Actions and select Associate Elastic IP address.
  5. In the Associate Elastic IP address configuration box, perform the following:
    • For Resource type, choose Instance.
    • For Instance, select the ID of the newly created EC2 instance created at step no. 7.
    • Choose Associate to attach the Elastic IP.

09 (Optional) You can terminate the source Amazon EC2 instance in order to stop incurring charges for it. To shut down the instance, perform the following actions:

  1. In the navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to terminate.
  3. Choose Instance state and select Terminate instance.
  4. In the Terminate instance? confirmation box, review the instance details, then choose Terminate to shut down the selected EC2 instance.

10 Repeat steps no. 4 – 9 for each Amazon EC2 instance that you want to re-create, available within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) to list the configuration information available for the Amazon EC2 instance that you want to re-create:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[]'

02 The command output should return an array with the requested configuration information:

[
    {
        "AmiLaunchIndex": 0,
        "ImageId": "ami-0abcd1234abcd1234",
        "InstanceId": "i-01234abcd1234abcd",
        "InstanceType": "t2.micro",
        "KeyName": "conformity",
        "LaunchTime": "2021-03-10T10:00:00+00:00",
        "Monitoring": {
            "State": "disabled"
        },
        "Placement": {
            "AvailabilityZone": "us-east-1a",
            "GroupName": "",
            "Tenancy": "dedicated"
        },
        "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
        "PrivateIpAddress": "10.0.0.15",
        "ProductCodes": [],
        "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
        "PublicIpAddress": "10.0.1.20",
        "State": {
            "Code": 16,
            "Name": "running"
        },
        "StateTransitionReason": "",
        "SubnetId": "subnet-abcd1234",
        "VpcId": "vpc-1234abcd",
        "Architecture": "x86_64",
        "BlockDeviceMappings": [
            {
                "DeviceName": "/dev/xvda",
                "Ebs": {
                    "AttachTime": "2021-03-10T10:00:00+00:00",
                    "DeleteOnTermination": true,
                    "Status": "attached",
                    "VolumeId": "vol-0abcd1234abcd1234"
                }
            }
        ],
        "ClientToken": "",
        "EbsOptimized": false,
        "EnaSupport": true,
        "Hypervisor": "xen",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
            "Id": "ABCDABCDABCDABCDABCDA"
        },
        "NetworkInterfaces": [
            {
                "Association": {
                    "IpOwnerId": "amazon",
                    "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
                    "PublicIp": "10.0.1.20"
                },
                "Attachment": {
                    "AttachTime": "2021-03-10T10:00:00+00:00",
                    "AttachmentId": "eni-attach-0abcd1234abcd1234",
                    "DeleteOnTermination": true,
                    "DeviceIndex": 0,
                    "Status": "attached",
                    "NetworkCardIndex": 0
                },
                "Description": "Primary network interface",
                "Groups": [
                    {
                        "GroupName": "cc-prod-security-group",
                        "GroupId": "sg-01234abcd1234abcd"
                    }
                ],
                "Ipv6Addresses": [],
                "MacAddress": "0e:53:19:7b:62:6b",
                "NetworkInterfaceId": "eni-0abcd1234abcd1234",
                "OwnerId": "123456789012",
                "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
                "PrivateIpAddress": "10.0.0.15",
                "PrivateIpAddresses": [
                    {
                        "Association": {
                            "IpOwnerId": "amazon",
                            "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
                            "PublicIp": "10.0.1.20"
                        },
                        "Primary": true,
                        "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
                        "PrivateIpAddress": "10.0.0.15"
                    }
                ],
                "SourceDestCheck": true,
                "Status": "in-use",
                "SubnetId": "subnet-abcd1234",
                "VpcId": "vpc-1234abcd",
                "InterfaceType": "interface"
            }
        ],
        "RootDeviceName": "/dev/xvda",
        "RootDeviceType": "ebs",
        "SecurityGroups": [
            {
                "GroupName": "cc-prod-security-group",
                "GroupId": "sg-01234abcd1234abcd"
            }
        ],
        "SourceDestCheck": true,
        "VirtualizationType": "hvm",
        "CpuOptions": {
            "CoreCount": 1,
            "ThreadsPerCore": 1
        },
        "CapacityReservationSpecification": {
            "CapacityReservationPreference": "open"
        },
        "HibernationOptions": {
            "Configured": false
        },
        "MetadataOptions": {
            "State": "applied",
            "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1,
            "HttpEndpoint": "enabled"
        },
        "EnclaveOptions": {
            "Enabled": false
        }
    }
]

03 Run create-image command (OSX/Linux/UNIX) to create an image from the source Amazon EC2 instance described at the previous step. Do not add the --no-reboot parameter: the default behavior (made explicit here with --reboot) shuts the instance down before the snapshot is taken, which is what guarantees the file system integrity of the new AMI, and starts it again afterwards. Plan for that short outage of the source instance:

aws ec2 create-image \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --name "Project5 EC2 Instance AMI" \
  --description "Production Stack AMI ver. 1.8" \
  --reboot

04 The command output should return the ID of the new Amazon Machine Image (AMI):

{
    "ImageId": "ami-0abcdabcdabcdabcd"
}

05 Execute run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from the AMI created at the previous steps. Use the information returned at step no. 2 for the instance configuration parameters; the instance type, key pair, subnet, security groups and IAM instance profile must match the source instance. Set the --placement parameter to Tenancy=default to use the Default Tenancy model (logically isolated hardware environment), Tenancy=dedicated to use the Dedicated Tenancy model (physically isolated hardware environment), or Tenancy=host to use the Host Tenancy model (physically isolated hardware environment that provides full control over the instance placement at the host level). Host tenancy requires a Dedicated Host already allocated in the target Availability Zone, targeted with Tenancy=host,HostId=<host-id> or chosen automatically from hosts with auto-placement enabled:

aws ec2 run-instances \
  --region us-east-1 \
  --image-id ami-0abcdabcdabcdabcd \
  --count 1 \
  --instance-type t2.micro \
  --key-name conformity \
  --subnet-id subnet-abcd1234 \
  --security-group-ids sg-01234abcd1234abcd \
  --iam-instance-profile Name="ec2-manager-role" \
  --placement Tenancy=default

06 The command output should return the configuration metadata for the newly created EC2 instance:

{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-0abcdabcdabcdabcd",
            "InstanceId": "i-01234123412341234",
            "InstanceType": "t2.micro",
            "KeyName": "conformity",
            "LaunchTime": "2021-03-22T17:29:43+00:00",
            "Monitoring": {
                "State": "disabled"
            },
            "Placement": {
                "AvailabilityZone": "us-east-1a",
                "GroupName": "",
                "Tenancy": "default"
            },
            "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
            "PrivateIpAddress": "10.0.0.5",
            "ProductCodes": [],
            "PublicDnsName": "",
            "State": {
                "Code": 0,
                "Name": "pending"
            },
            "StateTransitionReason": "",
            "SubnetId": "subnet-abcd1234",
            "VpcId": "vpc-1234abcd",
            "Architecture": "x86_64",
            "BlockDeviceMappings": [],
            "EbsOptimized": false,
            "EnaSupport": true,
            "Hypervisor": "xen",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
                "Id": "ABCDABCDABCDABCDABCD"
            },
            "NetworkInterfaces": [
                {
                    "Attachment": {
                        "AttachTime": "2021-03-22T17:29:43+00:00",
                        "AttachmentId": "eni-attach-0abcd1234abcd1234",
                        "DeleteOnTermination": true,
                        "DeviceIndex": 0,
                        "Status": "attaching",
                        "NetworkCardIndex": 0
                    },
                    "Description": "",
                    "Groups": [
                        {
                            "GroupName": "cc-prod-security-group",
                            "GroupId": "sg-01234abcd1234abcd"
                        }
                    ],
                    "Ipv6Addresses": [],
                    "MacAddress": "06:00:c7:12:51:99",
                    "NetworkInterfaceId": "eni-0abcd1234abcd1234",
                    "OwnerId": "123456789012",
                    "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
                    "PrivateIpAddress": "10.0.0.5",
                    "PrivateIpAddresses": [
                        {
                            "Primary": true,
                            "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
                            "PrivateIpAddress": "10.0.0.5"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Status": "in-use",
                    "SubnetId": "subnet-abcd1234",
                    "VpcId": "vpc-1234abcd",
                    "InterfaceType": "interface"
                }
            ],
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SecurityGroups": [
                {
                    "GroupName": "cc-prod-security-group",
                    "GroupId": "sg-01234abcd1234abcd"
                }
            ],
            "SourceDestCheck": true,
            "StateReason": {
                "Code": "pending",
                "Message": "pending"
            },
            "VirtualizationType": "hvm",
            "HibernationOptions": {
                "Configured": false
            },
            "CpuOptions": {
                "CoreCount": 1,
                "ThreadsPerCore": 1
            },
            "CapacityReservationSpecification": {
                "CapacityReservationPreference": "open"
            },
            "MetadataOptions": {
                "State": "pending",
                "HttpTokens": "optional",
                "HttpPutResponseHopLimit": 1,
                "HttpEndpoint": "enabled"
            },
            "EnclaveOptions": {
                "Enabled": false
            }
        }
    ],
    "OwnerId": "123456789012",
    "ReservationId": "r-0abcd1234abcd1234"
}

07 (Optional) After you have verified and tested your new Amazon EC2 instance, you can transfer the Elastic IP (EIP) from the source (non-compliant) instance to the new instance. If the source instance does not have an EIP attached, you must update the domain DNS record(s) or any other application settings that point to the source instance, in order to switch to the new instance IP. The association ID and allocation ID used below belong to the address currently attached to the source instance; the describe-addresses command, filtered by instance-id, returns both. To transfer the Elastic IP, run the following commands:

08 Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the source, non-compliant Amazon EC2 instance (the command does not produce an output):

aws ec2 disassociate-address \
  --region us-east-1 \
  --association-id eipassoc-0abcd1234abcd1234

09 Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new EC2 instance:

aws ec2 associate-address \
  --region us-east-1 \
  --instance-id i-01234123412341234 \
  --allocation-id eipalloc-0abcd1234abcd1234

10 The command output should return the EIP association ID:

{
    "AssociationId": "eipassoc-01234abcd1234abcd"
}

11 (Optional) You can terminate the source (non-compliant) EC2 instance in order to stop incurring charges for it. To shut down the instance, run terminate-instances command (OSX/Linux/UNIX) using the source instance ID as the identifier parameter:

aws ec2 terminate-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd

12 The output should return the terminate-instances command request metadata:

{
    "TerminatingInstances": [
        {
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "InstanceId": "i-01234abcd1234abcd",
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

13 Repeat steps no. 1 – 12 for each Amazon EC2 instance that you want to re-create, available in the selected AWS cloud region.

14 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
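Steps no. 1 to 6 above carry the source instance's configuration over by hand. The following Python function, added here as an example and not part of Conformity's own tooling, reads a describe-instances record of the shape shown at step no. 2, builds the parameter set for run-instances with the requested tenancy, and serializes it as the JSON that aws ec2 run-instances --cli-input-json file://launch.json accepts. SOURCE_INSTANCE is constructed sample data modelled on that record; the Name tag, the launch.json file name and the host ID are assumptions of this example.

```python
"""Build run-instances parameters from a describe-instances record (added example).

Not Conformity's own tooling. SOURCE_INSTANCE is constructed sample data shaped
like the record at step no. 2; the Name tag, the launch.json file name and any
host ID passed in are assumptions of this example.
"""
import json

VALID_TENANCY = ("default", "dedicated", "host")

SOURCE_INSTANCE = {
    "ImageId": "ami-0abcd1234abcd1234",
    "InstanceId": "i-01234abcd1234abcd",
    "InstanceType": "t2.micro",
    "KeyName": "conformity",
    "Monitoring": {"State": "disabled"},
    "Placement": {"AvailabilityZone": "us-east-1a", "GroupName": "", "Tenancy": "default"},
    "SubnetId": "subnet-abcd1234",
    "VpcId": "vpc-1234abcd",
    "EbsOptimized": False,
    "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
        "Id": "ABCDABCDABCDABCDABCDA"},
    "SecurityGroups": [{"GroupName": "cc-prod-security-group", "GroupId": "sg-01234abcd1234abcd"}],
    "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"},
    "Tags": [{"Key": "Name", "Value": "project5-web"},                       # assumed tag
             {"Key": "aws:cloudformation:stack-name", "Value": "project5"}],  # reserved prefix
}


def launch_parameters(source, image_id, tenancy, host_id=None):
    """Parameters for run-instances that replicate `source` from `image_id`
    with the requested tenancy. Raises ValueError for an unknown tenancy."""
    if tenancy not in VALID_TENANCY:
        raise ValueError(f"tenancy must be one of {VALID_TENANCY}, got {tenancy!r}")
    placement = {"AvailabilityZone": source["Placement"]["AvailabilityZone"],
                 "Tenancy": tenancy}
    if tenancy == "host" and host_id:
        # Target one Dedicated Host; without HostId, EC2 relies on auto-placement.
        placement["HostId"] = host_id
    metadata = source.get("MetadataOptions", {})
    params = {
        "ImageId": image_id,
        "InstanceType": source["InstanceType"],
        "MinCount": 1,
        "MaxCount": 1,
        "SubnetId": source["SubnetId"],
        "SecurityGroupIds": [g["GroupId"] for g in source["SecurityGroups"]],
        "Placement": placement,
        "EbsOptimized": source.get("EbsOptimized", False),
        "Monitoring": {"Enabled": source.get("Monitoring", {}).get("State") == "enabled"},
        # Carried over unchanged so the relaunch does not silently alter IMDS exposure;
        # tightening HttpTokens to "required" is a deliberate, separate change.
        "MetadataOptions": {k: metadata[k] for k in
                            ("HttpTokens", "HttpEndpoint", "HttpPutResponseHopLimit")
                            if k in metadata},
    }
    if source.get("KeyName"):
        params["KeyName"] = source["KeyName"]
    if "IamInstanceProfile" in source:
        params["IamInstanceProfile"] = {"Arn": source["IamInstanceProfile"]["Arn"]}
    # Keys starting with "aws:" are reserved; run-instances rejects them, so drop them.
    tags = [t for t in source.get("Tags", []) if not t["Key"].startswith("aws:")]
    if tags:
        params["TagSpecifications"] = [{"ResourceType": "instance", "Tags": tags}]
    return params


def render_cli_input(params):
    """JSON for `aws ec2 run-instances --cli-input-json file://launch.json`."""
    return json.dumps(params, indent=2)


if __name__ == "__main__":
    # Relaunch the source instance as a Dedicated Instance from the AMI created at step no. 4.
    print(render_cli_input(launch_parameters(SOURCE_INSTANCE, "ami-0abcdabcdabcdabcd", "dedicated")))
```

Save the printed JSON as launch.json and pass it with --cli-input-json (add --region as usual). The function validates the tenancy value, targets a specific Dedicated Host only when one is given, drops reserved aws:-prefixed tags and keeps the metadata options as they were on the source instance.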

Publication date Jun 14, 2016