Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

EC2 Instance Too Old

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-022

Identify and restart any running Amazon EC2 instances older than 180 days in order to ensure their reliability. An Amazon EC2 instance is not supposed to run indefinitely in the cloud and having too old instances within your AWS cloud account could increase the risk of potential issues.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security
Reliability

Stopping and restarting your old Amazon EC2 instances will reallocate them to different and possibly more reliable underlying hardware (host machine).

Audit

To determine if you have old Amazon EC2 instances running in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Click inside the Filter instances box located under the console top menu, choose Instance state, and select running. This filtering technique will return only the EC2 instances in the running state.

05 Select the Amazon EC2 instance that you want to examine.

06 Choose the Details tab from the console bottom panel to access the instance configuration details.

07 In the Instance details section, check the Launch time attribute value to determine the active age of the verified instance. If the age of the selected Amazon EC2 instance is greater than 180 days, the EC2 instance needs to be restarted.

08 Repeat steps no. 5 – 7 for each running instance available within the current AWS cloud region.

09 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with predefined query filters to list the IDs of the running Amazon EC2 instances available in the selected AWS cloud region: 

aws ec2 describe-instances
  --region us-east-1
  --filters Name=instance-state-name,Values=running
  --output table
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs): 

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcd1234abcd1234  |
|  i-0abcdabcdabcdabcd  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to describe the launch date for the selected EC2 instance: 

aws ec2 describe-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd
  --query 'Reservations[*].Instances[*].LaunchTime[]'

04 The command output should return the instance launch date in human readable format: 

[
	"2020-03-25T10:45:00+00:00"
]

Check the date/time returned by the describe-instances command output to determine the active age of the verified instance. If the age of the selected Amazon EC2 instance is greater than 180 days, the EC2 instance needs to be restarted.

05 Repeat steps no. 3 and 4 for each running instance available in the selected AWS cloud region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To safely restart the old Amazon instances running within your AWS cloud account, perform the following operations:

Note: This conformity rule assumes that your old Amazon EC2 instances are associated with Elastic IPs (EIPs). If your old instances do not have Elastic IPs attached, you will have to update their public IP reference(s) in your cloud application or within the DNS zone file after you restart the EC2 instances.

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_instance" "aws-ec2-old-instance" {

	ami = "ami-0abcd1234abcd1234"
	instance_type = "t3.micro"
	key_name = "ssh-key"
	subnet_id = "subnet-abcd1234"
	vpc_security_group_ids = [ "sg-01234abcd1234abcd" ]
	associate_public_ip_address = false

}

resource "null_resource" "restart-old-instance" {

	provisioner "local-exec" {
	on_failure  = "fail"
	interpreter = ["/bin/bash", "-c"]
	command     = <<EOT
		echo -e "Warning! Restarting old EC2 instance."
		aws ec2 stop-instances --instance-ids ${aws_instance.aws-ec2-old-instance.id} --profile default
		aws ec2 start-instances --instance-ids ${aws_instance.aws-ec2-old-instance.id} --profile default
		echo "Restarted"
		EOT
	}

	triggers = {
		always_run = timestamp()
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to restart. IMPORTANT: The following process assumes that the Amazon EC2 instance selected for restart is NOT currently used in production or for critical operations.

05 Click on the Instance state dropdown button from the console top menu and select Stop instance.

06 In the Stop instance? confirmation box, review the instance details, then choose Stop.

07 Choose again the Instance state dropdown button from the console top menu and select Start instance. Once the boot sequence is complete, the status of the selected Amazon EC2 instance should change from Pending to Running(this may take a few minutes).

08 Repeat steps no. 4 – 7 to restart any other old Amazon EC2 instances available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run stop-instances command (OSX/Linux/UNIX) to stop the old Amazon EC2 instance that you want to restart:
IMPORTANT: The following process assumes that the Amazon EC2 instance selected for restart is NOT currently used in production or for critical operations. 

aws ec2 stop-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd

02 The output should return the stop-instances command request metadata: 

{
	"StoppingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 64,
				"Name": "stopping"
			},
			"PreviousState": {
				"Code": 16,
				"Name": "running"
			}
		}
	]
}

03 Run start-instances command (OSX/Linux/UNIX) to restart the specified Amazon EC2 instance (it may take a few minutes until the instance enters the running state): 

aws ec2 start-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd

04 The output should return the start-instances command request metadata: 

{
	"StartingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 0,
				"Name": "pending"
			},
			"PreviousState": {
				"Code": 80,
				"Name": "stopped"
			}
		}
	]
}

05 Repeat steps no. 1 – 4 to restart any other old Amazon EC2 instances available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

Publication date Jun 3, 2016

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

EC2 Instance Too Old

Risk Level: Low