
Idle EC2 Instance

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC2-047

Identify any Amazon EC2 instances that appear to be idle and stop or terminate them to help lower the cost of your AWS bill. By default, an Amazon EC2 instance is considered "idle" when it meets the following criteria (both conditions must be true to declare the instance "idle"):

  • The average CPU Utilization has been less than 2% for the last 7 days.
  • The average Network I/O has been less than 5 MB for the last 7 days.
Note 1: For this rule, Trend Micro Cloud One™ – Conformity assumes that your Amazon EC2 instances are tagged with "Role" and "Owner" tags, which provide visibility into their usage profile and help you decide whether it is safe to stop or terminate these resources. Knowing the role and the owner of an Amazon EC2 instance before you decide to stop or terminate it matters because the metrics alone are ambiguous: for example, CPU utilization below 2% for a 48-hour period could mean that the instance is idle or not being used at all, but a standby or rarely used host can show the same profile while still being needed.

Note 2: You can change the default threshold for this rule on the Conformity account console and set your own values for CPU and Network I/O usage, and the preferred number of days for each condition in order to configure the idleness. The Conformity console also provides information about each Amazon EC2 instance marked as idle such as region, ID, instance type, launch time, operating system, tags and more to help you decide whether to stop or terminate the instance.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

Idle instances represent a good candidate to reduce your Amazon EC2 service costs and avoid accumulating unnecessary Amazon EC2 charges.


Audit

To identify idle Amazon EC2 instances, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Monitoring tab from the console bottom panel to access the instance monitoring details.

06 On the Monitoring panel, perform the following actions:

  1. Select the CPU utilization (%) graph, click on the 3-dot menu, and choose View in metrics to open the CPU utilization dashboard for the selected instance. On the CPU utilization (%) dashboard, configure the following parameters:
    • Select 1w (1 week) from the time range top-right menu.
    • Select the Graphed metrics tab, set Statistic to Average, and Period to 1 Hour. Once the monitoring data is loaded, check the instance CPU utilization for the last 7 days. If the average usage has been less than 2%, the selected Amazon EC2 instance qualifies as a candidate for an idle EC2 instance.
  2. Select the Network in (bytes) graph, click on the 3-dot menu, and choose View in metrics to open the incoming network traffic dashboard for the selected instance. On the Network in (bytes) dashboard, configure the following parameters:
    • Select 1w (1 week) from the time range top-right menu.
    • Select the Graphed metrics tab, set Statistic to Average, and Period to 1 Hour. Once the monitoring data is loaded, check the incoming network traffic for the last 7 days. If the average incoming traffic has been less than 5 MB, the selected Amazon EC2 instance qualifies as a candidate for an idle EC2 instance.
  3. Select the Network out (bytes) graph, click on the 3-dot menu, and choose View in metrics to open the outgoing network traffic dashboard for the selected instance. On the Network out (bytes) dashboard, configure the following parameters:
    • Select 1w (1 week) from the time range top-right menu.
    • Select the Graphed metrics tab, set Statistic to Average, and Period to 1 Hour. Once the monitoring data is loaded, check the outgoing network traffic for the last 7 days. If the average outgoing traffic has been less than 5 MB, the selected Amazon EC2 instance qualifies as a candidate for an idle EC2 instance.

07 To determine the Amazon EC2 instance role within your application stack and identify its owner, check the Role and Owner tags assigned to the selected instance. This tells you whom to confirm with before you stop or terminate the resource:

  1. Choose the Tags tab from the console bottom panel to access the instance tags.
  2. Check the Role tag value, available in the Value column, or any Role-like tag value(s) that describe the usage profile of the selected instance, in order to decide whether the Amazon EC2 resource can be stopped or terminated.
  3. Check the Owner tag value, available in the Value column, or any Owner-like tag value(s) that give the contact information of the resource owner (owner name, email, phone number), and confirm with the owner before the EC2 resource is stopped or terminated.

08 If all the conditions presented at steps no. 6 and 7 are met, the selected Amazon EC2 instance is considered "idle" and can be stopped or terminated in order to stop incurring charges for that resource.

09 Repeat steps no. 4 – 8 for each Amazon EC2 instance available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the active Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --filters Name=instance-state-name,Values=running \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run get-metric-statistics command (OSX/Linux/UNIX) to get the utilization data recorded by Amazon CloudWatch for the CPUUtilization metric, representing the CPU usage of the selected Amazon EC2 instance. Change the --start-time (start recording date) and --end-time (stop recording date) parameter values to choose your own time frame for the instance CPU usage. Configure the --period parameter value to define the granularity (in seconds) of the returned datapoints. A period can be as short as one minute (60 seconds) or as long as one day (86400 seconds); note that with basic monitoring EC2 publishes these metrics every 5 minutes, so a period shorter than 300 seconds only adds detail when detailed monitoring is enabled for the instance, and a single call returns at most 1,440 datapoints (7 days at a 1-hour period yields 168). The following command example returns the average CPU usage of an Amazon EC2 instance identified by the ID i-01234abcd1234abcd, usage data captured over a period of 7 days (set by the --start-time and --end-time command parameters), using a 1-hour period as the granularity for the returned datapoints (set by the --period parameter):

aws cloudwatch get-metric-statistics \
  --region us-east-1 \
  --metric-name CPUUtilization \
  --start-time 2016-10-04T13:16:00 \
  --end-time 2016-10-11T13:16:00 \
  --period 3600 \
  --namespace AWS/EC2 \
  --statistics Average \
  --dimensions Name=InstanceId,Value=i-01234abcd1234abcd

04 The command output should return the CPU usage details requested:

{
	"Datapoints": [
		{
			"Timestamp": "2016-10-04T13:16:00Z",
			"Average": 0.2085,
			"Unit": "Percent"
		},
		{
			"Timestamp": "2016-10-04T14:16:00Z",
			"Average": 0.033499999999999995,
			"Unit": "Percent"
		},
		{
			"Timestamp": "2016-10-04T15:16:00Z",
			"Average": 0.10425,
			"Unit": "Percent"
		},

		...

		{
			"Timestamp": "2016-10-11T10:16:00Z",
			"Average": 0.030999999999999993,
			"Unit": "Percent"
		},
		{
			"Timestamp": "2016-10-11T11:16:00Z",
			"Average": 0.02833333333333333,
			"Unit": "Percent"
		},
		{
			"Timestamp": "2016-10-11T12:16:00Z",
			"Average": 0.02783333333333333,
			"Unit": "Percent"
		}
	],
	"Label": "CPUUtilization"
}

If the average CPU usage over the 7-day window is less than 2%, the selected Amazon EC2 instance qualifies as a candidate for an idle EC2 instance.

05 Run get-metric-statistics command (OSX/Linux/UNIX) to get the utilization data recorded for the NetworkIn metric, representing the incoming network traffic for the selected Amazon EC2 instance. The following command example returns the average incoming network traffic received by an Amazon EC2 instance identified by the ID i-01234abcd1234abcd, usage data captured over a period of 7 days (set by the --start-time and --end-time parameters), using 1-hour period as the granularity for the returned datapoints (set by the --period parameter):

aws cloudwatch get-metric-statistics \
  --region us-east-1 \
  --metric-name NetworkIn \
  --start-time 2016-10-04T13:16:22 \
  --end-time 2016-10-11T13:16:22 \
  --period 3600 \
  --namespace AWS/EC2 \
  --statistics Average \
  --dimensions Name=InstanceId,Value=i-01234abcd1234abcd

06 The command output should return the incoming network traffic data requested:

{
	"Datapoints": [
		{
			"Timestamp": "2016-10-04T13:16:22Z",
			"Average": 220.0,
			"Unit": "Bytes"
		},
		{
			"Timestamp": "2016-10-04T14:16:22Z",
			"Average": 145.0,
			"Unit": "Bytes"
		},
		{
			"Timestamp": "2016-10-04T15:16:22Z",
			"Average": 292.0,
			"Unit": "Bytes"
		},

		...

		{
			"Timestamp": "2016-10-11T10:16:22Z",
			"Average": 151.0,
			"Unit": "Bytes"
		},
		{
			"Timestamp": "2016-10-11T11:16:22Z",
			"Average": 430.0,
			"Unit": "Bytes"
		},
		{
			"Timestamp": "2016-10-11T12:16:22Z",
			"Average": 2330.777777777778,
			"Unit": "Bytes"
		}
	],
	"Label": "NetworkIn"
}

If the average incoming traffic values returned by the get-metric-statistics command are less than 5 MB (the datapoints are reported in bytes, so convert the threshold to bytes before comparing), the selected Amazon EC2 instance qualifies as a candidate for an idle EC2 instance.

07 Run get-metric-statistics command (OSX/Linux/UNIX) to get the utilization data recorded by Amazon CloudWatch for the NetworkOut metric, representing the outgoing network traffic for the selected Amazon EC2 instance. The following command example returns the average outgoing network traffic sent from an Amazon EC2 instance identified by the ID i-01234abcd1234abcd, usage data captured over a period of 7 days (set by the --start-time and --end-time command parameters), using 1-hour period as the granularity for the returned datapoints (set by the --period parameter):

aws cloudwatch get-metric-statistics \
  --region us-east-1 \
  --metric-name NetworkOut \
  --start-time 2016-10-04T13:16:58 \
  --end-time 2016-10-11T13:16:58 \
  --period 3600 \
  --namespace AWS/EC2 \
  --statistics Average \
  --dimensions Name=InstanceId,Value=i-01234abcd1234abcd

08 The command output should return the outgoing network traffic data requested:

{
	"Datapoints": [
		{
			"Timestamp": "2016-10-04T13:16:58Z",
			"Average": 148.65,
			"Unit": "Bytes"
		},
		{
			"Timestamp": "2016-10-04T14:16:58Z",
			"Average": 91.63333333333334,
			"Unit": "Bytes"
		},
		{
			"Timestamp": "2016-10-04T15:16:58Z",
			"Average": 214.96666666666667,
			"Unit": "Bytes"
		},

		...

		{
			"Timestamp": "2016-10-11T10:16:58Z",
			"Average": 96.83333333333333,
			"Unit": "Bytes"
		},
		{
			"Timestamp": "2016-10-11T11:16:58Z",
			"Average": 325.96666666666664,
			"Unit": "Bytes"
		},
		{
			"Timestamp": "2016-10-11T12:16:58Z",
			"Average": 2656.488888888889,
			"Unit": "Bytes"
		}
	],
	"Label": "NetworkOut"
}

If the average outgoing traffic values returned are less than 5 MB (again, compare in bytes), the selected Amazon EC2 instance qualifies as a candidate for an idle EC2 instance.

09 Run describe-tags command (OSX/Linux/UNIX) to describe the tag sets defined for the selected Amazon EC2 instance:

aws ec2 describe-tags \
  --region us-east-1 \
  --filters "Name=resource-id,Values=i-01234abcd1234abcd"

10 The command output should return the tags (key-value pairs) applied to the specified EC2 instance. The Role and Owner tags returned and their values can be used to determine the EC2 resource role within your application stack and to contact its owner for more information in order to decide whether the selected Amazon EC2 instance can be stopped or terminated:

{
	"Tags": [
		{
			"ResourceType": "instance",
			"ResourceId": "i-01234abcd1234abcd",
			"Value": "ops@cloudconformity.com",
			"Key": "Owner"
		},
		{
			"ResourceType": "instance",
			"ResourceId": "i-01234abcd1234abcd",
			"Value": "legacy-webapp-ver-1.5",
			"Key": "Name"
		},
		{
			"ResourceType": "instance",
			"ResourceId": "i-01234abcd1234abcd",
			"Value": "legacy-webapp-test-server",
			"Key": "Role"
		}
	]
}

11 If the data returned for the steps no. 3 – 10 satisfy all the conditions required by the conformity rule (i.e. instance role, owner, CPU, and network usage), the selected Amazon EC2 instance is considered "idle" and can be stopped or terminated in order to stop incurring charges for that resource.

12 Repeat steps no. 3 – 11 for each Amazon EC2 instance available in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
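The CLI steps above can be automated. The following Python script is an added example written for this page, not Conformity's own implementation of the EC2-047 check: it uses boto3 (the describe_instances and get_metric_statistics calls) to run the same 7-day, 1-hour-period queries against every running instance in a region and then classifies each one with the rule's thresholds. It assumes that "5 MB" means 5,000,000 bytes and that the Role and Owner tags live on the instance itself; the sample datapoints at the bottom are constructed, not real CloudWatch data. The script only reports; the decision to stop or terminate stays with the owner.

```python
"""Automated EC2-047 style audit: for every running instance in a region, pull the 7-day
CPUUtilization, NetworkIn and NetworkOut averages from CloudWatch, apply the rule's
thresholds, and require Role/Owner tags before calling anything an idle candidate.
This script only reports; it never stops or terminates an instance."""
from datetime import datetime, timedelta, timezone

CPU_THRESHOLD_PCT = 2.0
NET_THRESHOLD_BYTES = 5 * 1_000_000  # assumption: the rule's "5 MB" read as decimal megabytes
LOOKBACK_DAYS = 7
PERIOD_SECONDS = 3600                # 1-hour datapoints, 168 per metric for a 7-day window


def average_of(datapoints):
    """Mean of the 'Average' field across CloudWatch datapoints, or None if there are none."""
    values = [dp["Average"] for dp in datapoints]
    return sum(values) / len(values) if values else None


def classify(cpu_dps, net_in_dps, net_out_dps, tags):
    """Apply the rule to one instance. Returns (verdict, details) where verdict is:
      'inconclusive'   a metric has no datapoints at all (monitoring gap); do not touch it
      'active'         at least one metric is at or above its threshold
      'needs-review'   metrics are under threshold but the Role or Owner tag is missing,
                       so there is nobody to confirm with before stopping it
      'idle-candidate' metrics under threshold and both tags present
    """
    details = {
        "cpu_pct": average_of(cpu_dps),
        "net_in_bytes": average_of(net_in_dps),
        "net_out_bytes": average_of(net_out_dps),
        "role": tags.get("Role"),
        "owner": tags.get("Owner"),
    }
    if any(details[k] is None for k in ("cpu_pct", "net_in_bytes", "net_out_bytes")):
        return "inconclusive", details
    if (details["cpu_pct"] >= CPU_THRESHOLD_PCT
            or details["net_in_bytes"] >= NET_THRESHOLD_BYTES
            or details["net_out_bytes"] >= NET_THRESHOLD_BYTES):
        return "active", details
    if not details["role"] or not details["owner"]:
        return "needs-review", details
    return "idle-candidate", details


def audit_region(region, now=None):
    """Classify every running instance in `region`. boto3 is imported here so the pure
    rule logic above can be exercised offline without credentials."""
    import boto3  # needs credentials allowing ec2:DescribeInstances and cloudwatch:GetMetricStatistics
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(days=LOOKBACK_DAYS)
    ec2 = boto3.client("ec2", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)

    def hourly_averages(instance_id, metric):
        # Same query as the CLI steps: AWS/EC2 namespace, InstanceId dimension, Average statistic.
        resp = cw.get_metric_statistics(
            Namespace="AWS/EC2", MetricName=metric,
            Dimensions=[{"Name": "InstanceId", "Value": instance_id}],
            StartTime=start, EndTime=now, Period=PERIOD_SECONDS, Statistics=["Average"])
        return resp["Datapoints"]

    verdicts = {}
    pages = ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    for page in pages:
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                iid = inst["InstanceId"]
                tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
                verdicts[iid] = classify(
                    hourly_averages(iid, "CPUUtilization"),
                    hourly_averages(iid, "NetworkIn"),
                    hourly_averages(iid, "NetworkOut"),
                    tags)
    return verdicts


# Constructed sample datapoints (not real CloudWatch output), shaped like the CLI output above.
SAMPLE_CPU = [{"Average": v, "Unit": "Percent"} for v in (0.2085, 0.0335, 0.10425, 0.031)]
SAMPLE_NET_IN = [{"Average": v, "Unit": "Bytes"} for v in (220.0, 145.0, 292.0, 2330.78)]
SAMPLE_NET_OUT = [{"Average": v, "Unit": "Bytes"} for v in (148.65, 91.63, 214.97, 2656.49)]
SAMPLE_TAGS = {"Owner": "ops@example.com", "Name": "legacy-webapp-ver-1.5",
               "Role": "legacy-webapp-test-server"}


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for iid, (verdict, details) in sorted(audit_region(region).items()):
        print(f"{iid}\t{verdict}\t{details}")
```

Run it as `python idle_ec2.py us-east-1` once per region. An instance with a monitoring gap comes back as inconclusive rather than idle, and a quiet but untagged instance is flagged needs-review, because without an Owner tag there is nobody to confirm with before it is stopped.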

Remediation / Resolution

Option 1: Stop or terminate your idle Amazon EC2 instances. To stop/terminate any idle Amazon EC2 instances available within your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the idle Amazon EC2 instance that you want to stop or terminate.

05 Based on the chosen decommissioning strategy, perform one of the following sets of instructions:

  1. To stop an idle Amazon EC2 instance:
    • Click on the Instance state dropdown button from the console top menu and select Stop instance.
    • In the Stop instance? confirmation box, review the instance details, then choose Stop.
  2. To terminate an idle Amazon EC2 instance:
    • Click on the Instance state dropdown button from the console top menu and select Terminate instance.
    • In the Terminate instance? confirmation box, review the instance details, then choose Terminate.

06 Repeat steps no. 4 and 5 for each idle Amazon EC2 instance that you want to stop/terminate, available within the current AWS region.

07 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Based on the chosen decommissioning strategy, perform one of the following sets of commands:

  1. To stop an idle Amazon EC2 instance, run stop-instances command (OSX/Linux/UNIX) using the ID of the EC2 instance that you want to stop as the identifier parameter:
    aws ec2 stop-instances \
      --region us-east-1 \
      --instance-ids i-01234abcd1234abcd
    
  2. The output should return the stop-instances command request metadata:
    {
    	"StoppingInstances": [
    		{
    			"InstanceId": "i-01234abcd1234abcd",
    			"CurrentState": {
    				"Code": 64,
    				"Name": "stopping"
    			},
    			"PreviousState": {
    				"Code": 16,
    				"Name": "running"
    			}
    		}
    	]
    }
    
  3. To terminate an idle Amazon EC2 instance, run terminate-instances command (OSX/Linux/UNIX) using the ID of the EC2 instance that you want to shut down as the identifier parameter:
    aws ec2 terminate-instances \
      --region us-east-1 \
      --instance-ids i-01234abcd1234abcd
    
  4. The output should return the terminate-instances command request metadata:
    {
    	"TerminatingInstances": [
    		{
    			"InstanceId": "i-01234abcd1234abcd",
    			"CurrentState": {
    				"Code": 32,
    				"Name": "shutting-down"
    			},
    			"PreviousState": {
    				"Code": 16,
    				"Name": "running"
    			}
    		}
    	]
    }
    

02 Repeat step no. 1 for each idle Amazon EC2 instance that you want to stop/terminate, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Option 2: Downsize (resize) your idle Amazon EC2 instances. If an EC2 instance can't be stopped for good or terminated because the EC2 resource plays an important role within your application stack, you can change the instance type for your idle Amazon EC2 instance. Note that changing the instance type still requires the instance to be stopped briefly, so plan for a short outage; any data on instance store volumes is lost when the instance stops, and an instance without an Elastic IP address receives a new public IPv4 address when it is started again. To resize the instance, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the idle Amazon EC2 instance that you want to reconfigure.

05 Click on the Instance state dropdown button from the console top menu and select Stop instance.

06 In the Stop instance? confirmation box, review the instance details, then choose Stop.

07 Once the instance is stopped (i.e. Instance State is set to stopped), click on the Actions dropdown button from the console top menu, select Instance settings, and choose Change instance type.

08 On the Change instance type configuration page, select the appropriate instance type from the Instance type dropdown list, and choose Apply to resize the selected Amazon EC2 instance.

09 Click on the Instance state dropdown button from the console top menu and select Start instance. Once the boot sequence is complete, the EC2 instance status should change from Pending to Running.

10 Repeat steps no. 4 – 9 for each idle Amazon EC2 instance that you want to downsize, available within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run stop-instances command (OSX/Linux/UNIX) to stop the idle Amazon EC2 instance that you want to reconfigure:

aws ec2 stop-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd

02 The output should return the stop-instances command request metadata:

{
	"StoppingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 64,
				"Name": "stopping"
			},
			"PreviousState": {
				"Code": 16,
				"Name": "running"
			}
		}
	]
}

03 Run modify-instance-attribute command (OSX/Linux/UNIX) to change the instance type for your idle Amazon EC2 instance. The target instance type must be compatible with the instance's AMI and configuration (same CPU architecture and virtualization type, and the network and storage drivers the target type requires), otherwise the instance will fail to start. The following command example changes the instance type for an idle EC2 instance, identified by the ID i-01234abcd1234abcd, from c5.2xlarge to t2.medium (the command does not produce an output):

aws ec2 modify-instance-attribute \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --instance-type "{\"Value\": \"t2.medium\"}"

04 Run start-instances command (OSX/Linux/UNIX) to restart the reconfigured Amazon EC2 instance (it may take a few minutes until the instance enters the running state):

aws ec2 start-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd

05 The output should return the start-instances command request metadata:

{
	"StartingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 0,
				"Name": "pending"
			},
			"PreviousState": {
				"Code": 80,
				"Name": "stopped"
			}
		}
	]
}

06 Repeat steps no. 1 – 5 for each idle Amazon EC2 instance that you want to downsize, available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Option 3: Disable the conformity rule check. If your idle Amazon EC2 instance is an important component of your application stack, you should turn off the conformity rule check for the specified Amazon EC2 instance from the Trend Micro Cloud One™ – Conformity console.

Publication date Oct 13, 2016
