End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Review Reserved Instance Purchases

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-052

Ensure that all the active Amazon EC2 Reserved Instance (RI) purchases are reviewed every 7 days to make sure that no unwanted RI purchase has been placed recently.

This rule can help you with the following compliance standards:

  • AWAF

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

By checking your Amazon EC2 Reserved Instance purchases on a regular basis you can detect and cancel any unwanted purchases placed within your AWS cloud account and avoid unexpected charges on your AWS bill.

Note: You can change the default threshold value (7 days) for the review time frame within the Conformity rule settings, in your Trend Cloud One™ – Conformity account.


Audit

To identify the Reserved Instance purchases placed recently within your AWS cloud account for review purposes, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2.

03 In the left navigation panel, under Instances, choose Reserved Instances.

04 Click inside the Filter by attributes or search by keyword box located under Reserved Instances, choose State, select Equals from Operators, and choose Active to return only the active Amazon EC2 reservation purchases available within the current AWS cloud region.

05 Click inside the Filter by attributes or search by keyword box located under Reserved Instances, choose Start, select Equals from Operators, enter the date (timestamp) required for the review, and press Enter. This filtering technique will return the active Amazon EC2 reservation purchases placed in the last 7 days, within the current AWS cloud region. If no purchases matching your filter criteria are found, there were no Reserved Instance purchases placed in the last week. If one or more purchases matching your filter criteria are returned by the Amazon EC2 console and you are unaware of any of these purchases, check your Amazon CloudTrail logs or contact AWS Support Center to resolve the purchase issue for the unwanted reservation.

06 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-reserved-instances command (OSX/Linux/UNIX) with predefined and custom query filters to list the IDs of the active Amazon EC2 reservations available in the selected AWS region:

aws ec2 describe-reserved-instances \
	--region us-east-1 \
	--filters "Name=state,Values=active" \
	--output table \
	--query 'ReservedInstances[*].ReservedInstancesId'

02 The command output should return the requested reservation identifiers (IDs):

----------------------------------------
|        ReservedInstancesIds          |
+--------------------------------------+
| abcdabcd-1234-abcd-1234-abcd1234abcd |
| 12341234-abcd-1234-abcd-1234abcd1234 |
----------------------------------------

03 Run describe-reserved-instances command (OSX/Linux/UNIX) with the ID of the active Amazon EC2 reservation that you want to examine as the identifier parameter and custom output filters to describe the date/time at which the Reserved Instance purchase request was placed:

aws ec2 describe-reserved-instances \
	--region us-east-1 \
	--reserved-instances-ids abcdabcd-1234-abcd-1234-abcd1234abcd \
	--query 'ReservedInstances[*].Start'

04 The command output should return the requested reservation information:

[
	"2025-06-10T10:00:00.000Z"
]

If the date (timestamp) returned by the describe-reserved-instances command output for the selected reservation indicates a recent Reserved Instance purchase request (i.e., a request placed in the last 7 days) and you are unaware of this purchase, check your Amazon CloudTrail logs or contact AWS Support Center to resolve the purchase issue for the unwanted reservation.

05 Repeat steps no. 3 and 4 for each active Reserved Instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
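Steps 3 to 5 can be done in one pass over the JSON that the step 1 command returns when it is run with --output json and without --query. The following is an added example, not part of the original rule page; the sample records, the third reservation ID, the instance types and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws ec2 describe-reserved-instances --output json`.
SAMPLE = json.dumps({"ReservedInstances": [
    {"ReservedInstancesId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "State": "active",
     "Start": "2025-06-10T10:00:00.000Z", "InstanceType": "m5.large", "InstanceCount": 4},
    {"ReservedInstancesId": "12341234-abcd-1234-abcd-1234abcd1234", "State": "active",
     "Start": "2025-01-02T08:30:00+00:00", "InstanceType": "t3.micro", "InstanceCount": 1},
    {"ReservedInstancesId": "00000000-aaaa-0000-aaaa-000000000000", "State": "retired",
     "Start": "2025-06-11T09:00:00+00:00", "InstanceType": "c5.xlarge", "InstanceCount": 2},
]})


def parse_start(ts):
    """Parse a Start timestamp, accepting both a 'Z' suffix and a '+00:00' offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def recent_purchases(describe_json, now, threshold_days=7):
    """Return active reservations whose Start falls inside the review window."""
    cutoff = now - timedelta(days=threshold_days)
    hits = []
    for ri in json.loads(describe_json).get("ReservedInstances", []):
        if ri.get("State") != "active":
            continue  # non-active reservations are out of scope for this rule
        start = parse_start(ri["Start"])
        if start >= cutoff:
            hits.append((ri["ReservedInstancesId"], start.isoformat(),
                         ri.get("InstanceType"), ri.get("InstanceCount")))
    return sorted(hits, key=lambda h: h[1], reverse=True)  # newest first


if __name__ == "__main__":
    review_time = datetime(2025, 6, 12, tzinfo=timezone.utc)  # constructed "today"
    for hit in recent_purchases(SAMPLE, review_time):
        print(hit)
```

Each returned reservation is a candidate for the CloudTrail lookup described under Remediation / Resolution.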

Remediation / Resolution

Case A: Check your Amazon CloudTrail logs (if the CloudTrail service is enabled) from the date when the unwanted purchase request was placed to determine the request origin and context. To find and analyze the necessary AWS API logging data, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console available at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the trail that you want to examine, available in the same AWS cloud region as the unwanted Amazon EC2 reservation.

05 In the General details section, click on the trail log file (link), listed under Trail log location.

06 Navigate to the appropriate trail log file location, i.e., <trail-log-bucket>/AWSLogs/<aws-account-id>/CloudTrail/<aws-region>/<year>/<month>/<day> and identify the CloudTrail log file that contains the API activity recorded on the same date as the unwanted RI purchase request.

07 Select the Amazon CloudTrail log file that you want to examine and choose Download to download the file to your computer.

08 Extract and open the downloaded log file in your preferred text editor and search for the following attributes in order to identify the necessary log record:

  1. "eventSource":"ec2.amazonaws.com" – for the name of the AWS service used to place the Reserved Instance purchase request.
  2. "eventName":"PurchaseReservedInstancesOffering" – for the name of the AWS API action/command used to place the Reserved Instance purchase request.
  3. "eventTime":"<request-date/time>" – for the date/time when the Reserved Instance purchase request was placed.

09 Identify the correct CloudTrail log entry (record) based on the attributes listed in the previous step and verify the "userIdentity" attribute value to determine the origin and context for the selected unwanted purchase request.

10 Repeat steps no. 4 – 9 to verify the request origin and context for other unwanted reservation purchases placed in the selected AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list the names of all the CloudTrail trails available within the selected AWS cloud region:

aws cloudtrail describe-trails \
	--region us-east-1 \
	--output table \
	--query 'trailList[*].Name'

02 The command output should return a table with the requested trail name(s):

------------------------------
|       DescribeTrails       |
+----------------------------+
|  aws-cloudtrail-log-trail  |
+----------------------------+

03 Run describe-trails command (OSX/Linux/UNIX) with the name of the trail returned at the previous step as the identifier parameter and custom output filters to get the name of the Amazon S3 bucket used to store the log files for the selected trail:

aws cloudtrail describe-trails \
	--region us-east-1 \
	--trail-name-list aws-cloudtrail-log-trail \
	--query 'trailList[*].S3BucketName'

04 The command output should return the name of the requested S3 bucket:

[
	"aws-cloudtrail-logs"
]

05 Run list-objects command (OSX/Linux/UNIX) to list the names of all the Amazon S3 objects (i.e., log files) available within the selected S3 bucket:

aws s3api list-objects \
	--region us-east-1 \
	--bucket aws-cloudtrail-logs \
	--query 'Contents[].Key'

06 The command output should return the name of each S3 object available within the selected bucket:

[
	"AWSLogs/123456789012/CloudTrail/us-east-1/2025/07/09/975050274289_CloudTrail_us-east-1_20250709T1745Z_abcd1234abcd1234.json.gz",
	"AWSLogs/123456789012/CloudTrail/us-east-1/2025/07/09/975050274289_CloudTrail_us-east-1_20250709T1745Z_1234abcd1234abcd.json.gz"
]

07 Run get-object command (OSX/Linux/UNIX) to download the required Amazon CloudTrail log file from the specified S3 bucket (the last argument is the name of the local file to write, which the command requires):

aws s3api get-object \
	--region us-east-1 \
	--bucket aws-cloudtrail-logs \
	--key AWSLogs/123456789012/CloudTrail/us-east-1/2025/07/09/975050274289_CloudTrail_us-east-1_20250709T1745Z_abcd1234abcd1234.json.gz \
	cloudtrail-log.json.gz

08 The command output should return the get-object command request information:

{
	"AcceptRanges": "bytes",
	"ContentType": "application/json",
	"LastModified": "Wed, 09 Jun 2025 18:00:00 GMT",
	"ContentLength": 4291,
	"ContentEncoding": "gzip",
	"ETag": "\"abcdabcdabcdabcdabcdabcdabcd\"",
	"ServerSideEncryption": "AES256",
	"Metadata": {}
}

09 Extract and open the CloudTrail log file downloaded in the previous steps in your preferred text editor.

10 Once the CloudTrail log file is opened, search for the following attributes in order to identify the necessary log record:

  1. "eventSource":"ec2.amazonaws.com" – for the name of the AWS service used to place the Reserved Instance purchase request.
  2. "eventName":"PurchaseReservedInstancesOffering" – for the name of the AWS API action/command used to place the Reserved Instance purchase request.
  3. "eventTime":"<request-date/time>" – for the date/time when the Reserved Instance purchase request was placed.

11 Identify the correct CloudTrail log entry (record) based on the attributes listed in the previous step and verify the "userIdentity" attribute value to determine the origin and context for the selected unwanted purchase request.

12 Repeat steps no. 3 – 11 to verify the request origin and context for other unwanted reservation purchases placed in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
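The manual search in the console and CLI procedures above (match on "eventSource" and "eventName", then read "userIdentity") can be run directly against a downloaded .json.gz log file. The following is an added example, not part of the original rule page; the sample log records, ARNs, access key IDs, IP addresses and the function name are constructed for illustration.

```python
import gzip
import json

# Constructed CloudTrail log file (gzip-compressed JSON with a top-level "Records" list).
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2025-06-10T09:58:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeReservedInstancesOfferings", "sourceIPAddress": "198.51.100.7",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/example-user"}},
    {"eventTime": "2025-06-10T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "PurchaseReservedInstancesOffering", "sourceIPAddress": "203.0.113.20",
     "userAgent": "aws-cli/2.x",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEEXAMPLE00",
                      "arn": "arn:aws:sts::123456789012:assumed-role/example-role/session-1",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/example-role"}}}},
    {"eventTime": "2025-06-10T10:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "PurchaseReservedInstancesOffering", "sourceIPAddress": "198.51.100.7",
     "userAgent": "console.amazonaws.com", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/example-user"}},
]}).encode())


def find_ri_purchases(log_bytes):
    """Summarise who issued each PurchaseReservedInstancesOffering call in one log file."""
    findings = []
    for rec in json.loads(gzip.decompress(log_bytes)).get("Records", []):
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key != ("ec2.amazonaws.com", "PurchaseReservedInstancesOffering"):
            continue
        ident = rec.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        findings.append({
            "eventTime": rec.get("eventTime"),
            "identityType": ident.get("type"),
            "arn": ident.get("arn"),
            "roleArn": issuer.get("arn"),  # set for AssumedRole sessions, else None
            "accessKeyId": ident.get("accessKeyId"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "userAgent": rec.get("userAgent"),
            "succeeded": "errorCode" not in rec,  # failed attempts are still worth reviewing
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_ri_purchases(SAMPLE_LOG), indent=2))
```

To use it on a real file, pass the bytes of the downloaded log, for example `find_ri_purchases(open("cloudtrail-log.json.gz", "rb").read())`, and compare each "eventTime" with the Start value of the reservation under review.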

Case B: To mitigate unwanted Amazon EC2 reservation purchases, you can contact Amazon Web Services (AWS) and ask for purchase cancellation. To create the necessary case through the AWS Support Center, perform the following operations:

Note: Requesting AWS to cancel your unwanted reservation purchases using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center console available at https://console.aws.amazon.com/support/.

03 In the left navigation panel, under Support Center, choose Your support cases.

04 Choose Create case and perform the following actions to create a support case to cancel unwanted RI purchases:

  1. For How can we help?, provide the following information:
    1. Choose Account and billing for the support case type.
    2. For Service, select Account.
    3. For Category, choose Other Account Issues.
    4. For Severity, select General question.
    5. Choose Next step: Additional information.
  2. For Additional information, provide the following information:
    1. Choose your preferred contact language from the Preferred contact language dropdown list.
    2. For Subject, provide the support request subject, such as Cancel unwanted Amazon EC2 Reserved Instance purchases.
    3. For Description, explain why you need to cancel your recent reservation purchase and how and when this unwanted purchase request was placed. This will help the AWS support team to evaluate your request.
    4. Choose Next step: Solve now or contact us.
  3. For Solve now or contact us, select the Contact us tab, and choose a preferred contact method that AWS support team can use to respond to your request.
  4. Choose Submit to send your request to Amazon Web Services (AWS). A customer support representative should contact you shortly.


Publication date Mar 14, 2017