
Unused AMI

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-026

Find any unused Amazon Machine Images available in your AWS account and remove them in order to lower the cost of your monthly AWS bill. The AMI removal/cleanup process consists of two steps: 1) deregister the unused image and 2) delete the snapshot associated with it.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

The AMIs created in your AWS cloud account add charges to your AWS bill regardless of whether they are being used or not. Many AWS customers deregister their images but forget to delete the EBS snapshots backing those AMIs, so the snapshots continue to incur storage costs. Trend Micro Cloud One™ – Conformity recommends implementing the two-step cleanup process shown in the Remediation section in order to avoid any unexpected charges on your AWS bill.


Audit

To identify unused Amazon Machine Images (AMIs) within your AWS account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image (AMI) that you want to examine.

05 Select the Details tab from the console bottom panel and copy the AMI ID attribute value.

06 In the navigation panel, under Instances, choose Instances.

07 Click inside the Filter instances box located under the console top menu, choose Image ID, paste the AMI ID copied at step no. 5, then press Enter. If the filtering process returns one or more Amazon EC2 instances as a result, the selected image is currently in use. If the filtering process does not return any EC2 instances, the selected Amazon Machine Image (AMI) is not used anymore and can be safely removed from your AWS cloud account.

08 Repeat steps no. 4 – 7 for each AMI available within the current AWS cloud region.

09 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon Machine Image available in the selected AWS cloud region:

aws ec2 describe-images \
  --region us-east-1 \
  --owners self \
  --output table \
  --query 'Images[*].ImageId'

02 The command output should return the requested resource identifiers (IDs):

---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-01234abcd1234abcd  |
|  ami-0abcd1234abcd1234  |
|  ami-0abcdabcdabcdabcd  |
+-------------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon Machine Image (AMI) that you want to examine as the identifier parameter, to return the metadata of the Amazon EC2 instance(s) launched from the selected AMI:

aws ec2 describe-instances \
  --region us-east-1 \
  --filters "Name=image-id,Values=ami-01234abcd1234abcd" \
  --query 'Reservations'

04 The command output should return the configuration metadata for each Amazon EC2 instance that matches the filter criteria:

[]

If the describe-instances command output returns an empty array (i.e. []), as shown in the output example above, the selected Amazon Machine Image (AMI) is not used anymore and can be safely removed from your AWS cloud account.

05 Repeat steps no. 3 and 4 for each AMI available in the selected AWS cloud region.

06 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To remove the unused Amazon Machine Images (AMIs) from your AWS account, you have to deregister the required images and delete the associated snapshots. To run the removal process, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the unused Amazon Machine Image (AMI) that you want to remove.

05 Select the Details tab from the console bottom panel and copy the ID of the associated EBS snapshot listed as the value of the Block Devices attribute (e.g. snap-01234123412341234).

06 Click on the Actions dropdown button from the console top menu and select Deregister.

07 In the Deregister confirmation box, review the image details, then choose Continue to submit the request.

08 In the navigation panel, under Elastic Block Store, choose Snapshots.

09 Click inside the Filter by tags and attributes or search by keyword box, select Snapshot ID, paste the ID copied at step no. 5, and press Enter.

10 Select the Amazon EBS snapshot returned as a result, click on the Actions dropdown button from the console top menu, and select Delete.

11 In the Delete Snapshot confirmation box, review the EBS snapshot details, then choose Yes, Delete to remove the resource from your AWS account.

12 Repeat steps no. 4 – 11 to delete other unused AMIs available within the current AWS region.

13 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) to return the ID of the Amazon EBS snapshot associated with the unused Amazon Machine Image (AMI) that you want to delete:

aws ec2 describe-images \
  --region us-east-1 \
  --image-ids ami-01234abcd1234abcd \
  --query 'Images[*].BlockDeviceMappings[*].Ebs.SnapshotId'

02 The command output should return the ID of the associated Amazon EBS snapshot:

[
	"snap-01234123412341234"
]

03 Run deregister-image command (OSX/Linux/UNIX) to deregister the unused Amazon Machine Image (AMI) that you want to remove from your AWS cloud account (if successful, the command does not produce an output):

aws ec2 deregister-image \
  --region us-east-1 \
  --image-id ami-01234abcd1234abcd

04 Run delete-snapshot command (OSX/Linux/UNIX) using the snapshot ID returned at step no. 2 as the identifier parameter, to complete the resource removal process by deleting the Amazon EBS snapshot associated with the selected AMI (the command does not produce an output):

aws ec2 delete-snapshot \
  --region us-east-1 \
  --snapshot-id snap-01234123412341234

05 Repeat steps no. 1 – 4 to delete other unused AMIs available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
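The CLI audit (Audit, steps 1–6) and the two-step cleanup (Remediation, steps 1–4) combined into one script, as an added example that is not Conformity's own code: a Python/boto3 port in which the decision logic is a pure function run here on constructed DescribeImages/DescribeInstances responses, while run_cleanup() performs the real calls for one region and defaults to a dry run. The function names, the dry_run parameter and the sample data are assumptions of this example.

```python
# Added example: Python/boto3 port of the page's CLI audit and two-step cleanup.
# cleanup_plan() is pure, so it can run on constructed DescribeImages /
# DescribeInstances responses; run_cleanup() wires it to a real region.
def image_ids_in_use(reservations):
    """ImageId of every instance in a DescribeInstances 'Reservations' list."""
    return {i["ImageId"] for r in reservations for i in r.get("Instances", [])}


def cleanup_plan(images, reservations):
    """Map each unused AMI to its EBS snapshot IDs (page's criterion: no EC2
    instance in the region was launched from it; instance-store mappings skipped)."""
    in_use = image_ids_in_use(reservations)
    plan = {}
    for img in images:
        if img["ImageId"] in in_use:
            continue
        plan[img["ImageId"]] = [m["Ebs"]["SnapshotId"]
                                for m in img.get("BlockDeviceMappings", [])
                                if "SnapshotId" in m.get("Ebs", {})]
    return plan


def run_cleanup(region, dry_run=True):
    """Step 1: deregister each unused AMI; step 2: delete its snapshots."""
    import boto3  # imported here so the pure functions need no boto3
    ec2 = boto3.client("ec2", region_name=region)
    images = ec2.describe_images(Owners=["self"])["Images"]
    reservations = [r for page in ec2.get_paginator("describe_instances").paginate()
                    for r in page["Reservations"]]
    plan = cleanup_plan(images, reservations)
    for ami, snaps in plan.items():
        print(f"{ami}: deregister, then delete {snaps or 'no snapshots'}")
        if not dry_run:
            ec2.deregister_image(ImageId=ami)
            for snap in snaps:
                ec2.delete_snapshot(SnapshotId=snap)
    return plan


# Constructed sample responses (not real account data) for a stand-alone check.
SAMPLE_IMAGES = [
    {"ImageId": "ami-01234abcd1234abcd", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-01234123412341234"}}]},
    {"ImageId": "ami-0abcd1234abcd1234", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0abcd1234abcd1234"}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
]
SAMPLE_RESERVATIONS = [{"Instances": [{"ImageId": "ami-0abcd1234abcd1234"}]}]
```

Run run_cleanup("us-east-1") first to review the plan, then run_cleanup("us-east-1", dry_run=False) to deregister and delete; repeat per region, as the page's step 6 instructs.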


Publication date Jun 7, 2016
