Unused RDS Reserved Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RDS-020

Ensure that all your AWS RDS Reserved Instances (RI) have corresponding database instances running within the same account or within any AWS accounts that are members of an AWS Organization (if any). A corresponding database instance is a running RDS instance that matches the reservation parameters such as Region and Instance Type.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability, Cost optimisation

When an AWS RDS Reserved Instance is not in use (i.e. does not have an active corresponding instance), the investment made is not realized. For example, if you reserve a db.m3.medium RDS instance within the US West (Oregon) region and you don't provision a database instance with the same class/type, in the same region of the same AWS account or in any other linked AWS account within your AWS Organization, the specified RDS RI is considered unused and your investment has a negative return.


Audit

To determine if you have any unused RDS Reserved Instances within your AWS account or your AWS Organization, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Reserved Purchases.

04 Choose the active RDS Reserved Instance (RI) that you want to examine.

05 Click the Show or Hide Item Details button to expand the details panel and copy the DB Instance Class attribute value (i.e. the instance type used for the reservation).

06 Within the same AWS region, in the navigation panel, under RDS Dashboard, click Instances.

07 On the RDS dashboard, click inside the search box located under the dashboard top menu, paste the RDS instance class/type value copied at step no. 5 and press Enter. This filtering method will help you determine whether any RDS database instances that match the selected RI criteria are available in the current AWS region. If the search results do not return any database instances that match the reservation class/type parameter, the selected Reserved Instance does not have a corresponding instance running within the current region, therefore the purchased RDS RI is not being used.

08 If you are using Consolidated Billing and the current AWS account is a member of an AWS Organization, access the RDS Instances page on each linked account, under the same region, and repeat step no. 7 to check for any corresponding RDS database instances.

09 Repeat steps no. 4 - 8 for other RDS Reserved Instances (RIs) available in the current region.

10 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-reserved-db-instances command (OSX/Linux/UNIX) using custom query filters to list the identifiers (IDs) of all active RDS Reserved Instances, available in the selected AWS region:

aws rds describe-reserved-db-instances \
	--region us-west-1 \
	--output table \
	--query 'ReservedDBInstances[?State==`active`].ReservedDBInstanceId'

02 The command output should return a table with the requested RDS RI identifiers:

----------------------------
|   ReservedDBInstanceId   |
+--------------------------+
|  RDSMySQL1yReservation   |
|  MyDatabase3yReservation |
+--------------------------+

03 Run the describe-reserved-db-instances command again (OSX/Linux/UNIX) using the RDS RI identifier returned at the previous step and the necessary filtering to expose the instance class (instance type) of the selected RDS Reserved Instance:

aws rds describe-reserved-db-instances \
	--region us-west-1 \
	--reserved-db-instance-id RDSMySQL1yReservation \
	--query 'ReservedDBInstances[*].DBInstanceClass'

04 The command output should return an array with the requested reservation instance class/type:

[
   "db.m3.medium"
]

05 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the instance class/type for each RDS database instance provisioned in the selected AWS region:

aws rds describe-db-instances \
	--region us-west-1 \
	--output table \
	--query 'DBInstances[*].DBInstanceClass'

06 The command output should return a table with the requested RDS instance types:

---------------------
|  DBInstanceClass  |
+-------------------+
|   db.t2.medium    |
|   db.m4.large     |
|   db.m4.large     |
+-------------------+

If the command output does not return an instance class name that matches the reservation class/type returned at step no. 4, the selected Reserved Instance does not have a corresponding database instance running within the current region, therefore the purchased Amazon RDS RI is not currently utilized.

07 If you have an active AWS Consolidated Billing implementation and the current AWS account is a member of an AWS Organization, repeat steps no. 5 and 6 to check for the corresponding RDS database instance within the other AWS accounts that are members of your AWS Organization.

08 Repeat steps no. 3 - 7 for other RDS DB Reserved Instances available within the selected region.

09 Change the AWS region by updating the --region command parameter value and perform the entire audit process for other regions.
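The CLI steps above compare reservation classes against running instance classes by eye, one region and one account at a time. The following Python script is an added example (not Conformity's own check logic, and not from the page) that automates the same comparison over the JSON that `aws rds describe-reserved-db-instances` and `aws rds describe-db-instances` return with `--output json`, pooled across every member account of an Organization per region, as Consolidated Billing does. It goes slightly beyond the rule text, which mentions only Region and Instance Type: it also requires the engine (`ProductDescription` vs `Engine`) and the Multi-AZ flag to agree and compares the reservation's `DBInstanceCount` against the number of `available` instances, on the assumption that those are the attributes RDS uses to apply a reservation. The inventory data below is constructed; the reservation identifiers reuse the ones shown in the page's sample output.

```python
"""Find active RDS Reserved Instances not backed by a running DB instance.

Added example. Input shape: {(account_id, region): {"ReservedDBInstances": [...],
"DBInstances": [...]}}, i.e. the raw describe-* JSON collected per account and
region (for example with `aws rds describe-reserved-db-instances --output json`
run under each member account's credentials).
"""
from collections import defaultdict

# Constructed sample inventory (not real accounts); reservation IDs match the
# page's sample output. Account 222... holds no reservations but its instances
# still count towards the Organization's pool under Consolidated Billing.
SAMPLE_INVENTORY = {
    ("111111111111", "us-west-1"): {
        "ReservedDBInstances": [
            {"ReservedDBInstanceId": "RDSMySQL1yReservation", "DBInstanceClass": "db.m3.medium",
             "ProductDescription": "mysql", "MultiAZ": False, "DBInstanceCount": 1, "State": "active"},
            {"ReservedDBInstanceId": "MyDatabase3yReservation", "DBInstanceClass": "db.m4.large",
             "ProductDescription": "mysql", "MultiAZ": False, "DBInstanceCount": 2, "State": "active"},
        ],
        "DBInstances": [
            {"DBInstanceIdentifier": "app-db", "DBInstanceClass": "db.m4.large",
             "Engine": "mysql", "MultiAZ": False, "DBInstanceStatus": "available"},
        ],
    },
    ("222222222222", "us-west-1"): {
        "ReservedDBInstances": [],
        "DBInstances": [
            {"DBInstanceIdentifier": "reporting-db", "DBInstanceClass": "db.m4.large",
             "Engine": "mysql", "MultiAZ": False, "DBInstanceStatus": "available"},
            # Stopped instances do not consume a reservation, so this one is ignored.
            {"DBInstanceIdentifier": "old-db", "DBInstanceClass": "db.m3.medium",
             "Engine": "mysql", "MultiAZ": False, "DBInstanceStatus": "stopped"},
        ],
    },
}


def _match_key(region, instance_class, engine, multi_az):
    """Attributes on which a reservation and a DB instance must agree (assumption)."""
    return (region, instance_class, engine.lower(), bool(multi_az))


def running_instances_per_key(inventory):
    """Count DB instances in the 'available' state per match key, pooled across
    all accounts in the inventory (one pool per region, as with Consolidated Billing)."""
    counts = defaultdict(int)
    for (_account, region), data in inventory.items():
        for db in data.get("DBInstances", []):
            if db.get("DBInstanceStatus") != "available":
                continue
            key = _match_key(region, db["DBInstanceClass"], db["Engine"], db.get("MultiAZ", False))
            counts[key] += 1
    return counts


def find_unused_reservations(inventory):
    """Return (account, region, ReservedDBInstanceId, uncovered_count) for every
    active reservation whose DBInstanceCount is not fully backed by running instances."""
    pool = running_instances_per_key(inventory)
    findings = []
    for (account, region), data in inventory.items():
        for ri in data.get("ReservedDBInstances", []):
            if ri.get("State") != "active":  # retired/payment-pending RIs are not audited
                continue
            key = _match_key(region, ri["DBInstanceClass"], ri["ProductDescription"],
                             ri.get("MultiAZ", False))
            needed = ri.get("DBInstanceCount", 1)
            covered = min(needed, pool[key])
            pool[key] -= covered  # a running instance backs at most one reservation slot
            if covered < needed:
                findings.append((account, region, ri["ReservedDBInstanceId"], needed - covered))
    return findings


if __name__ == "__main__":
    for account, region, ri_id, uncovered in find_unused_reservations(SAMPLE_INVENTORY):
        print(f"{account} {region}: reservation {ri_id} has {uncovered} unused instance slot(s)")
```

On the constructed data the db.m4.large reservation for two instances is covered by one instance in each account, while RDSMySQL1yReservation (db.m3.medium) is reported as unused because the only matching instance is stopped. Feeding real inventories in means collecting the two describe-* outputs per account and region with read-only credentials; the script itself makes no AWS calls.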

Remediation / Resolution

Because AWS RDS Standard Reserved Instances are committed to you at purchase, you cannot modify, cancel or sell these reservations and you will be billed for them regardless of whether you use them. To make use of your investment, you can provision and utilize a corresponding RDS DB instance for each unused RDS Reserved Instance purchased within the current AWS account or within any other member accounts available in your AWS Organization (if you are using one). To launch RDS DB instances that match the RI purchase criteria, perform the following actions:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Instances.

04 Click the Launch DB Instance button from the RDS dashboard top menu to initiate the database instance provisioning process.

05 On Step 1: Select Engine page, choose the database engine (e.g. MySQL) required by your application and click Select button to select the necessary DB engine and continue the process.

06 On Step 2: Production page, choose whether the new DB instance should be deployed within a production-ready environment or within a development/testing one. After you select the right option, click Next Step to continue.

07 On Step 3: Specify DB Details page, within the Instance Specifications section, select the required instance class/type from the DB Instance Class dropdown list (see Audit section part I, step no. 5 to identify the right instance type) and configure any other database options available on this page based on your application requirements. Click Next Step to continue the setup process.

08 On Step 4: Configure Advanced Settings page, configure the instance network, security, backup and monitoring settings based on your requirements, then click Launch DB Instance to launch your new AWS RDS database instance that matches the selected RI criteria.

09 Repeat steps no. 4 – 8 to provision corresponding RDS DB instances for other Amazon RDS Reserved Instances purchased in the current AWS region and account or within any other member accounts available in your AWS Organization (if you are using one).

10 Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

01 First, create the required security group for the corresponding RDS DB instance that will be launched later:

  1. Run create-security-group command (OSX/Linux/UNIX) to set up the new DB security group. The following command example creates a security group called DBInstanceSG inside the VPC identified with the ID vpc-c06e9327, within the us-west-1 region:

    aws ec2 create-security-group \
    	--region us-west-1 \
    	--group-name DBInstanceSG \
    	--description "MySQL DB Instance Security Group" \
    	--vpc-id vpc-c06e9327

  2. The command output should return the new security group ID:

    {
        "GroupId": "sg-ba75d459"
    }

  3. Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add one or more inbound rules to the security group created at the previous step (no command output is returned). The example below uses 0.0.0.0/0, which makes port 3306 reachable from any address; replace the --cidr value with the address range (or the --source-group of the application tier) that actually needs database access:

    aws ec2 authorize-security-group-ingress \
    	--region us-west-1 \
    	--group-id sg-ba75d459 \
    	--protocol tcp \
    	--port 3306 \
    	--cidr 0.0.0.0/0

02 Run create-db-instance command (OSX/Linux/UNIX) to launch a corresponding RDS DB instance that matches the existing RI purchase criteria. The following command example creates a db.m3.medium MySQL database instance named MySQLTestDBInstance within the US West (Oregon) AWS region; because the security group created at step no. 1 lives in a VPC, it is attached with --vpc-security-group-ids (the --db-security-groups parameter takes EC2-Classic DB security group names, not VPC security group IDs):

aws rds create-db-instance \
	--region us-west-1 \
	--db-instance-identifier MySQLTestDBInstance \
	--allocated-storage 30 \
	--db-instance-class db.m3.medium \
	--engine mysql \
	--master-username awsdbname \
	--master-user-password awsdbpwd \
	--vpc-security-group-ids sg-ba75d459 \
	--port 3306 \
	--no-multi-az

03 The command output should return the new RDS DB instance configuration metadata:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "awsdbname",
        "Engine": "mysql",
        "MultiAZ": false,
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-ba75d459"
            }
        ],
        "OptionGroupMemberships": [
            {
                "Status": "in-sync",
                "OptionGroupName": "default:mysql-5-6"
            }
        ],

        ...

        "CopyTagsToSnapshot": false,
        "ReadReplicaDBInstanceIdentifiers": [],
        "AllocatedStorage": 30,
        "BackupRetentionPeriod": 1,
        "PreferredMaintenanceWindow": "thu:10:08-thu:10:38",
        "DBInstanceStatus": "creating",
        "EngineVersion": "5.6.27",
        "DomainMemberships": [],
        "StorageType": "standard",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.m3.medium",
        "DbInstancePort": 3306,
        "DBInstanceIdentifier": "mysqltestdbinstance"
    }
}

04 Repeat steps no. 1 – 3 to provision corresponding RDS DB instances for other Amazon RDS Reserved Instances purchased in the current AWS region/account or within any other member accounts available in your AWS Organization (if applicable).

05 Change the AWS region by updating the --region command parameter value and perform the entire process for other regions.

Publication date Mar 7, 2017
