Persistent Disks Attached to Suspended Virtual Machines

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

To avoid unexpected charges on your Google Cloud bill, identify any persistent disks attached to suspended virtual machine (VM) instances and remove them if the VMs are no longer needed.

Security

Compute Engine bills every persistent disk for its provisioned capacity, regardless of whether the VM instance it is attached to is running, suspended, or stopped. A disk attached to a suspended instance therefore keeps adding storage charges to your monthly bill while doing no work. Any such disk whose instance is not going to be resumed is a good candidate for removal to reduce your GCP costs and stop the charges from accumulating.


Audit

To identify any persistent disks attached to suspended virtual machine (VM) instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute.

04 In the navigation panel, select Disks to access the list of the persistent disks provisioned for the selected GCP project.

05 Choose the persistent disk that you want to examine and click on the name (link) of the associated VM instance, listed in the In use by column.

06 Select the DETAILS tab and check the Status attribute value listed in the Basic information section. If the Status value is Suspending or Suspended, the selected disk is attached to a suspended virtual machine (VM) instance and is adding provisioned-storage charges to your GCP bill while it is not in use.

07 Repeat steps no. 5 and 6 for each persistent disk provisioned within the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-backend-app-project-112233

03 Run compute disks list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the name and zone of each persistent disk provisioned for the selected project (the basename() transform trims the zone resource URL down to the zone name used by the commands that follow):

gcloud compute disks list --project cc-web-stack-project-123123 --format="table(name,zone.basename())"

04 The command output should return the name and zone of each disk available within the selected GCP project:

NAME                   ZONE
cc-staging-vm-boot     us-central1-a
cc-staging-vm-data     us-central1-a
cc-production-vm-boot  us-central1-c
cc-production-vm-data  us-central1-c

05 Run compute disks describe command (Windows/macOS/Linux) using the name and the zone of the persistent disk that you want to examine as the identifier parameters and custom filtering to return the VM instance(s) that use the selected disk. The users attribute is a list: a disk attached in read-only or multi-writer mode can be in use by more than one instance, in which case each listed instance needs to be checked in the next step.

gcloud compute disks describe cc-staging-vm-boot --project cc-web-stack-project-123123 --zone us-central1-a --format="value(users)"

06 The command output should return the resource URL of the associated VM instance (an empty result means the disk is not attached to any instance, which is a different finding):

https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-staging-vm-instance

07 Run compute instances describe command (Windows/macOS/Linux) using the name of the instance returned in the previous step (the last path component of the resource URL) and its zone as the identifier parameters, to return the current status of the VM instance associated with your persistent disk:

gcloud compute instances describe cc-staging-vm-instance --project cc-web-stack-project-123123 --zone us-central1-a --format="value(status)"

08 The command output should return the current state of the VM instance:

SUSPENDED

If the compute instances describe command output returns SUSPENDING or SUSPENDED, as shown in the example above, the selected disk is attached to a suspended virtual machine (VM) instance and is adding provisioned-storage charges to your Google Cloud bill while it is not in use.

09 Repeat steps no. 5 - 8 for each persistent disk provisioned for the selected GCP project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.
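The CLI audit above can be scripted. The following shell script is an added example written for this page, not Conformity's own tooling and not taken from the article. It generalises the procedure: instead of one describe call per disk it issues two list calls per project (disks with their users attribute, instances with their status) and joins them, so it also handles disks whose users list names more than one instance. It relies only on documented gcloud behaviour: the value() output format prints tab-separated columns and joins list fields with ';', and zone.basename() trims the zone URL. The embedded sample listing is constructed to mirror the article's example project and is not real output; the unattached disk cc-orphan-data is an assumed name added to show that such disks are deliberately not reported by this check. Run the script with --live to audit every project the current gcloud credentials can list; with no arguments it runs against the sample.

```shell
#!/bin/sh
# Added example: report persistent disks attached to SUSPENDING/SUSPENDED instances.
# Not part of the Conformity article; uses only documented gcloud flags and formats.
set -eu

# Join the disks' `users` (instance URLs) against the instances' `status`.
#   $1: disks listing, one per line:     name<TAB>zone<TAB>users   (users is ';'-joined)
#   $2: instances listing, one per line: selfLink<TAB>status
# Prints name<TAB>zone<TAB>instance<TAB>status for each disk whose instance is suspended.
# A disk attached to several instances is reported once per suspended user.
find_suspended_disks() {
  {
    printf '%s\n' "$2"
    printf '%s\n' '---'       # marker separating the two listings for awk
    printf '%s\n' "$1"
  } | awk -F'\t' '
    $0 == "---"  { in_disks = 1; next }
    !in_disks    { if ($1 != "") status[$1] = $2; next }
    {
      n = split($3, users, ";")       # empty users => unattached disk, not this finding
      for (i = 1; i <= n; i++) {
        u = users[i]
        if (u == "") continue
        s = (u in status) ? status[u] : ""
        if (s == "SUSPENDING" || s == "SUSPENDED") {
          inst = u
          sub(".*/instances/", "", inst)   # keep only the instance name
          print $1 "\t" $2 "\t" inst "\t" s
        }
      }
    }'
}

# Live audit: two list calls per project instead of a describe per disk.
# Needs compute.disks.list and compute.instances.list in every project.
audit_all_projects() {
  gcloud projects list --format="value(projectId)" | while IFS= read -r project; do
    disks=$(gcloud compute disks list --project "$project" \
              --format="value(name,zone.basename(),users)")
    instances=$(gcloud compute instances list --project "$project" \
              --format="value(selfLink,status)")
    find_suspended_disks "$disks" "$instances" \
      | awk -F'\t' -v OFS='\t' -v p="$project" '{ print p, $0 }'
  done
}

# Constructed sample in the exact shape `--format="value(...)"` emits. Project,
# instance and disk names mirror the article; cc-orphan-data (no users) is assumed.
BASE="https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones"
SAMPLE_INSTANCES=$(printf '%s\t%s\n' \
  "$BASE/us-central1-a/instances/cc-staging-vm-instance"    SUSPENDED \
  "$BASE/us-central1-c/instances/cc-production-vm-instance" RUNNING)
SAMPLE_DISKS=$(printf '%s\t%s\t%s\n' \
  cc-staging-vm-boot    us-central1-a "$BASE/us-central1-a/instances/cc-staging-vm-instance" \
  cc-staging-vm-data    us-central1-a "$BASE/us-central1-a/instances/cc-staging-vm-instance" \
  cc-production-vm-boot us-central1-c "$BASE/us-central1-c/instances/cc-production-vm-instance" \
  cc-production-vm-data us-central1-c "$BASE/us-central1-c/instances/cc-production-vm-instance" \
  cc-orphan-data        us-central1-a "")

if [ "${1:-}" = "--live" ]; then
  audit_all_projects
else
  printf 'DISK\tZONE\tINSTANCE\tSTATUS\n'
  find_suspended_disks "$SAMPLE_DISKS" "$SAMPLE_INSTANCES"
fi
```

Against the sample, only cc-staging-vm-boot and cc-staging-vm-data are reported: the production disks belong to a RUNNING instance and the unattached disk has no user to look up. The join is keyed on the full instance selfLink, which is what the disk's users field contains, so instances with the same name in different zones are not confused.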

Remediation / Resolution

Option 1: If the suspended VM instance and the attached disk(s) are no longer needed, you can safely remove them from your cloud account to avoid accumulating unnecessary charges. Note that deleting an instance removes only the attached disks that have the auto-delete option enabled (by default, the boot disk); disks attached with auto-delete disabled stay in the project and keep billing for their provisioned storage until they are deleted separately from the Disks page or with the compute disks delete command. Check the auto-delete setting of each attached disk before deleting the instance. The Remediation process below deletes the selected VM instance together with its auto-delete disk(s):

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute.

04 In the navigation panel, choose VM instances, and select the INSTANCES tab to access the list of the virtual machine (VM) instances provisioned for the selected GCP project.

05 Select the VM instance that you want to terminate and choose DELETE.

06 In the confirmation box, choose DELETE to remove the selected VM instance from your GCP project.

07 Repeat steps no. 5 and 6 for each VM instance that you want to delete, available within the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 To avoid extra charges on your Google Cloud bill, remove the suspended instance from your GCP project. Run compute instances delete command (Windows/macOS/Linux) using the name and the zone of the VM instance that you want to delete as the identifier parameters. As the confirmation prompt states, only disks configured to auto-delete are removed with the instance; add the --delete-disks=all flag to remove every attached disk as well, or --keep-disks to retain specific ones:

gcloud compute instances delete cc-staging-vm-instance --project cc-web-stack-project-123123 --zone us-central1-a

02 Type Y and press Enter at the command prompt to confirm the Compute Engine resource removal:

The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.
- [cc-staging-vm-instance] in [us-central1-a]

Do you want to continue (Y/n)?

Deleted [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-staging-vm-instance].

03 Repeat steps no. 1 and 2 for each VM instance that you want to delete, available in the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
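The delete prompt above spells out the trap in this remediation: only disks attached with auto-delete enabled go away with the instance. The following shell snippet is an added example, not Conformity's remediation code. Its surviving_disks function parses the instance's disks[].autoDelete and disks[].source lists as gcloud prints them with --format="value(...)" (tab between columns, ';' between list items, booleans as True/False) and names every disk that a plain delete would leave behind and keep billing; delete_suspended_instance then reports those disks and removes the instance together with all of its disks using the documented --delete-disks=all and --quiet flags. The sample describe line is constructed; the instance and disk names are the article's.

```shell
#!/bin/sh
# Added example: preflight the instance delete so no attached disk is left behind.
# Not part of the Conformity article.
set -eu

# $1: the single line printed by
#   gcloud compute instances describe NAME --zone Z \
#     --format="value(disks[].autoDelete,disks[].source)"
# i.e. "True;False<TAB><url1>;<url2>". Prints name<TAB>zone for every disk with
# autoDelete false, i.e. every disk a plain `instances delete` would keep (and bill).
surviving_disks() {
  printf '%s\n' "$1" | awk -F'\t' '{
    n = split($1, auto, ";")
    split($2, src, ";")
    for (i = 1; i <= n; i++) {
      if (auto[i] == "True") continue
      name = src[i]; zone = src[i]
      sub(".*/disks/", "", name)                       # .../disks/<name>
      sub(".*/zones/", "", zone); sub("/disks/.*", "", zone)   # .../zones/<zone>/disks/...
      print name "\t" zone
    }
  }'
}

# Live remediation for an instance already confirmed SUSPENDED and unneeded:
# report what a default delete would keep, then delete instance and all disks.
# --delete-disks=all and --quiet are documented gcloud flags (--quiet skips the Y/n prompt).
delete_suspended_instance() {
  project=$1; zone=$2; instance=$3
  kept=$(surviving_disks "$(gcloud compute instances describe "$instance" \
           --project "$project" --zone "$zone" \
           --format="value(disks[].autoDelete,disks[].source)")")
  [ -z "$kept" ] || printf 'Disks without auto-delete, removed by --delete-disks=all:\n%s\n' "$kept"
  gcloud compute instances delete "$instance" --project "$project" --zone "$zone" \
    --delete-disks=all --quiet
}

# Constructed sample: the boot disk auto-deletes, the data disk does not.
BASE="https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks"
SAMPLE_DESCRIBE=$(printf '%s\t%s' "True;False" \
  "$BASE/cc-staging-vm-boot;$BASE/cc-staging-vm-data")

printf 'Disks a plain delete of cc-staging-vm-instance would leave behind:\n'
surviving_disks "$SAMPLE_DESCRIBE"
```

For the sample, only cc-staging-vm-data in us-central1-a is listed; an instance whose disks all have autoDelete true produces no output, and a plain delete is then sufficient. Run the preflight on its own first when the suspended instance might hold data someone still wants: once the instance and its disks are deleted, the prompt's warning applies and the data is gone.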

Option 2: If the suspended VM instance is going to be resumed, its attached disk(s) are still needed and must not be removed; the storage charges are the cost of keeping the instance's state, and no action is required.

Publication date May 3, 2024