Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

EC2 Large Instance Changes Alarm

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CWL-009

Ensure there is an Amazon CloudWatch alarm set up in your AWS account that is triggered each time an EC2 large instance is created. This CloudWatch alarm must fire and send email notifications every time an AWS API call is made to provision a 4xlarge or 8xlarge EC2 instance.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using Amazon CloudWatch alarms to detect EC2 large instance launches will help you manage better your heavy compute resources and avoid any unexpected charges on your AWS bill.

Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account, otherwise see this rule to enable AWS Cloudtrail – CloudWatch integration.
Note 2: You have also the option to implement this conformity rule with AWS CloudFormation. Download the required CloudFormation template from this URL and follow the AWS instructions available here.

Audit

To determine if there are any CloudWatch alarms set up to monitor AWS EC2 4xlarge/8xlarge instances status changes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel select Alarms.

04 Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon:

Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon

then select the Metric Name checkbox.

05 In the Metric Name column, verify each alarm available for the EC2LargeInstanceEventCount metric parameter name. If the EC2LargeInstanceEventCount metric is not used by any of your existing alarms, the provisioning process for AWS EC2 4xlarge/8xlarge instances is not monitored using Amazon CloudWatch.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-alarms-for-metric command (OSX/Linux/UNIX) to list all AWS CloudWatch alarms that are currently associated with the EC2LargeInstanceEventCount metric, available in the selected region: 

aws cloudwatch describe-alarms-for-metric
    --region us-east-1
    --metric-name EC2InstanceEventCount
    --namespace CloudTrailMetrics

02The command output should return an array with the requested CloudWatch alarm(s) metadata: 

{
    "MetricAlarms": []
}

If the command output returns an empty array as the value for the MetricAlarms property (as shown in the example above), there are no CloudWatch alarms currently set to monitor AWS EC2 4xlarge/8xlarge instances provisioning process.

03 Perform step no. 1 and 2 to repeat the audit process for other AWS regions.

Remediation / Resolution

Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send notifications whenever the appropriate Amazon CloudWatch alarm is triggered.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name for your topic then click Create Topic.

05 Open the newly created SNS topic configuration page by clicking on its Amazon Resource Name (ARN):

Open the newly created SNS topic configuration page by clicking on its Amazon Resource Name.

06 Under Subscription section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the CloudWatch alarm notifications then click Create Subscription to create the required subscription.

09 Use your preferred email client application to open the message received from AWS Notifications, then click on the appropriate link to confirm your new subscription.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications whenever your AWS CloudWatch alarm is triggered: 

aws sns create-topic
    --name CloudWatchAlarmSNSTopic

02The command output should return the new SNS topic Amazon Resource Name (ARN): 

{
  "TopicArn": "arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic"
}

03Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided): 

aws sns subscribe
    --topic-arn arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
    --protocol email
    --notification-endpoint no-reply@cloudconformity.com

04Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not return an output): 

aws sns confirm-subscription
    --topic-arn arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic
    --token 5f32e92f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da71d8012

Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send email notifications whenever an AWS EC2 4xlarge or 8xlarge instance is created.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, select Logs.

04 Select the log group created for your CloudTrail trail event logs and click Create Metric Filter button.

05 On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box: { ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }. This pattern will be used for scanning the AWS CloudTrail logs for any “RunInstances” event name entries that match the required instance type.

06 Review the metric filter config details then click Assign Metric.

07 On the Create Metric Filter and Assign a Metric page, perform the following:

  1. In the Filter Name box, enter a unique name for the new filter, e.g. LaunchEC2LargeInstances.
  2. In the Metric Namespace box, type CloudTrailMetrics.
  3. In the Metric Name box, type EC2LargeInstanceEventCount for the metric identifier.
  4. Click Show advanced metric settings to slide down the advanced settings section.
  5. In the Metric Value box, enter 1.

08 Review the details then click Create Filter to generate your new CloudWatch Logs metric filter.

09 On the current page click Create Alarm: .

Create Alarm

10 In the Create Alarm dialog box, provide the following information:

  1. Within the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
  2. Under Whenever: <Metric Name>, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value in the box next to the dropdown list to trigger the alarm every time an EC2 4xlarge or 8xlarge instance is provisioned in your AWS account.
  3. In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu and choose the AWS SNS topic name created at Step 1 from Send notification to.
  4. In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
  5. Review the CloudWatch alarm configuration details then click Create Alarm. Once created, the new alarm will be listed on the Alarms page.

Using AWS CLI

01 Run put-metric-filter command (OSX/Linux/UNIX) to create the necessary CloudWatch metric filter and associate it with your appropriate Amazon CloudTrail log group (the command does not return an output):

aws logs put-metric-filter
    --region us-east-1
    --log-group-name CloudTrail/CloudWatchLogGroup
    --filter-name LaunchEC2LargeInstance
    --filter-pattern '{ ($.eventName = RunInstances) && (($.requestParameters.instanceType = *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }'
    --metric-transformations metricName=EC2LargeInstanceEventCount,metricNamespace=CloudTrailMetrics,metricValue=1

02 Run put-metric-alarm command (OSX/Linux/UNIX) to create the AWS CloudWatch alarm that will fire whenever an EC2 4xlarge/8xlarge instance is launched within your AWS account (the command does not return an output):

aws cloudwatch put-metric-alarm
    --region us-east-1
    --alarm-name EC2LargeInstanceLaunchAlarm
    --alarm-description "Triggered by large EC2 instances launch events."
    --metric-name EC2LargeInstanceEventCount
    --namespace CloudTrailMetrics
    --statistic Sum
    --comparison-operator GreaterThanOrEqualToThreshold
    --evaluation-periods 1
    --period 300
    --threshold 1
    --actions-enabled
    --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmSNSTopic

References

Publication date Sep 16, 2016

Related CloudWatchLogs rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

EC2 Large Instance Changes Alarm

Risk Level: Medium