Check for EC2 Instances with Blocklisted Instance Types

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC2-071

Ensure that none of the Amazon EC2 instances provisioned within your AWS cloud account have their instance type banned by your organization. Before running this rule by the Trend Cloud One™ – Conformity engine, the list of unapproved EC2 instance types must be configured in the rule settings, on your Conformity account console.

This rule resolution is part of the Conformity solution.

Security

Setting limits for the EC2 instance types used within your organization can help you address internal security compliance and prevent unexpected charges on your AWS bill. Furthermore, banning a small set of EC2 instance types, usually extremely large instance types such as r4.16xlarge or c5d.18xlarge, is much more efficient than having to explicitly permit a large number of allowed instance types.


Audit

To determine if there are Amazon EC2 instances with unapproved instance types available in your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for EC2 Instances with Unapproved Instance Types conformity rule settings, and copy the instance type(s) banned by your organization.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Instances, choose Instances.

05 Click inside the Filter instances box, select Instance type, paste the name of the unapproved instance type copied at step no. 1, and press Enter. Repeat this step for each unapproved instance type defined in the conformity rule settings. If the filter returns one or more EC2 instances, those instances were launched using unapproved instance types. You must therefore take action and create a support case asking Amazon Web Services (AWS) to deny the creation of EC2 instances with banned instance types in the current AWS cloud region.

06 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for EC2 Instances with Unapproved Instance Types conformity rule settings, and copy the instance type(s) banned by your organization.

02 Run the describe-instances command (OSX/Linux/UNIX) with the unapproved instance type copied at the previous step as the filtering parameter, to list the ID of each Amazon EC2 instance launched with that instance type in the selected AWS region. Replace <banned-instance-type> with the instance type copied at step no. 1. Run this command once for each unapproved instance type defined in the conformity rule settings (the trailing backslashes continue the command across lines):

aws ec2 describe-instances \
  --region us-east-1 \
  --filters "Name=instance-state-name,Values=running" "Name=instance-type,Values=<banned-instance-type>" \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
|  i-01234abcd1234abcd  |
+-----------------------+

If the describe-instances command output returns one or more instance IDs, those Amazon EC2 instances were launched using unapproved instance types. You must therefore take action and create a support case asking AWS to deny the creation of EC2 instances with banned instance types in the selected AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.
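The CLI audit above runs one describe-instances call per banned type and per region, and its state filter only matches running instances. The following script is an added example (not code from the Conformity page or the Conformity engine) that implements the same EC2-071 check as a pure function over the JSON that describe-instances returns, so one call per region covers the whole blocklist, stopped instances are reported as well, and the logic can be exercised offline on constructed data. The blocklist values, the sample instances and the glob-pattern support (p4d.*) are assumptions made for this example.

```python
"""Added example, not code from the Conformity page: the EC2-071 check as a
pure function over describe-instances JSON, plus a thin wrapper around the
aws CLI call shown in the Audit section."""
import fnmatch
import json
import subprocess
import sys

# Constructed blocklist standing in for the types copied from the rule settings.
# Glob patterns (p4d.*) extend the page's exact-type filter; that is an assumption.
BANNED_TYPES = ["r4.16xlarge", "c5d.18xlarge", "p4d.*"]

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0abcdabcdabcdabcd", "InstanceType": "r4.16xlarge", "State": {"Name": "running"}},
    {"InstanceId": "i-0abcd1234abcd1234", "InstanceType": "t3.micro", "State": {"Name": "running"}},
    {"InstanceId": "i-01234abcd1234abcd", "InstanceType": "p4d.24xlarge", "State": {"Name": "stopped"}},
    {"InstanceId": "i-0dead0000dead0000", "InstanceType": "c5d.18xlarge", "State": {"Name": "terminated"}},
]}]}

def is_banned(instance_type, banned):
    """Exact type or glob match against the organization's blocklist."""
    return any(fnmatch.fnmatchcase(instance_type, p) for p in banned)

def banned_instances(describe_output, banned, region):
    """One finding per non-terminated instance whose type is blocklisted.
    Unlike the page's filter this keeps stopped instances: they can be started again."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name", "")
            if state != "terminated" and is_banned(inst["InstanceType"], banned):
                findings.append((region, inst["InstanceId"], inst["InstanceType"], state))
    return findings

def audit_region(region, banned):
    """Run the Audit section's describe-instances call for one region and check it."""
    out = subprocess.run(["aws", "ec2", "describe-instances", "--region", region,
                          "--output", "json"], check=True, capture_output=True, text=True).stdout
    return banned_instances(json.loads(out), banned, region)

if __name__ == "__main__":
    # Regions are given on the command line; with none, the constructed sample is checked.
    regions = sys.argv[1:]
    findings = ([f for r in regions for f in audit_region(r, BANNED_TYPES)]
                if regions else banned_instances(SAMPLE, BANNED_TYPES, "us-east-1"))
    for f in findings:
        print("\t".join(f))
    sys.exit(1 if findings else 0)  # non-zero exit marks the check as failed
```

Run it as `python3 ec2_071_check.py us-east-1 eu-west-1` with AWS credentials configured; a non-zero exit status means at least one blocklisted instance exists and the support case described under Remediation is needed.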

Remediation / Resolution

To ensure that no Amazon EC2 instances are launched within your AWS cloud account using unapproved instance types, perform the following actions:

Note: Creating a support case to request instance type restrictions using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center console at https://console.aws.amazon.com/support/.

03 In the Open support cases section, choose Create case to initiate the request process.

04 On the Create case page, perform the following operations:

  1. Select Account and billing support option.
  2. Select Account from the Type dropdown list.
  3. Select Other Account Issues from the Category dropdown list.
  4. Provide the request subject in the Subject box, e.g. "Deny launch Amazon EC2 instances with specific instance types".
  5. For Description, provide a concise description where you list the unapproved instance types and explain why you need to block the provisioning of Amazon EC2 instances with unapproved instance types. This will help the AWS support team to evaluate your request.
  6. For Contact options, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support team can use to respond to your request from the Contact methods section.
  7. Choose Submit to send your request to Amazon Web Services. A customer support representative should contact you shortly.

Publication date Apr 15, 2019