End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

EC2 Instances with Unapproved Instance Types

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC2-071

Ensure that none of the Amazon EC2 instances provisioned in your AWS cloud account have their instance type banned by your organization. Before running this rule by the Trend Cloud One™ – Conformity engine, the list of unapproved EC2 instance types must be configured in the rule settings, in your Conformity account.

This rule resolution is part of the Conformity solution.

Security

Setting limits for the EC2 instance types used within your organization can help you address internal security compliance and prevent unexpected charges on your AWS bill. Furthermore, banning a small set of EC2 instance types, usually extremely large instance types such as r4.16xlarge or c5d.18xlarge, is much more efficient than having to explicitly permit a large number of allowed instance types.


Audit

To determine if there are Amazon EC2 instances with unapproved instance types available in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access EC2 Instances with Unapproved Instance Types conformity rule settings, and copy the instance type(s) banned by your organization.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under Instances, choose Instances.

05 Click inside the Find Instance by attribute or tag (case-sensitive) box located under Instances, choose Instance type, select Equals from Operators, paste the name of the unapproved instance type copied in step no. 1, and press Enter. Repeat this step for each unapproved instance type defined in the conformity rule settings. If the filter returns one or more Amazon EC2 instances, those instances were launched using unapproved instance types. As a result, you must take action and create a support case to request Amazon Web Services (AWS) to deny creating EC2 instances with banned instance types in the current AWS region.

06 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access EC2 Instances with Unapproved Instance Types conformity rule settings, and copy the instance type(s) banned by your organization.

02 Run describe-instances command (OSX/Linux/UNIX) with the unapproved instance type copied in the previous step as filtering parameter, to list the ID of each Amazon EC2 instance launched using the specified instance type, available in the selected AWS region. Replace <banned-instance-type> with the instance type copied in step no. 1. Run this command for each unapproved instance type defined in the conformity rule settings:

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=instance-state-name,Values=running" "Name=instance-type,Values=<banned-instance-type>" \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
|  i-01234abcd1234abcd  |
+-----------------------+

If the describe-instances command output returns one or more instance IDs, as shown in the example above, one or more Amazon EC2 instances were launched using unapproved instance types. As a result, you must take action and create a support case to request Amazon Web Services (AWS) to deny creating EC2 instances with banned instance types in the selected AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat the Audit process for other regions.
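The CLI audit above runs one describe-instances call per banned instance type per region. The following Python script is an added example, not part of the Conformity rule or the AWS CLI, that performs the same check offline over the JSON that `aws ec2 describe-instances --region <region> --output json` returns. It goes slightly beyond the page: it evaluates all banned types in a single pass per region, can optionally include non-running instances (the page's filter only considers running ones), and accepts shell-style family patterns such as `r4.*` in addition to exact type names. The banned list, instance IDs and regions in the sample data are constructed for this example.

```python
"""Offline check for EC2 instances whose instance type is on an organization's banned list.

Input is the JSON document produced by `aws ec2 describe-instances --output json`,
one per region. The sample below is constructed for this example.
"""
import fnmatch
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample of describe-instances output for two regions.
SAMPLE_DESCRIBE_OUTPUT = {
    "us-east-1": {
        "Reservations": [
            {"Instances": [
                {"InstanceId": "i-0abcdabcdabcdabcd", "InstanceType": "r4.16xlarge",
                 "State": {"Name": "running"}},
                {"InstanceId": "i-0abcd1234abcd1234", "InstanceType": "t3.micro",
                 "State": {"Name": "running"}},
            ]},
            {"Instances": [
                {"InstanceId": "i-01234abcd1234abcd", "InstanceType": "c5d.18xlarge",
                 "State": {"Name": "stopped"}},
            ]},
        ]
    },
    "eu-west-1": {
        "Reservations": [
            {"Instances": [
                {"InstanceId": "i-0ffffeeeeddddcccc", "InstanceType": "c5d.18xlarge",
                 "State": {"Name": "running"}},
            ]}
        ]
    },
}

# Banned list as it would be copied from the Conformity rule settings (assumed values).
BANNED_INSTANCE_TYPES = ["r4.16xlarge", "c5d.18xlarge"]


def instance_type_is_banned(instance_type: str, banned: Iterable[str]) -> bool:
    """True if the type matches any banned entry. Entries may be exact names
    (r4.16xlarge) or shell-style patterns (r4.*); '.' is literal in fnmatch."""
    return any(fnmatch.fnmatchcase(instance_type, pattern) for pattern in banned)


def find_unapproved_instances(
    describe_output_by_region: Dict[str, dict],
    banned: Iterable[str],
    states: frozenset = frozenset({"running"}),
) -> Dict[str, List[Tuple[str, str]]]:
    """Return {region: [(instance_id, instance_type), ...]} for instances in one of
    `states` whose type is banned. Default matches the page's CLI filter (running only)."""
    banned = list(banned)
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for region, payload in describe_output_by_region.items():
        for reservation in payload.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                if inst.get("State", {}).get("Name") not in states:
                    continue
                itype = inst.get("InstanceType", "")
                if instance_type_is_banned(itype, banned):
                    findings.setdefault(region, []).append((inst["InstanceId"], itype))
    return findings


def load_describe_output(path: str) -> dict:
    """Load a file saved from `aws ec2 describe-instances --region <r> --output json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Real use: {"us-east-1": load_describe_output("us-east-1.json"), ...}
    for region, hits in find_unapproved_instances(SAMPLE_DESCRIBE_OUTPUT, BANNED_INSTANCE_TYPES).items():
        for instance_id, itype in hits:
            print(f"{region}\t{instance_id}\t{itype}\tUNAPPROVED")
```

Any region that appears in the result is one where a support case for instance type restriction is warranted, exactly as the CLI step states; passing `states=frozenset({"running", "stopped"})` also surfaces stopped instances that would become non-compliant the moment they are started.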

Remediation / Resolution

To ensure that no Amazon EC2 instances are launched within your AWS cloud account using unapproved instance types, perform the following operations:

Note: Creating a support case to request instance type restriction using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center console available at https://console.aws.amazon.com/support/.

03 In the left navigation panel, under Support Center, choose Your support cases.

04 Choose Create case and perform the following actions to create a support case for instance type restriction:

  1. For How can we help?, provide the following information:
    1. Choose Account and billing for the support case type.
    2. For Service, select Account.
    3. For Category, choose Other Account Issues.
    4. For Severity, select General question.
    5. Choose Next step: Additional information.
  2. For Additional information, provide the following information:
    1. Choose your preferred contact language from the Preferred contact language dropdown list.
    2. For Subject, provide the support request subject, such as Deny launch Amazon EC2 instances with specific instance types.
    3. For Description, provide a concise description where you list the unapproved instance types and explain why you need to block the provisioning of Amazon EC2 instances with unapproved instance types. This will help the AWS support team to evaluate your request.
    4. Choose Next step: Solve now or contact us.
  3. For Solve now or contact us, select the Contact us tab, and choose a preferred contact method that AWS support team can use to respond to your request.
  4. Choose Submit to send your request to Amazon Web Services (AWS). A customer support representative should contact you shortly.

Publication date Apr 15, 2019