
EC2 Instance Generation


Risk Level: Medium (should be achieved)
Rule ID: EC2-029

Ensure that all your Amazon EC2 instances are using the latest generation of instance types in order to get the best performance with lower costs.

This rule can help you work with the AWS Well-Architected Framework, under the Sustainability, Performance efficiency and Cost optimisation pillars.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Using the current (latest) generation of EC2 instance types instead of the previous generation has several advantages: newer hardware (faster CPUs, more memory, higher network and EBS throughput), HVM-only virtualization on the newer platform (most current families run on the AWS Nitro system, which also requires ENA networking and NVMe storage drivers in the guest OS), and a lower price per unit of performance. Previous-generation families such as c3, m3, r3, m1 and t1 are still supported, but they receive none of these improvements.


Audit

To determine if there are any Amazon EC2 instances from the previous generation running within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console bottom panel to access the instance configuration details.

06 In the Instance summary section, check the Instance type configuration attribute value to determine if the instance type is from the previous generation. If the instance type is from the previous generation, the instance type configured for the selected Amazon EC2 instance should be upgraded to the latest generation.

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom filtering to describe the instance type used by the selected EC2 instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[*].InstanceType[]'

04 The command output should return the instance type configured for the selected instance:

[
    "c3.large"
]

Compare the instance type returned by the describe-instances command output with the list of previous generation instance types (published by AWS at https://aws.amazon.com/ec2/previous-generation/; the same information is available from the describe-instance-types command, which reports a CurrentGeneration attribute for every type and accepts a current-generation filter). If the instance type is from the previous generation, the instance type configured for the selected Amazon EC2 instance should be upgraded to the latest generation.

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
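The per-instance comparison above is tedious across many instances and regions, and a hand-maintained list of previous-generation types goes stale. The following Python script is an added example, not code from the Conformity page or from Trend Micro: it takes the previous-generation list from the EC2 DescribeInstanceTypes API (current-generation=false filter) and flags every instance whose type is in that list. The reservation data and the previous-generation set embedded below are constructed to mirror the page's sample describe-instances output; the instance IDs are not real. Only audit_region() talks to AWS and requires boto3 and credentials; the check itself is a pure function that runs offline.

```python
"""Added example (not part of the Conformity page): flag EC2 instances whose
instance type is no longer current generation.

The previous-generation list comes from the EC2 DescribeInstanceTypes API
(filter current-generation=false) rather than a hard-coded table, so the
check does not go stale as AWS retires families. The sample reservations
below are constructed to mirror the page's describe-instances output.
"""
from typing import Dict, Iterable, List, Set


def previous_generation_types(ec2) -> Set[str]:
    """Return every instance type that EC2 reports as not current generation.

    `ec2` is a boto3 EC2 client. DescribeInstanceTypes is paginated, so walk
    every page; reading a single page would silently drop types.
    """
    types: Set[str] = set()
    paginator = ec2.get_paginator("describe_instance_types")
    pages = paginator.paginate(
        Filters=[{"Name": "current-generation", "Values": ["false"]}]
    )
    for page in pages:
        for info in page["InstanceTypes"]:
            types.add(info["InstanceType"])
    return types


def flag_previous_generation(reservations: Iterable[dict],
                             previous_gen: Set[str]) -> List[Dict[str, str]]:
    """Pure check over DescribeInstances-shaped data.

    Returns one record per instance whose type is in `previous_gen`, keeping
    the state so the caller can decide whether stopped instances matter.
    """
    findings: List[Dict[str, str]] = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            itype = inst["InstanceType"]
            if itype in previous_gen:
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "InstanceType": itype,
                    "State": inst.get("State", {}).get("Name", "unknown"),
                })
    return findings


def audit_region(region: str) -> List[Dict[str, str]]:
    """Live audit of one region (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the pure functions above work offline
    ec2 = boto3.client("ec2", region_name=region)
    previous_gen = previous_generation_types(ec2)
    reservations: List[dict] = []
    # Skip terminated instances; they linger in the API for a while.
    for page in ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name",
                  "Values": ["pending", "running", "stopping", "stopped"]}]
    ):
        reservations.extend(page["Reservations"])
    return flag_previous_generation(reservations, previous_gen)


# Constructed sample data shaped like describe-instances output; the IDs
# match the page's examples and are not real instances.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-01234abcd1234abcd", "InstanceType": "c3.large",
         "State": {"Name": "running"}},
        {"InstanceId": "i-0abcdabcdabcdabcd", "InstanceType": "c5.large",
         "State": {"Name": "running"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0abcd1234abcd1234", "InstanceType": "m3.medium",
         "State": {"Name": "stopped"}},
    ]},
]
# Constructed stand-in for what previous_generation_types() returns live.
SAMPLE_PREVIOUS_GEN = {"c3.large", "m3.medium", "m1.small", "t1.micro"}

if __name__ == "__main__":
    for f in flag_previous_generation(SAMPLE_RESERVATIONS, SAMPLE_PREVIOUS_GEN):
        print(f"{f['InstanceId']}\t{f['InstanceType']}\t{f['State']}")
```

To cover every region, call audit_region() once per region name returned by the describe-regions API; the previous-generation set is fetched per region because not every type is offered everywhere.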

Remediation / Resolution

To upgrade your previous generation Amazon EC2 instances to their latest generation equivalents, perform the following operations:

IMPORTANT: The following procedure assumes that the Amazon EC2 instances selected for reconfiguration (upgrade) are NOT currently used in production or for critical operations. Changing the instance type requires stopping the instance: any data on instance store volumes is lost, the instance is moved to a new host, and the public IPv4 address changes unless an Elastic IP address is attached. Only EBS-backed instances can be stopped and therefore resized, and the guest OS must have the ENA and NVMe drivers that current-generation (Nitro) instance types require.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Change EC2 instance type (new generation type)",
    "Resources": {
        "NewGenerationInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "InstanceType": "c5.large",
                "ImageId": "ami-0abcd1234abcd1234",
                "KeyName": "ssh-key",
                "SubnetId": "subnet-1234abcd",
                "SecurityGroupIds": [ "sg-01234abcd1234abcd" ],
                "BlockDeviceMappings": [
                    {
                        "DeviceName": "/dev/xvda",
                        "Ebs": {
                            "VolumeSize": "30",
                            "VolumeType": "gp2"
                        }
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Change EC2 instance type (new generation type)
Resources:
  NewGenerationInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: c5.large
      ImageId: ami-0abcd1234abcd1234
      KeyName: ssh-key
      SubnetId: subnet-1234abcd
      SecurityGroupIds:
        - sg-01234abcd1234abcd
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: '30'
            VolumeType: gp2

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

resource "aws_instance" "new-generation-instance" {

    ami = "ami-0abcd1234abcd1234"
    # Current-generation type. Changing this value on an existing instance is
    # applied in place: the provider stops, modifies and restarts the instance.
    instance_type = "c5.large"

    lifecycle {
        # Do not replace the instance when the AMI referenced here changes.
        ignore_changes = [ami]
    }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to reconfigure.

05 Click on the Instance state dropdown button from the console top menu and select Stop instance.

06 In the Stop instance? confirmation box, review the instance details, then choose Stop.

07 Once the instance is stopped (i.e. Instance State is set to stopped), click on the Actions dropdown button from the console top menu, select Instance settings, and choose Change instance type.

08 On the Change instance type configuration page, select the equivalent latest generation instance type from the Instance type dropdown list, and choose Apply to resize (upgrade) the selected Amazon EC2 instance. The dropdown only lists instance types that are compatible with the selected instance. If the equivalent latest generation instance type is not available in the list, the recommended latest generation instance type is not compatible with your instance configuration: typical causes are a paravirtual (PV) AMI on an HVM-only type, a 32-bit or mismatched CPU architecture, or an AMI without ENA support on a type that requires it. In that case, migrate the workload to a new instance launched from a compatible AMI instead of resizing in place.

09 Click on the Instance state dropdown button from the console top menu and select Start instance. Once the boot sequence is complete, the Amazon EC2 instance status should change from Pending to Running.

10 Repeat steps no. 4 – 9 for each Amazon EC2 instance that you want to upgrade, available within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run stop-instances command (OSX/Linux/UNIX) to stop the Amazon EC2 instance that you want to reconfigure:

aws ec2 stop-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd

02 The output should return the stop-instances command request metadata:

{
    "StoppingInstances": [
        {
            "InstanceId": "i-01234abcd1234abcd",
            "CurrentState": {
                "Code": 64,
                "Name": "stopping"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

03 Once the instance has reached the stopped state (check with the describe-instances command, or block on it with the ec2 wait instance-stopped subcommand), run modify-instance-attribute command (OSX/Linux/UNIX) to change (upgrade) the instance type for your previous generation Amazon EC2 instance. The request is rejected while the instance is still stopping. The following command example changes the instance type for an EC2 instance, identified by the ID i-01234abcd1234abcd, from c3.large (previous generation) to c5.large (latest generation). If successful, the modify-instance-attribute command request does not produce an output:

aws ec2 modify-instance-attribute \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --instance-type "{\"Value\": \"c5.large\"}"

04 Run start-instances command (OSX/Linux/UNIX) to restart the reconfigured Amazon EC2 instance (it may take a few minutes until the instance enters the running state):

aws ec2 start-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd

05 The output should return the start-instances command request metadata:

{
    "StartingInstances": [
        {
            "InstanceId": "i-01234abcd1234abcd",
            "CurrentState": {
                "Code": 0,
                "Name": "pending"
            },
            "PreviousState": {
                "Code": 80,
                "Name": "stopped"
            }
        }
    ]
}

06 Repeat steps no. 1 – 5 for each Amazon EC2 instance that you want to upgrade (upsize), available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
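The stop, modify and start sequence above fails late if the target type is incompatible with the instance, and a naive script that calls modify-instance-attribute right after stop-instances gets rejected because the instance is still stopping. The following Python script is an added example, not code from the Conformity page or from Trend Micro: check_resize() compares a describe-instances record with a describe-instance-types record and lists the blockers the EC2 API can reveal (virtualization type, CPU architecture, ENA requirement, root device type), and resize_instance() runs the same three API calls as the CLI steps with boto3 waiters in between. The sample instance and instance-type records below are constructed and the IDs are not real; resize_instance() performs real, disruptive API calls and needs boto3 and credentials.

```python
"""Added example (not Conformity's own code): pre-flight checks and the
stop / modify / start sequence from the CLI steps above, done with boto3.

The EC2 API exposes most of the reasons a resize is refused. It cannot tell
you whether the guest OS has the NVMe and ENA drivers installed, so that
remains a manual check before touching a Nitro-based target type.
"""
from typing import List


def check_resize(instance: dict, target: dict) -> List[str]:
    """Compare a DescribeInstances record with a DescribeInstanceTypes record.

    Returns human-readable blockers; an empty list means the resize is
    expected to succeed at the API level.
    """
    blockers: List[str] = []
    name = target["InstanceType"]

    if instance.get("State", {}).get("Name") == "terminated":
        blockers.append("instance is terminated")
    if instance.get("RootDeviceType") != "ebs":
        # Instance-store-backed instances cannot be stopped, hence not resized.
        blockers.append("root device is not EBS; instance cannot be stopped")
    if target.get("CurrentGeneration") is False:
        blockers.append(f"{name} is itself a previous-generation type")
    virt = instance.get("VirtualizationType")
    if virt not in target.get("SupportedVirtualizationTypes", []):
        blockers.append(f"{name} does not support {virt} virtualization")
    arch = instance.get("Architecture")
    supported_arch = target.get("ProcessorInfo", {}).get("SupportedArchitectures", [])
    if arch not in supported_arch:
        blockers.append(f"{name} does not run {arch} AMIs")
    ena = target.get("NetworkInfo", {}).get("EnaSupport")
    if ena == "required" and not instance.get("EnaSupport", False):
        blockers.append(f"{name} requires ENA but the instance has ENA support disabled")
    # Nitro types expose EBS volumes as NVMe; the API cannot confirm the guest
    # has the driver, so verify that in the OS before resizing.
    return blockers


def resize_instance(ec2, instance_id: str, new_type: str) -> str:
    """Stop, change the type, start, and return the final instance state.

    `ec2` is a boto3 EC2 client. The waiters replace hand-written polling:
    ModifyInstanceAttribute is rejected while the instance is still stopping.
    """
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  InstanceType={"Value": new_type})
    ec2.start_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    return desc["Reservations"][0]["Instances"][0]["State"]["Name"]


# Constructed records shaped like the two API responses (not real instances).
SAMPLE_INSTANCE_HVM_ENA = {
    "InstanceId": "i-01234abcd1234abcd", "InstanceType": "c3.large",
    "State": {"Name": "running"}, "RootDeviceType": "ebs",
    "VirtualizationType": "hvm", "Architecture": "x86_64", "EnaSupport": True,
}
SAMPLE_INSTANCE_PV = {
    "InstanceId": "i-0abcd1234abcd1234", "InstanceType": "m1.small",
    "State": {"Name": "stopped"}, "RootDeviceType": "ebs",
    "VirtualizationType": "paravirtual", "Architecture": "x86_64",
}
SAMPLE_TARGET_C5 = {
    "InstanceType": "c5.large", "CurrentGeneration": True,
    "SupportedVirtualizationTypes": ["hvm"],
    "ProcessorInfo": {"SupportedArchitectures": ["x86_64"]},
    "NetworkInfo": {"EnaSupport": "required"},
}

if __name__ == "__main__":
    for inst in (SAMPLE_INSTANCE_HVM_ENA, SAMPLE_INSTANCE_PV):
        print(inst["InstanceId"], check_resize(inst, SAMPLE_TARGET_C5) or "OK")
```

In a live run, fetch the instance record with describe_instances and the target record with describe_instance_types(InstanceTypes=[new_type]), call check_resize(), and only call resize_instance() when the blocker list is empty.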

Publication date Apr 20, 2016
