EC2 Instance Detailed Monitoring

Risk Level: Low (generally tolerable level of risk)

Rule ID: EC2-058

Ensure that detailed monitoring is enabled for your Amazon EC2 instances in order to have enough monitoring data to help you make better decisions on architecting and managing compute resources within your AWS cloud account. By default, whenever an EC2 instance is launched, AWS CloudWatch enables basic monitoring for that instance. The basic monitoring level collects monitoring data in 5-minute periods. To increase this level and make the monitoring data available at 1-minute periods or less, you must specifically enable detailed monitoring for your instance(s). With detailed monitoring, you can also get aggregated data across groups of similar instances.

This rule can help you with the following compliance standards:

NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Performance
efficiency

Operational
excellence

Sustainability

With detailed monitoring enabled, you would be able to manage better your Amazon EC2 resources. For example, you could upgrade or downgrade faster the instance type based on its workload, get trends that you might not be able to see with the basic monitoring tools, and create AWS CloudWatch alarms for time periods of 1 minute and take advantage of notifying you earlier for any EC2 instance issues.

Note: It's recommended to enable detailed monitoring only for the EC2 instances that you need to monitor closely (e.g. critical and production instances), therefore the exceptions can be suppressed on the Trend Micro Cloud One™ – Conformity console.

Audit

To determine if detailed monitoring is enabled for your Amazon EC2 instances, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console bottom panel to access the instance configuration details.

06 In the Instance details section, check the Monitoring configuration attribute value. If the configuration attribute value is set to disabled, the selected Amazon EC2 instance is not configured with detailed monitoring.

07 Repeat steps no. 4 – 6 to check the Detailed Monitoring feature status for other Amazon EC2 instances available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances running within the selected AWS cloud region:

aws ec2 describe-instances
  --region us-east-1
  --filters Name=instance-state-name,Values=running
  --output table
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcd1234abcd1234  |
|  i-0abcdabcdabcdabcd  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to describe the Detailed Monitoring feature status available for the selected EC2 instance:

aws ec2 describe-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd
  --query 'Reservations[*].Instances[*].Monitoring.State[]'

04 The command output should return the requested feature status (enabled if detailed monitoring is enabled or disabled if the feature is turned off):

[
    "disabled"
]

If the describe-instances command output returns "disabled", as shown in the example above, the selected Amazon EC2 instance is not configured with detailed monitoring.

05 Repeat step no. 3 and 4 to verify the Detailed Monitoring feature status for other Amazon EC2 instances available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To enable Detailed Monitoring for your existing Amazon EC2 instances, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable Detailed Monitoring for EC2 Instances",
    "Resources": {
        "AWSEC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-0abcd1234abcd1234",
                "InstanceType": "t3.micro",
                "KeyName": "ssh-key",
                "SubnetId": "subnet-abcd1234",
                "SecurityGroupIds": [
                    "sg-01234abcd1234abcd"
                ],
                "Monitoring": true
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
    Description: Enable Detailed Monitoring for EC2 Instances
    Resources:
        AWSEC2Instance:
        Type: AWS::EC2::Instance
        Properties:
            ImageId: ami-0abcd1234abcd1234
            InstanceType: t3.micro
            KeyName: ssh-key
            SubnetId: subnet-abcd1234
            SecurityGroupIds:
            - sg-01234abcd1234abcd
            Monitoring: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

resource "aws_instance" "aws-ec2-instance" {

    ami = "ami-0abcd1234abcd1234"
    instance_type = "t3.micro"
    key_name = "ssh-key"
    subnet_id = "subnet-abcd1234"
    vpc_security_group_ids = [ "sg-01234abcd1234abcd" ]

    # Enable Detailed Monitoring
    monitoring = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to reconfigure (see Audit section part I to identify the right EC2 resource).

05 Click on the Actions dropdown button from the console top menu, choose Monitor and troubleshoot, and select Manage detailed monitoring.

06 On the Detailed monitoring configuration page, select the Enable checkbox available under Detailed monitoring to enable the feature. Choose Save to apply the changes. After you enable Detailed Monitoring, the Amazon EC2 console displays monitoring graphs with a 1-minute period for the selected instance. For the Amazon EC2 instances where you've enabled Detailed Monitoring, you can also get aggregated data across groups of similar instances. Enabling Detailed Monitoring on an EC2 instance does not affect the monitoring of the EBS volumes attached to that instance.

07 Repeat steps no. 4 – 6 to increase the monitoring level for other Amazon EC2 instances provisioned within the current AWS region, by enabling the Detailed Monitoring feature.

08 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run monitor-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource), to enable Detailed Monitoring for the selected EC2 instance:

aws ec2 monitor-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd

02 The output should return the monitor-instances command request metadata:

{
    "InstanceMonitorings": [
        {
            "InstanceId": "i-01234abcd1234abcd",
            "Monitoring": {
                "State": "pending"
            }
        }
    ]
}

03 Run describe-instances command (OSX/Linux/UNIX) to verify if the Detailed Monitoring feature was successfully enabled for the selected Amazon EC2 instance:

aws ec2 describe-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd
  --query 'Reservations[*].Instances[*].Monitoring.State[]'

04 The command output should return the current feature state. If the state returned by the describe-instances command output is "enabled", the feature was successfully enabled:

[
    "enabled"
]

05 Repeat steps no. 1 – 4 to increase the monitoring level for other Amazon EC2 instances launched in the selected AWS region, by enabling the Detailed Monitoring feature.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

AWS Documentation
Monitoring Amazon EC2
Monitoring Your Instances Using CloudWatch
Enable or Turn Off Detailed Monitoring for Your Instances

AWS Command Line Interface (CLI) Documentation
ec2
describe-instances
monitor-instances

CloudFormation Documentation
Amazon Elastic Compute Cloud resource type reference

Terraform Documentation
AWS Provider

Publication date Sep 18, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

EC2 Instance Detailed Monitoring

Risk Level: Low

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related EC2 rules