Logo of Trend Micro

EC2 Instance Detailed Monitoring

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: EC2-058

Ensure that detailed monitoring is enabled for your Amazon EC2 instances in order to have enough monitoring data to help you make better decisions on architecting and managing compute resources within your AWS account. By default, whenever an EC2 instance is launched, AWS CloudWatch enables basic monitoring for that instance. The basic monitoring level collects monitoring data in 5 minute periods. To increase this level and make the monitoring data available at 1-minute periods, you must specifically enable it for your instance(s). With detailed monitoring, you can also get aggregated data across groups of similar EC2 instances.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Reliability
Performance
efficiency
Operational
excellence

With detailed monitoring enabled, you would be able manage better your EC2 resources. For example, you would be able to upgrade or downgrade faster the instance type based on its workload, get trends that you might possibly not be able to see with the basic monitoring and create CloudWatch alarms for time periods of 1 minute and take advantage of notifying you earlier on instead of waiting for a 5 minute period.

Note: It is recommended to enable detailed monitoring only for the instances that you need to monitor closely (e.g. critical and production instances), therefore the exceptions can be suppressed on Cloud Conformity dashboard.

Audit

To determine if your AWS EC2 instances have the detailed monitoring feature enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine.

05 Select the Description tab from the dashboard bottom panel.

06 Verify the Monitoring attribute value to determine the level of CloudWatch monitoring enabled for the instance. If the attribute value is set to basic, the selected AWS EC2 instance does not have the detailed monitoring feature enabled.

07 Repeat steps no. 4 – 6 to verify the monitoring level for other EC2 instances that you need to monitor closely, provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all active (running) EC2 instances available within the selected region: 

aws ec2 describe-instances
	--region us-east-1
	--filters Name=instance-state-name,Values=running
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs: 

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01e7ff864132bd9d2  |
|  i-04a5346e07e942b47  |
+-----------------------+

03 Execute again describe-instances command (OSX/Linux/UNIX) using the ID of the instance that you need to monitor closely as identifier and custom filtering to check whether detailed monitoring feature is enabled or not for the selected EC2 instance: 

aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-01e7ff864132bd9d2
	--query 'Reservations[*].Instances[*].Monitoring.State[]'

04 The command output should return the feature status (enabled if detailed monitoring is enabled or disabled if the feature is turned off): 

[
    "disabled"
]

If the command output returns "disabled" (as shown in the example above), the detailed monitoring feature is disabled for the selected AWS EC2 instance.

05 Repeat step no. 3 and 4 to verify the monitoring level for other EC2 instances that you need to monitor closely, available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.

Remediation / Resolution

To enable detailed monitoring for your existing Amazon EC2 instances, perform the following commands:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want monitor closely (see Audit section part I to identify the right resource).

05 Click Actions button from the dashboard top menu, select CloudWatch Monitoring, then click Enable Detailed Monitoring.

06 Inside Enable Detailed Monitoring dialog box, review the action details and click Yes, Enable to confirm the action.

07 Click Close to return to the EC2 dashboard.

08 Repeat steps no. 4 – 7 to increase the monitoring level for other EC2 instances provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run monitor-instances command (OSX/Linux/UNIX) using the instance ID as identifier (see Audit section part II to identify the right resource) to enable detailed monitoring for the selected AWS EC2 instance: 

aws ec2 monitor-instances
	--region us-east-1
	--instance-ids i-01e7ff864132bd9d2

02 The command output should return the metadata of the request sent to enable the feature: 

{
  "InstanceMonitorings": [
      {
          "InstanceId": "i-01e7ff864132bd9d2",
          "Monitoring": {
              "State": "pending"
          }
      }
  ]
}

03 Run describe-instances command (OSX/Linux/UNIX) to verify if the detailed monitoring feature was successfully enabled for the selected EC2 instance: 

aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-01e7ff864132bd9d2
	--query 'Reservations[*].Instances[*].Monitoring.State[]'

04 The command output should return the detailed monitoring status for the selected EC2 instance. If the value output returned is "enabled", the feature is currently enabled: 

[
    "enabled"
]

05 Repeat steps no. 1 – 4 to increase the monitoring level to detailed for other EC2 instances provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Sep 18, 2017

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

EC2 Instance Detailed Monitoring

Risk level: Low