Logo of Trend Micro

Underutilized EC2 Instance

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: EC2-055

Identify any Amazon EC2 instances that appear to be underutilized and downsize (resize) them to help lower the cost of your monthly AWS bill. By default, an EC2 instance is considered "underutilized" when matches the following criteria (to declare the instance "underutilized" both conditions must be met):

  • The average CPU utilization has been less than 60% for the last 7 days.
  • The average memory utilization has been less than 60% for the last 7 days. By default, AWS CloudWatch can`t record an EC2 instance memory utilization because the necessary metric cannot be implemented at the hypervisor level, therefore to be able to report the memory utilization using CloudWatch you need to install an agent (script) on the instance that you want to monitor and create a custom metric (we`ll name it EC2MemoryUtilization) on the AWS CloudWatch dashboard. The instructions required for installing the monitoring agent, based on the Operating System used by the instance, are available at this URL.

Note: You can change the default threshold values for this rule on the Cloud Conformity console and set your own values for the CPU (percent) and memory utilization (percent) for each condition to configure a custom underuse level for your EC2 instances. You can also change the default name for the memory utilization metric (i.e. EC2MemoryUtilization) and use a custom name for this metric. The console also provides information about each EC2 instance marked as underutilized, details such as region, ID, instance type, launch time, operating system and more in order to help you perform the EC2 right-sizing analysis.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Cost
optimisation

Downsizing underutilized EC2 instances to meet the capacity needs at the lowest cost represents an efficient strategy to reduce your monthly AWS costs. For example, resizing a c4.xlarge-type EC2 instance provisioned in the US-East (N. Virginia) region to a c4.large-type instance due to CPU and memory underuse, you can roughly save $72 per month (as of March 2017).

Audit

To identify any underused EC2 instances provisioned within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine.

05 Select the Monitoring tab from the dashboard bottom panel.

06 Within the CloudWatch metrics section, perform the following actions:

  1. Click on the CPU Utilization (Percent) usage graph thumbnail to open the instance CPU usage details box. Inside the CloudWatch Monitoring Details dialog box, set the following parameters:
    • From the Statistic dropdown list, select Average.
    • From the Time Range list, select Last 1 Week.
    • From the Period dropdown list, select 1 Hour.
  2. Once the monitoring data is loaded, verify the instance CPU usage for the last 7 days. If the average usage (percent) has been less than 60%, e.g. Cloudwatch Monitoring Details, the selected EC2 instance qualifies as candidate for the underused instance. Click X (close) to return to the dashboard.

07 Now determine the EC2 instance memory utilization by reading the EC2MemoryUtilization metric data reported by the CloudWatch agent (Perl script) installed on the selected EC2 instance (this rule assumes that the script has been successfully installed and it has returned memory usage data in the past 7 days). To verify the instance memory usage reported by the custom CloudWatch metric, perform the following actions:

  1. Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.
  2. In the navigation panel, select Metrics to access your existing Cloudwatch metrics.
  3. Choose All metrics tab from the dashboard bottom panel, click Linux System then select InstanceId to list any custom metrics installed on your EC2 instances.
  4. Select the right EC2 instance from the list (see Audit section part I, step no. 4), click the Action dropdown button from the dashboard top-right menu then choose Add to dashboard option.
  5. On Add to dashboard dialog box, perform the following:
    • Under Select a dashboard, click Create new button and provide a unique name for the new dashboard inside the Dashboard name box.
    • Within Select a widget type section, choose Number.
    • Review the settings then click Add to dashboard to create the required Cloudwatch dashboard and redirect to Dashboards page.
  6. Click the Custom dropdown button from the dashboard top-right menu, select Relative then choose the 1 Weeks option to return the data recorded in the past week.
  7. Once the monitoring data is available within the widget, verify the instance memory usage for the last 7 days. If the average usage (percent) has been less than 60%, e.g. If the average usage (percent) has been less than 60%, the selected EC2 instance qualifies as candidate for the underused instance.

    8. If the rule conditions are met, based on the usage data outlined at step no. 6 and 7, the selected AWS EC2 instance is considered "underutilized" and can be safely downsized in order to stop incurring charges for the EC2 compute resources that you don’t use.

08 Repeat steps no. 4 – 7 to verify the CPU and memory usage data available in the last 7 days for the rest of the EC2 instances provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using necessary filtering to list the IDs of all active (running) EC2 instances provisioned in the selected region: 

aws ec2 describe-instances
	--region us-east-1
	--filters Name=instance-state-name,Values=running
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs: 

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-05fcff864132bd9c5  |
|  i-03a5346e06d942b47  |
|  i-0bd4dfa00d01f7c19  |
+-----------------------+

03 Run get-metric-statistics command (OSX/Linux/UNIX) to get the statistics recorded by AWS CloudWatch for the CPUUtilization metric representing the CPU usage of the selected EC2 instance. The following command example returns the average CPU utilization for an EC2 instance identified by the ID i-05fcff864132bd9c5, usage data captured during a 7-day time frame, using a time interval of 1 hour as the granularity for the returned datapoints: 

aws cloudwatch get-metric-statistics
	--region us-east-1
	--metric-name CPUUtilization
	--start-time 2017-03-04T17:21:00
	--end-time 2017-03-11T17:21:00
	--period 3600
	--namespace AWS/EC2
	--statistics Average
	--dimensions Name=InstanceId,Value=i-05fcff864132bd9c5

04 The command output should return the CPU usage details requested: 

{
    "Datapoints": [
        {
            "Timestamp": "2017-03-04T17:21:00Z",
            "Average": 3.2085,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-03-04T18:21:00Z",
            "Average": 4.033499999999999995,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-03-04T19:21:00Z",
            "Average": 1.10425,
            "Unit": "Percent"
        },

        ...

        {
            "Timestamp": "2017-03-11T15:21:00Z",
            "Average": 2.030999999999999993,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-03-11T16:21:00Z",
            "Average": 2.02833333333333333,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-03-11T17:21:00Z",
            "Average": 3.02783333333333333,
            "Unit": "Percent"
        }
    ],
    "Label": "CPUUtilization"
}

If the average CPU usage data returned is less than 60%, the selected EC2 instance qualifies as candidate for the underused instance.

05 Determine the EC2 instance memory usage by querying the EC2MemoryUtilization metric data (or whatever name you have used for your custom metric) reported by the CloudWatch script installed on the selected EC2 instance (this rule assumes that the script has been successfully installed and it has recorded memory usage data within the past 7 days). To verify the instance memory usage reported by your custom CloudWatch metric, run get-metric-statistics command (OSX/Linux/UNIX) using the metric name as identifier. The following command example returns the average memory utilization for an EC2 instance identified by the ID i-05fcff864132bd9c5, from the usage data captured by a CloudWatch metric named EC2MemoryUtilization, during a 7-day time frame, using a time interval of 1 hour as the granularity for the returned datapoints: 

aws cloudwatch get-metric-statistics
	--region us-east-1
	--metric-name EC2MemoryUtilization
	--start-time 2017-03-04T17:25:00
	--end-time 2017-03-11T17:25:00
	--period 3600
	--namespace AWS/EC2
	--statistics Average
	--dimensions Name=InstanceId,Value=i-05fcff864132bd9c5

06 The command output should return the memory usage details requested: 

{
    "Datapoints": [
        {
            "Timestamp": "2017-03-04T17:25:00Z",
            "Average": 5.2085,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-03-04T18:25:00Z",
            "Average": 6.033499999999999995,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-03-04T19:25:00Z",
            "Average": 6.10425,
            "Unit": "Percent"
        },

        ...

        {
            "Timestamp": "2017-03-11T15:25:00Z",
            "Average": 9.030999999999999993,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-03-11T16:25:00Z",
            "Average": 9.02833333333333333,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-03-11T17:25:00Z",
            "Average": 9.35783333333333333,
            "Unit": "Percent"
        }
    ],
    "Label": "EC2MemoryUtilization"
}

If the average memory utilization data returned is less than 60%, the selected EC2 instance qualifies as candidate for the underused instance.
If the usage data returned at steps no. 3 - 6 satisfy the conditions set by the conformity rule (i.e. average CPU and memory usage less than 60%), the selected EC2 instance is considered "underutilized" and should be downsized in order to reduce your AWS EC2 usage costs.

07 Repeat steps no. 3 – 6 to verify the required CPU and memory usage data for the rest of the EC2 instances available within the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the entire audit process for other regions.

Remediation / Resolution

Option 1: Downsize (resize) the underused EC2 instances provisioned within your AWS account. To resize any EC2 instance that is currently running in "underutilized" mode, perform the following commands:

(!) Important note: the following process assumes that the EC2 instances selected for downsize are NOT currently used in production or for critical operations. To resize production instances without any downtime, you should create a snapshot of your current image and launch a new instance from that snapshot using the required instance type.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, choose Instances.

04 Select the underused EC2 instance that you want to resize (see Audit section part I to identify the right resource).

05 Click Actions button from the dashboard top menu, select Instance State, then select Stop.

06 Inside the Stop Instances dialog box, review the action details and click Yes, Stop to confirm the action.

07 Once the instance is stopped (i.e. Instance State set to stopped), use again the Actions button from the dashboard top menu, select Instance Settings, then select Change Instance Type.

08 In the Change Instance Type dialog box, perform the following:

  1. From the Instance Type dropdown list, select the instance type to downsize to (e.g. c4.large – see EC2 Instance Types page available at this URL to help you choose the right instance type).
  2. (Optional) Select EBS-optimized to enable EBS optimization or deselect EBS-optimized to disable EBS optimization. This feature provides dedicated throughput to your AWS EBS volumes for best I/O performance (additional charges apply).
  3. Click Apply to resize the selected instance.

09 Now click Actions button from the dashboard top menu, select Instance State, then select Start.

10 In the Start Instances dialog box, click Yes, Start to restart the instance. Once the booting process is complete, the EC2 instance status should change from pending to running (this may take few minutes).

11 Repeat steps no. 4 - 10 to downsize (resize) any other underutilized EC2 instances provisioned in the current region.

12 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run stop-instances command (OSX/Linux/UNIX) using the resource ID as identifier to stop the underused EC2 instance that you want to resize (see Audit section part II to identify the right instance): 

aws ec2 stop-instances
	--region us-east-1
	--instance-ids i-05fcff864132bd9c5

02 The command output should return the stop request metadata: 

{
    "StoppingInstances": [
        {
            "InstanceId": "i-05fcff864132bd9c5",
            "CurrentState": {
                "Code": 64,
                "Name": "stopping"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

03 Once the instance is stopped (should take one minute), run modify-instance-attribute command (OSX/Linux/UNIX) to resize the selected EC2 instance to the desired type. The following command example downsize an EC2 instance identified by the ID i-05fcff864132bd9c5 by resizing it from a c4.xlarge-type instance to a c4.large-type instance. If successful, no output is returned: 

aws ec2 modify-instance-attribute
	--region us-east-1
	--instance-id i-05fcff864132bd9c5
	--instance-type "{\"Value\": \"c4.large\"}"

04 Run start-instances command (OSX/Linux/UNIX) to restart the EC2 instance resized at the previous step (it may take few minutes until the instance enters the running state): 

aws ec2 start-instances
	--region us-east-1
	--instance-ids i-05fcff864132bd9c5

05 The command output should return the start request information: 

{
    "StartingInstances": [
        {
            "InstanceId": "i-05fcff864132bd9c5",
            "CurrentState": {
                "Code": 0,
                "Name": "pending"
            },
            "PreviousState": {
                "Code": 80,
                "Name": "stopped"
            }
        }
    ]
}

06 Repeat steps no. 1 - 5 to downsize (resize) any other underused EC2 instances available within the current region.

07 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Option 2: Disable the rule check. If the selected underused EC2 instance configuration must remain unchanged (some workload scenarios can result in low resource utilization by design), you should turn off the conformity rule check for the specified instance from the Cloud Conformity console.

References

Publication date Mar 13, 2017

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Underutilized EC2 Instance

Risk level: High