Trusted Advisor Service Limits

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: TrustedAdvisor-001

Monitor Service Limits to ensure that the allocation of resources in your AWS account is not reaching the limit set by Amazon, in order to avoid resource starvation. Cloud Conformity makes use of the Amazon Trusted Advisor API to constantly check your account for service limits across multiple AWS products.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency
Service Limits checks can help you avoid resource starvation within your AWS environment, allowing you to expand your AWS infrastructure quickly.
The following table shows the service limits supported by AWS Trusted Advisor:

AWS Elastic Block Store (EBS)
  • Active volumes
  • Active snapshots
  • General Purpose (SSD) volume storage (GiB)
  • Provisioned IOPS
  • Provisioned IOPS (SSD) volume storage (GiB)
  • Magnetic volume storage (GiB)

AWS Relational Database Service (RDS)
  • Clusters
  • Cluster parameter groups
  • Cluster roles
  • DB instances
  • DB parameter groups
  • DB security groups
  • DB snapshots per user
  • Event subscriptions
  • Max auths per security group
  • Option groups
  • Read replicas per master
  • Reserved Instances
  • Storage quota (GiB)
  • Subnet groups
  • Subnets per subnet group

AWS Simple Email Service (SES)
  • Daily sending quota

AWS Virtual Private Cloud (VPC)
  • Elastic IP addresses (EIPs)
  • Internet gateways
  • VPCs

Auto Scaling
  • Auto Scaling groups
  • Launch configurations

AWS CloudFormation
  • Stacks

Elastic Load Balancing (ELB)
  • Active load balancers

Identity and Access Management (IAM)
  • Groups
  • Instance profiles
  • Policies
  • Roles
  • Server certificates
  • Users

Note 1: As an example, this conformity rule will demonstrate how to audit and remediate an EC2 Elastic IP address (EIP) service limit detected using Amazon Trusted Advisor.
Note 2: You can change the severity level (Very High, High, Medium, Low) for this rule on the Cloud Conformity dashboard.


Audit

To check AWS Service Limits with Amazon Trusted Advisor, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Trusted Advisor dashboard at .

03 In the left navigation panel choose Performance, then click the Refresh button to refresh the performance checks.

04 Click on the Service Limits tab to expand the details panel and verify the Service Limits status for all supported AWS resources listed on the panel. Any resource marked with the Warning icon has a usage that is more than 80% of its service limit. In this case the limit reached is for VPC Elastic IP addresses (EIPs). To request an increase for the discovered service limit, see the Remediation/Resolution section.

Using AWS CLI

01 Run the describe-trusted-advisor-checks command (OSX/Linux/UNIX) using custom query filters to get the unique ID of the AWS Service Limits check available for the selected region (the Trusted Advisor API is served from us-east-1, and --output text returns the bare ID):

aws support describe-trusted-advisor-checks \
	--region us-east-1 \
	--language en \
	--query "checks[?category=='service_limits'].id" \
	--output text

02 The command output should return the requested Trusted Advisor check ID:

f0725XTWY70

03 Run the refresh-trusted-advisor-check command (OSX/Linux/UNIX) using the Service Limits check ID returned at the previous step as identifier to request a refresh of the Trusted Advisor check (the command does not produce an output):

aws support refresh-trusted-advisor-check \
	--region us-east-1 \
	--check-id f0725XTWY70

04 Now run the describe-trusted-advisor-check-refresh-statuses command (OSX/Linux/UNIX) using custom query filters and the same check ID as identifier to return the refresh request status of the selected AWS Trusted Advisor check:

aws support describe-trusted-advisor-check-refresh-statuses \
	--region us-east-1 \
	--check-id f0725XTWY70 \
	--query 'statuses[*].status'

05 The command output should return the check refresh request status. If the refresh request is complete, the status returned should be "success":

[
    "success"
]

06 Run the describe-trusted-advisor-check-result command (OSX/Linux/UNIX) using custom query filtering and sorting to return the resource limit data available for the selected AWS Service Limits check (only resources whose status is not "ok" are listed, sorted by limit name):

aws support describe-trusted-advisor-check-result \
	--region us-east-1 \
	--language en \
	--check-id f0725XTWY70 \
	--query 'result.sort_by(flaggedResources[?status!=`ok`],&metadata[2])[].metadata' \
	--output table

07 The command output should return a table with the data for the selected Amazon Trusted Advisor check. The 4th column should display the limit amount, the 5th column the current usage for the resource and the 6th column should return the alert status of the check, i.e. "ok" (Green), "warning" (Yellow), "error" (Red) or "Not_available":

----------------------------------------------------------------------
|                  DescribeTrustedAdvisorCheckResult                 |
+-----------+-----+---------------------------------+---+---+--------+
| us-east-1 | EC2 | VPC Elastic IP addresses (EIPs) | 5 | 5 | Yellow |
+-----------+-----+---------------------------------+---+---+--------+

If the check status displayed in the 6th column returned at the previous step is Red or Yellow (as shown in the example above), the Service Limits check indicates that the AWS resource found has a usage greater than 80% of its limit. In this case the limit reached is for AWS VPC Elastic IP addresses (EIPs).
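The evaluation that steps 06 and 07 perform by eye (read the limit from the 4th metadata column, the usage from the 5th, flag anything over 80%, sort by limit name) can be scripted against the JSON that describe-trusted-advisor-check-result returns. The following is an added example, not Conformity's or AWS's code; the payload is constructed inline in the shape of that API response and is not captured from a real account.

```python
import json

# Constructed sample payload mirroring the shape of
# `aws support describe-trusted-advisor-check-result` output (not from a real account).
SAMPLE_RESULT = json.loads("""
{"result": {"checkId": "f0725XTWY70", "status": "warning", "flaggedResources": [
  {"status": "ok", "region": "us-east-1",
   "metadata": ["us-east-1", "VPC", "VPCs", "5", "1", "Green"]},
  {"status": "warning", "region": "us-east-1",
   "metadata": ["us-east-1", "EC2", "VPC Elastic IP addresses (EIPs)", "5", "5", "Yellow"]},
  {"status": "error", "region": "us-east-1",
   "metadata": ["us-east-1", "IAM", "Roles", "1000", "1000", "Red"]},
  {"status": "ok", "region": "us-east-1",
   "metadata": ["us-east-1", "RDS", "DB instances", "40", "32", "Green"]},
  {"status": "not_available", "region": "us-east-1",
   "metadata": ["us-east-1", "SES", "Daily sending quota", null, null, "Not_available"]}
]}}
""")

USAGE_THRESHOLD = 0.80  # Trusted Advisor flags a limit once usage exceeds 80%


def limits_at_risk(result, threshold=USAGE_THRESHOLD):
    """Return (region, service, limit name, limit, usage, usage ratio) for every
    limit whose usage is above `threshold`, sorted by limit name exactly like the
    sort_by(..., &metadata[2]) query in step 06. Exactly 80% is not flagged."""
    rows = []
    for res in result["result"]["flaggedResources"]:
        region, service, name, limit, usage = res["metadata"][:5]
        # Limits Trusted Advisor could not evaluate carry null / "Not_available".
        if limit in (None, "", "Not_available") or usage in (None, ""):
            continue
        limit_v, usage_v = float(limit), float(usage)
        if limit_v <= 0:
            continue
        ratio = usage_v / limit_v
        if ratio > threshold:
            rows.append((region, service, name, int(limit_v), int(usage_v), ratio))
    return sorted(rows, key=lambda r: r[2])


def check_passes(result):
    """Rule verdict: fail if any resource is Yellow or Red (API status
    "warning"/"error"); "not_available" rows are not treated as failures."""
    return not any(r["status"] in ("warning", "error")
                   for r in result["result"]["flaggedResources"])


if __name__ == "__main__":
    for region, svc, name, limit, usage, ratio in limits_at_risk(SAMPLE_RESULT):
        print("%-10s %-4s %-35s %5d/%-5d %4.0f%%" % (region, svc, name, usage, limit, ratio * 100))
    print("PASS" if check_passes(SAMPLE_RESULT) else "FAIL")
```

To run it against a live account, pipe the step 06 command (without --query and --output table) into json.load and pass the result to the two functions.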

Remediation / Resolution

To request an increase for the VPC Elastic IP (EIP) limit, you need to perform the following actions:

Note: Requesting to increase the limit for the number of Elastic IPs per region using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center page at http://aws.amazon.com/contact-us/eip_limit_request/.

03 On the Create Case support page, perform the following:

  1. Under the Regarding section, select Service Limit Increase.
  2. Choose Elastic IPs from the Limit Type dropdown list as the type of limit to increase.
  3. In the Request <number> section, perform the following actions:
    1. Select the AWS region where an EIP limit increase is required from the Region dropdown list.
    2. Select New VPC Elastic IP Address Limit from the Limit dropdown list.
    3. In the New limit value box, enter the new EIP limit value to request for the selected region.
  4. If you need to add multiple limit requests (e.g. for other AWS regions), click the Add another request button to add as many requests as needed.
  5. In the Use Case Description textbox, describe your use case so that AWS Support can evaluate your request faster and understand your need for additional EIPs.
  6. Under Contact method, select the preferred contact method that the AWS Support team can use to respond to your request.
  7. Click Submit to send the limit request. A customer support representative will contact you shortly. Once the request is approved, you will be able to allocate new VPC Elastic IP addresses (EIPs) within the specified AWS regions.

Publication date May 2, 2017