
EC2 Instance Distribution Across Availability Zones


Risk Level: Medium (should be achieved)

Ensure that your Amazon EC2 instances are spread across all Availability Zones (AZs) within an AWS cloud region in order to maintain reliability in the event of a service disruption.

Reliability

Having a balanced distribution of Amazon EC2 instances across all AZs in a region improves the availability and reliability of your applications in case of a planned or unplanned service disruption. As the account owner and/or administrator, you should make sure that no Availability Zone houses 50% fewer instances than any other AZ. An example of even and uneven compute distribution within an AWS region is provided in the table below, where the Asia Pacific (Sydney) region and its Availability Zones are used for demonstration:

Even Distribution                            Uneven Distribution
Availability Zone    Number of Instances     Availability Zone    Number of Instances
ap-southeast-2a      10                      ap-southeast-2a      10
ap-southeast-2b      11                      ap-southeast-2b      9
ap-southeast-2c      12                      ap-southeast-2c      2

Audit

To determine if your Amazon EC2 instances are distributed evenly across AZs within each AWS region, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Click inside the Find Instance by attribute or tag (case-sensitive) box located under Instances, choose Availability Zone, select Equals from Operators, and choose one of the Availability Zones (AZs) available in the list. This filter shows how many Amazon EC2 instances are deployed in the selected Availability Zone. Repeat this step for each of the other AZs in the Availability Zone list and note the number of EC2 instances returned for each zone. If the number of instances is not evenly distributed across all the Availability Zones (AZs) within the selected AWS region, the reliability of the cloud applications running on these instances can be affected in the event of an Amazon EC2 service disruption.

05 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the Amazon EC2 instances provisioned within the us-east-1a Availability Zone, in the US East (N. Virginia) region:

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=availability-zone,Values=us-east-1a" \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested EC2 instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcabcabc1234567  |
|  i-01234567dabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Repeat steps no. 1 and 2 for each Availability Zone (AZ) in the selected AWS cloud region. The describe-instances command output should return the IDs of the Amazon EC2 instances provisioned within each AZ. If the number of EC2 instances is not evenly distributed across all the Availability Zones within the selected AWS region, the reliability of the cloud applications running on these instances can be affected in the event of an Amazon EC2 service disruption.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
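The Audit steps above count instances one AZ at a time and leave the "50% fewer" comparison to the reader. The following added example (not Conformity's own code) does the same from the JSON of a single describe-instances call plus the region's AZ list from describe-availability-zones, so AZs with no instances are counted too; it reads "50% fewer" as at most half of the fullest AZ's count, ignores terminated instances, and uses constructed sample data.

```python
"""Check whether EC2 instances are evenly spread across Availability Zones."""

# Instance states that no longer occupy capacity in an AZ; they are skipped so
# that instances terminated during remediation do not distort the count
# (assumption: the page does not say which instance states it counts).
IGNORED_STATES = {"terminated", "shutting-down"}


def count_by_az(describe_instances_output, az_names):
    """Return {AZ name: instance count}, covering every AZ in az_names.

    describe_instances_output is the parsed JSON of
    `aws ec2 describe-instances --region <region>`; az_names is the list of
    AZ names from `aws ec2 describe-availability-zones`, so AZs that hold
    zero instances still appear in the result.
    """
    counts = {az: 0 for az in az_names}
    for reservation in describe_instances_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            if instance.get("State", {}).get("Name") in IGNORED_STATES:
                continue
            az = instance["Placement"]["AvailabilityZone"]
            counts[az] = counts.get(az, 0) + 1
    return counts


def find_uneven_azs(counts):
    """Return, sorted, the AZs housing 50% fewer instances than the fullest AZ.

    "50% fewer" is read as: at most half of the fullest AZ's count. A region
    with no instances at all has nothing to balance and passes.
    """
    fullest = max(counts.values(), default=0)
    if fullest == 0:
        return []
    return sorted(az for az, n in counts.items() if 2 * n <= fullest)


def _instance(instance_id, az, state="running"):
    """Minimal describe-instances record (constructed sample data)."""
    return {"InstanceId": instance_id, "State": {"Name": state},
            "Placement": {"AvailabilityZone": az}}


# Constructed sample: three instances in us-east-1a, one running and one
# terminated in us-east-1b, none in us-east-1c.
SAMPLE_OUTPUT = {"Reservations": [{"Instances": [
    _instance("i-0aaaaaaaaaaaaaaa1", "us-east-1a"),
    _instance("i-0aaaaaaaaaaaaaaa2", "us-east-1a"),
    _instance("i-0aaaaaaaaaaaaaaa3", "us-east-1a"),
    _instance("i-0bbbbbbbbbbbbbbb1", "us-east-1b"),
    _instance("i-0bbbbbbbbbbbbbbb2", "us-east-1b", state="terminated"),
]}]}
SAMPLE_AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]

if __name__ == "__main__":
    counts = count_by_az(SAMPLE_OUTPUT, SAMPLE_AZS)
    print("instances per AZ:", counts)
    print("AZs violating the rule:", find_uneven_azs(counts))
```

To run it against a real region, load the two JSON documents with json.load and pass them in place of the sample values.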

Remediation / Resolution

To distribute your existing Amazon EC2 instances equally across all the Availability Zones (AZs), you must migrate EC2 instances between AZs. To migrate the required instances, perform the following operations:

Note: As an example, the Remediation section will demonstrate how to migrate a Linux EC2 instance from us-east-1a to us-east-1b, within the US East (N. Virginia) region:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to migrate to another Availability Zone (AZ).

05 Choose Actions from the top-right menu, select Image and templates, and choose Create image.

06 On the Create image setup page, provide the following information:

  1. For Image name, type a unique name for your new Amazon Machine Image (AMI).
  2. (Optional) For Image description - optional, provide a short description that reflects the usage of the selected EC2 instance.
  3. Select the Reboot instance setting checkbox to ensure data consistency. When this option is selected, Amazon EC2 reboots the instance so that data is at rest when snapshots of the attached volumes are taken.
  4. (Optional) For Tags - optional, choose Tag image and snapshots together, and use the Add new tag button to create and apply user-defined tags to the new image. Tags can be used to search and filter your cloud resources or track your AWS costs.
  5. Choose Create image to create your new AMI.

07 In the left navigation panel, under Images, select AMIs, and check the Status column to determine the state of your new AMI. Once the Status is set to Available, the image is ready to be used to relaunch your Amazon EC2 instance in the appropriate Availability Zone (AZ).

08 In the left navigation panel, under Instances, select Instances, choose Launch instances, and perform the following actions to launch your new EC2 instance:

  1. For Name and tags, provide a name tag for your instance in the Name box. (Optional) Choose Add additional tags to apply user-defined tags to your new EC2 instance. You can track compute cost and other criteria by tagging your instance.
  2. For Application and OS Images (Amazon Machine Image), select My AMIs tab, choose Owned by me, and select the name of the AMI created in step no. 6 from the Amazon Machine Image (AMI) dropdown list.
  3. For Instance type, select the required instance type from the Instance type dropdown list (must match the hardware configuration of the source instance).
  4. For Key pair (login), you can select the same key pair as the source instance from the Key pair name - required dropdown list or choose Create new key pair to create a new key pair for your instance.
  5. For Network settings, perform the following actions:
    1. Choose Select existing security group under Firewall (security groups), and select the appropriate security group(s) from the Common security groups dropdown list (must match the security group configuration of the source instance).
    2. Choose Edit and select the target Availability Zone (e.g., us-east-1b) from the Availability Zone dropdown list. Make sure that other network settings align with the source instance settings.
  6. For Configure storage, configure the storage device settings (must match the storage configuration of the source instance).
  7. For Advanced details, configure the advanced settings supported by your EC2 instance (must match the configuration of the source instance).
  8. For Summary, review the instance details, and choose Launch instance to deploy your new, compliant Amazon EC2 instance.
  9. Choose View all instances to view your new EC2 instance. Once the Instance State is set to Running, your new instance is ready to use.

09 (Optional) To stop incurring any charges for your non-compliant (source) instance, you must terminate it. To shut down the instance, perform the following actions:

  1. In the left navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to terminate.
  3. Choose Instance state and select Terminate (delete) instance.
  4. In the Terminate (delete) instance confirmation box, review the instance details, then choose Terminate (delete) to terminate the selected EC2 instance.

10 Repeat steps no. 2 – 9 for each Amazon EC2 instance that you want to relocate, available within the current AWS cloud region.

11 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) to list the configuration information for the Amazon EC2 instance that you want to migrate to another Availability Zone (AZ):

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd \
	--query 'Reservations[*].Instances[]'

02 The command output should return the configuration information necessary for re-creating your Amazon EC2 instance:

[
	{
		"Architecture": "x86_64",
		"BlockDeviceMappings": [
			{
				"DeviceName": "/dev/xvda",
				"Ebs": {
					"AttachTime": "2025-07-01T11:00:32+00:00",
					"DeleteOnTermination": true,
					"Status": "attached",
					"VolumeId": "vol-0abcd1234abcd1234"
				}
			}
		],
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"NetworkInterfaces": [
			{
				"Association": {
					"IpOwnerId": "amazon",
					"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
					"PublicIp": "xxx.xxx.xxx.xxx"
				},
				"Attachment": {
					"AttachTime": "2025-07-01T11:00:31+00:00",
					"AttachmentId": "eni-attach-01234abcd1234abcd",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attached",
					"NetworkCardIndex": 0
				},
				"Description": "",
				"Groups": [
					{
						"GroupId": "sg-0abcd1234abcd1234",
						"GroupName": "cc-project5-security-group"
					}
				],
				"Ipv6Addresses": [],
				"NetworkInterfaceId": "eni-01234abcd1234abcd",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
				"PrivateIpAddress": "172.10.20.30",
				"PrivateIpAddresses": [
					{
						"Association": {
							"IpOwnerId": "amazon",
							"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
							"PublicIp": "xxx.xxx.xxx.xxx"
						},
						"Primary": true,
						"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
						"PrivateIpAddress": "172.10.20.30"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-01234abcd1234abcd",
				"VpcId": "vpc-0abcd1234abcd1234",
				"InterfaceType": "interface",
				"Operator": {
					"Managed": false
				}
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupId": "sg-0abcd1234abcd1234",
				"GroupName": "cc-project5-security-group"
			}
		],
		"SourceDestCheck": true,
		"Tags": [
			{
				"Key": "Name",
				"Value": "cc-project5-prod-instance"
			}
		],
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 1,
			"ThreadsPerCore": 1
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"HibernationOptions": {
			"Configured": false
		},
		"MetadataOptions": {
			"State": "applied",
			"HttpTokens": "required",
			"HttpPutResponseHopLimit": 2,
			"HttpEndpoint": "enabled",
			"HttpProtocolIpv6": "disabled",
			"InstanceMetadataTags": "disabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		},
		"BootMode": "uefi-preferred",
		"PlatformDetails": "Linux/UNIX",
		"UsageOperation": "RunInstances",
		"UsageOperationUpdateTime": "2025-07-01T11:00:31+00:00",
		"PrivateDnsNameOptions": {
			"HostnameType": "ip-name",
			"EnableResourceNameDnsARecord": true,
			"EnableResourceNameDnsAAAARecord": false
		},
		"MaintenanceOptions": {
			"AutoRecovery": "default",
			"RebootMigration": "default"
		},
		"CurrentInstanceBootMode": "legacy-bios",
		"NetworkPerformanceOptions": {
			"BandwidthWeighting": "default"
		},
		"Operator": {
			"Managed": false
		},
		"InstanceId": "i-01234abcd1234abcd",
		"ImageId": "ami-0abcd1234abcd1234",
		"State": {
			"Code": 16,
			"Name": "running"
		},
		"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
		"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
		"StateTransitionReason": "",
		"KeyName": "cc-project5-ssh-key",
		"AmiLaunchIndex": 0,
		"ProductCodes": [],
		"InstanceType": "t2.micro",
		"LaunchTime": "2025-07-01T10:01:31+00:00",
		"Placement": {
			"GroupName": "",
			"Tenancy": "default",
			"AvailabilityZone": "us-east-1a"
		},
		"Monitoring": {
			"State": "disabled"
		},
		"SubnetId": "subnet-01234abcd1234abcd",
		"VpcId": "vpc-0abcd1234abcd1234",
		"PrivateIpAddress": "172.10.20.30",
		"PublicIpAddress": "xxx.xxx.xxx.xxx"
	}
]

03 Run the create-image command (OSX/Linux/UNIX) to create an Amazon Machine Image (AMI) from the source Amazon EC2 instance described in the previous step. Include the --reboot command parameter (the default behavior) to ensure data consistency. When this parameter is in effect, Amazon EC2 reboots the instance so that data is at rest when snapshots of the attached volumes are taken. Do not pass --no-reboot, which skips the reboot and means the file system integrity of the resulting image cannot be guaranteed:

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-01234abcd1234abcd \
	--name "Project5 Prod Instance AMI" \
	--description "Production Stack AMI for AZ Migration" \
	--reboot

04 The command output should return the ID of the new Amazon Machine Image (AMI):

{
	"ImageId": "ami-0abcdabcdabcdabcd"
}

05 Run the run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from the AMI created in the previous steps. Use the information returned in step no. 2 to configure your new EC2 instance. Set the --subnet-id parameter value to the ID of the VPC subnet to launch the instance into. Because a subnet belongs to exactly one Availability Zone, the chosen subnet must be one that is associated with the target Availability Zone (in this case, us-east-1b), not the subnet of the source instance:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-0abcdabcdabcdabcd \
	--count 1 \
	--instance-type t2.micro \
	--key-name cc-project5-ssh-key \
	--security-group-ids sg-0abcd1234abcd1234 \
	--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=cc-project5-prod-instance}]' \
	--subnet-id subnet-01234abcd1234abcd \
	--query 'Instances[]'

06 The command output should return the configuration information for the newly created EC2 instance:

[
	{
		"Architecture": "x86_64",
		"BlockDeviceMappings": [],
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"NetworkInterfaces": [
			{
				"Attachment": {
					"AttachTime": "2025-07-01T11:50:48+00:00",
					"AttachmentId": "eni-attach-01234abcd1234abcd",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attaching",
					"NetworkCardIndex": 0
				},
				"Description": "",
				"Groups": [
					{
						"GroupId": "sg-0abcd1234abcd1234",
						"GroupName": "cc-project5-security-group"
					}
				],
				"Ipv6Addresses": [],
				"NetworkInterfaceId": "eni-01234abcd1234abcd",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
				"PrivateIpAddress": "172.20.30.40",
				"PrivateIpAddresses": [
					{
						"Primary": true,
						"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
						"PrivateIpAddress": "172.20.30.40"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-01234abcd1234abcd",
				"VpcId": "vpc-0abcd1234abcd1234",
				"InterfaceType": "interface",
				"Operator": {
					"Managed": false
				}
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupId": "sg-0abcd1234abcd1234",
				"GroupName": "cc-project5-security-group"
			}
		],
		"SourceDestCheck": true,
		"StateReason": {
			"Code": "pending",
			"Message": "pending"
		},
		"Tags": [
			{
				"Key": "Name",
				"Value": "cc-project5-prod-instance"
			}
		],
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 1,
			"ThreadsPerCore": 1
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"MetadataOptions": {
			"State": "pending",
			"HttpTokens": "required",
			"HttpPutResponseHopLimit": 2,
			"HttpEndpoint": "enabled",
			"HttpProtocolIpv6": "disabled",
			"InstanceMetadataTags": "disabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		},
		"BootMode": "uefi-preferred",
		"PrivateDnsNameOptions": {
			"HostnameType": "ip-name",
			"EnableResourceNameDnsARecord": false,
			"EnableResourceNameDnsAAAARecord": false
		},
		"MaintenanceOptions": {
			"AutoRecovery": "default",
			"RebootMigration": "default"
		},
		"CurrentInstanceBootMode": "legacy-bios",
		"Operator": {
			"Managed": false
		},
		"InstanceId": "i-0abcd1234abcd1234",
		"ImageId": "ami-0abcdabcdabcdabcd",
		"State": {
			"Code": 0,
			"Name": "pending"
		},
		"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
		"PublicDnsName": "",
		"StateTransitionReason": "",
		"KeyName": "cc-project5-ssh-key",
		"AmiLaunchIndex": 0,
		"ProductCodes": [],
		"InstanceType": "t2.micro",
		"LaunchTime": "2025-07-01T11:50:48+00:00",
		"Placement": {
			"GroupName": "",
			"Tenancy": "default",
			"AvailabilityZone": "us-east-1b"
		},
		"Monitoring": {
			"State": "disabled"
		},
		"SubnetId": "subnet-01234abcd1234abcd",
		"VpcId": "vpc-0abcd1234abcd1234",
		"PrivateIpAddress": "172.20.30.40"
	}
]

07 (Optional) You can terminate the source (non-compliant) EC2 instance in order to stop incurring charges for it. To shut down the instance, run the terminate-instances command (OSX/Linux/UNIX) with the source instance ID as the identifier parameter:

aws ec2 terminate-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd

08 The output should return the terminate-instances command request information:

{
	"TerminatingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 32,
				"Name": "shutting-down"
			},
			"PreviousState": {
				"Code": 16,
				"Name": "running"
			}
		}
	]
}

09 Repeat steps no. 1 – 8 for each Amazon EC2 instance that you want to relocate, available in the selected AWS cloud region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
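Steps no. 2 and 5 above copy the source instance's settings into run-instances by hand, and the subnet choice is the step most easily got wrong. The added example below (not Conformity's own code) builds the run-instances argument list from the describe-instances record and the output of aws ec2 describe-subnets, and refuses any subnet that is not in the target AZ and the source VPC; the source record reuses the values shown in step no. 2, while the us-east-1b subnet ID is made up for the example.

```python
"""Build run-instances arguments for moving an EC2 instance to another AZ."""
import shlex


def pick_subnet(describe_subnets_output, vpc_id, target_az):
    """Return the ID of a subnet in both vpc_id and target_az, or raise.

    A subnet lives in exactly one AZ, so the source instance's own subnet
    never qualifies for a different target AZ.
    """
    for subnet in describe_subnets_output.get("Subnets", []):
        if subnet["VpcId"] == vpc_id and subnet["AvailabilityZone"] == target_az:
            return subnet["SubnetId"]
    raise ValueError(f"no subnet of {vpc_id} lies in {target_az}")


def build_run_instances_args(source, ami_id, describe_subnets_output,
                             target_az, region):
    """Return the `aws ec2 run-instances` argv list for the replacement.

    source is one instance record from describe-instances (step no. 2);
    ami_id is the ImageId returned by create-image (step no. 4).
    """
    if source["Placement"]["AvailabilityZone"] == target_az:
        raise ValueError("target AZ must differ from the source AZ")
    subnet_id = pick_subnet(describe_subnets_output, source["VpcId"], target_az)
    args = ["aws", "ec2", "run-instances", "--region", region,
            "--image-id", ami_id, "--count", "1",
            "--instance-type", source["InstanceType"], "--security-group-ids"]
    args += [group["GroupId"] for group in source["SecurityGroups"]]
    args += ["--subnet-id", subnet_id]
    if source.get("KeyName"):
        args += ["--key-name", source["KeyName"]]
    # Copy the tags so the replacement keeps its Name and cost-tracking tags.
    tags = ",".join(f"{{Key={t['Key']},Value={t['Value']}}}"
                    for t in source.get("Tags", []))
    if tags:
        args += ["--tag-specifications", f"ResourceType=instance,Tags=[{tags}]"]
    return args


# Constructed sample: source values from step no. 2; the us-east-1b subnet ID
# is invented for the example.
SAMPLE_SOURCE = {
    "InstanceId": "i-01234abcd1234abcd", "InstanceType": "t2.micro",
    "KeyName": "cc-project5-ssh-key", "VpcId": "vpc-0abcd1234abcd1234",
    "SubnetId": "subnet-01234abcd1234abcd",
    "Placement": {"AvailabilityZone": "us-east-1a"},
    "SecurityGroups": [{"GroupId": "sg-0abcd1234abcd1234"}],
    "Tags": [{"Key": "Name", "Value": "cc-project5-prod-instance"}]}
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-01234abcd1234abcd", "VpcId": "vpc-0abcd1234abcd1234",
     "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0f0f0f0f0f0f0f0f0", "VpcId": "vpc-0abcd1234abcd1234",
     "AvailabilityZone": "us-east-1b"}]}

if __name__ == "__main__":
    print(shlex.join(build_run_instances_args(
        SAMPLE_SOURCE, "ami-0abcdabcdabcdabcd", SAMPLE_SUBNETS, "us-east-1b", "us-east-1")))
```

The returned list is an argv for subprocess.run; shlex.join only renders it as a quoted shell line for inspection.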

Publication date Feb 6, 2017