AWS EC2 Best Practices

Amazon Elastic Compute Cloud (EC2) provides on-demand compute capacity that can be tailored to meet your specific system requirements. EC2 servers can be configured and launched in a matter of minutes, allowing customers to scale up and down as usage requirements change.

Cloud Conformity checks the Amazon Elastic Compute Cloud (EC2) service according to the following rules:

AWS Approved/Golden AMI
Ensure all AWS EC2 instances are launched from approved AMIs.

AWS Blacklisted Amazon Machine Image
Ensure there are no AWS EC2 instances launched from blacklisted AMIs.

Enable AWS AMI Encryption
Ensure that your existing AMIs are encrypted to meet security and compliance requirements.

Amazon Machine Image Naming Conventions
Ensure AWS AMIs are using proper naming conventions to follow AWS tagging best practices.

Check for AWS AMI Age
Check for any AMIs older than 180 days available within your AWS account.

Unused Amazon Machine Images
Identify and remove any unused Amazon Machine Images (AMIs) to optimize AWS costs.

Unassociated Elastic IP Addresses
Identify and remove any unassociated Elastic IP (EIP) addresses for cost optimization.

Publicly Shared App-Tier AMIs
Ensure all customer owned Amazon Machine Images for app tier are not shared publicly.

App-Tier EC2 Instances Without Elastic or Public IP Addresses
Ensure that EC2 instances within the app tier have no Elastic or Public IP addresses associated.

Check app-tier ELB subnet connectivity to Internet Gateway
Ensure the route table associated with the app-tier ELB subnets has the default route configured to allow connectivity to VPC Internet Gateway (IGW).

IAM Roles for App-Tier EC2 Instances
Ensure an IAM Role for Amazon EC2 is created for app tier.

Create and Configure App-Tier Security Group
Create app-tier security group and ensure it allows inbound connections from the app-tier ELB security group for specific ports.

EC2 Instances Distribution Across Availability Zones
Ensure even distribution of EC2 instances across Availability Zones within a region.

EC2-Classic Elastic IP Address Limit
Ensure that your account does not reach the limit set by AWS for the number of allocated Elastic IPs.

Data-Tier Instances Without Elastic or Public IP Addresses
Ensure instances within data tier have no Elastic or Public IP addresses associated.

Create and Configure Data-Tier Security Group
Create data-tier security group and ensure it allows inbound connections from the app-tier security group for explicit ports.

Restrict data-tier subnet connectivity to VPC NAT Gateway
Ensure that the route table associated with the data-tier subnets has no default route (0.0.0.0/0) defined to allow connectivity to the VPC NAT Gateway.

Unrestricted Default Security Groups
Ensure default security groups restrict all public traffic to follow AWS security best practices.

Default EC2 Security Groups In Use
Ensure default EC2 security groups are not in use in order to follow AWS security best practices.

Detailed Monitoring for AWS EC2 Instances
Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor closely.

AWS EC2 Desired Instance Type
Ensure all your AWS EC2 instances are of a given instance type (e.g. m3.medium).

Review AWS EC2 Dedicated Instances
Ensure EC2 dedicated instances are regularly reviewed for cost optimization (informational).

EC2 Instance Not In Public Subnet
Ensure no backend EC2 instances are running in public subnets.

AWS EC2 Reserved Instances Failed Purchases
Ensure that none of your AWS EC2 Reserved Instance purchases have failed.

AWS EC2 Reserved Instances Pending Purchases
Ensure that none of your AWS EC2 Reserved Instance purchases are pending.

AWS EC2 Reserved Instances Recent Purchases
Ensure EC2 Reserved Instance purchases are regularly reviewed for cost optimization (informational).

AWS EC2 Reserved Instances Purchase Recommendations
Upgrade EC2 instances to Reserved Instances (RIs) by following our recommendations for purchasing RIs.

Unused EC2 Reserved Instances
Ensure that your Amazon EC2 Reserved Instances are being fully utilized.

Total Number of EC2 Instances
Ensure your AWS account has not reached the limit set for the number of EC2 instances.

AWS EC2 Instance Type Generation
Ensure your AWS servers are using the latest generation of EC2 instances for price-performance improvements.

Idle AWS EC2 Instances
Identify idle AWS EC2 instances and stop or terminate them in order to optimize AWS costs.

Instance In Auto Scaling Group
Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices.

AWS EC2 Platform
Ensure EC2 instances are launched on the EC2-VPC platform instead of the outdated EC2-Classic platform.

AWS EC2 Instance Limit
Ensure your AWS account does not reach the limit set by Amazon for the number of instances.

EC2 Instance Naming Conventions
Ensure EC2 Instances are using proper naming conventions to follow AWS tagging best practices.

EC2 Instances with Scheduled Events
Identify any AWS EC2 instances that have scheduled events and take action to resolve them.

EC2 Instance Security Group Rules Count
Ensure that the security group(s) associated with an EC2 instance does not have an excessive number of rules defined.

AWS EC2 Instance Tenancy Type
Ensure EC2 instances have the required tenancy for security and regulatory compliance requirements.

EC2 Instance Termination Protection
Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs.

AWS EC2 Instance Age
Check for running AWS EC2 instances older than 180 days available within your AWS account.

AWS EC2 Instance IAM Roles
Use instance profiles (IAM roles) to grant permissions to applications running on Amazon EC2 instances, instead of embedding long-lived access keys on the instance.

Overutilized AWS EC2 Instances
Identify overutilized EC2 instances and upgrade them to optimize application response time.

Publicly Shared AWS AMIs
Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.

EC2 Reserved Instance Lease Expiration In The Next 30 Days
Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration.

EC2 Reserved Instance Lease Expiration In The Next 7 Days
Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration.

EC2 Security Groups Count
Ensure your AWS account does not have an excessive number of security groups per region.

Security Group Naming Conventions
Ensure security groups are using proper naming conventions to follow AWS tagging best practices.

EC2 Security Group Port Range
Ensure there are no EC2 security groups in your AWS account that open range of ports to allow incoming traffic.

Security Groups Prefixed with "launch-wizard" In Use
Ensure EC2 security groups prefixed with "launch-wizard" are not in use in order to follow AWS security best practices.

EC2 Security Groups with RFC-1918 CIDRs
Ensure no EC2 security group allows inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices.

EC2 Security Group Rules Count
Ensure your EC2 security groups do not have an excessive number of rules defined.

Descriptions for Security Group Rules
Ensure AWS EC2 security group rules have descriptive text for organization and documentation.

Monitor CPU Credit Balance for T2 Instances
Ensure the CPU credit balance for all T2 instances is being monitored for low values.

Underutilized AWS EC2 Instances
Identify underutilized EC2 instances and downsize them in order to optimize your AWS costs.

EC2 Security Group Unrestricted Access
Ensure no EC2 security group allows unrestricted (0.0.0.0/0 or ::/0) ingress/egress access.

Unrestricted CIFS Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 445 (CIFS).

Unrestricted DNS Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP and UDP port 53 (DNS).

Unrestricted Elasticsearch Access
Ensure no security group allows unrestricted inbound access to TCP port 9200 (Elasticsearch).

Unrestricted FTP Access
Ensure no EC2 security group allows unrestricted inbound access to TCP ports 20 and 21 (FTP).

Unrestricted HTTP Access
Ensure no security group allows unrestricted inbound access to TCP port 80 (HTTP).

Unrestricted HTTPS Access
Ensure no security group allows unrestricted inbound access to TCP port 443 (HTTPS).

Unrestricted ICMP Access
Ensure no security group allows unrestricted inbound access using Internet Control Message Protocol (ICMP).

Unrestricted Inbound Access on Uncommon Ports
Ensure no EC2 security group allows unrestricted inbound access to any uncommon ports.

Unrestricted MongoDB Access
Ensure no security group allows unrestricted inbound access to TCP port 27017 (MongoDB).

Unrestricted MSSQL Database Access
Ensure no security group allows unrestricted inbound access to TCP port 1433 (MSSQL).

Unrestricted MySQL Database Access
Ensure no security group allows unrestricted inbound access to TCP port 3306 (MySQL).

Unrestricted NetBIOS Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS).

Unrestricted Oracle Database Access
Ensure no security group allows unrestricted inbound access to TCP port 1521 (Oracle Database).

Unrestricted Outbound Access on All Ports
Ensure that your EC2 security groups do not allow unrestricted outbound/egress access.

Unrestricted PostgreSQL Database Access
Ensure no security group allows unrestricted inbound access to TCP port 5432 (PostgreSQL Database).

Unrestricted RDP Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 3389 (RDP).

Unrestricted RPC Access
Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC).

Unrestricted SMTP Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 25 (SMTP).

Unrestricted SSH Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 22 (SSH).

Unrestricted Telnet Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 23 (Telnet).

Unused AWS Elastic Network Interfaces
Ensure unused AWS Elastic Network Interfaces (ENIs) are removed to follow best practices.

Unused AWS EC2 Key Pairs
Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices.

EC2-VPC Elastic IP Address Limit
Ensure that your account does not reach the limit set by AWS for the number of Elastic IPs.

Publicly Shared Web-Tier AMIs
Ensure all customer owned Amazon Machine Images for web tier are not shared publicly.

Web-Tier EC2 Instances Without Elastic or Public IP Addresses
Ensure EC2 instances within web tier have no Elastic or Public IP addresses associated.

Check web-tier ELB subnet connectivity to Internet Gateway
Ensure the route table associated with the web-tier ELB subnets has the default route defined to allow connectivity to the VPC's Internet Gateway (IGW).

Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances
Ensure IAM policy for EC2 IAM roles for web tier is configured.

IAM Roles for Web-Tier EC2 Instances
Ensure an IAM Role for Amazon EC2 is created for web tier.

Create and Configure Web-Tier Security Group
Create web-tier security group and ensure it allows inbound connections from the web-tier ELB security group for explicit ports.

Check web-tier subnet connectivity to VPC NAT Gateway
Ensure that the route table associated with the web-tier subnets has the default route (0.0.0.0/0) defined to allow connectivity to the VPC NAT Gateway.
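The tier placement rules above (web-, app- and data-tier instances without public or Elastic IPs, backend instances not in public subnets, data-tier subnets with no default route to a NAT Gateway, web-tier subnets with one, and an IAM role on every instance) all reduce to one question: where does the 0.0.0.0/0 route of the instance's subnet point? The script below is an added example, not Cloud Conformity's own code. It reads the dict shapes returned by boto3's ec2.describe_route_tables()["RouteTables"] and by the Instances inside describe_instances() reservations; SAMPLE_ROUTE_TABLES and SAMPLE_INSTANCES are constructed. Identifying the tier from a "Tier" tag is an assumed convention, not something the rules prescribe.

```python
"""Check tier placement of EC2 instances from route-table and instance data.
Added example, not Cloud Conformity's own code. It reads the dict shapes returned
by boto3's ec2.describe_route_tables()["RouteTables"] and the Instances inside
describe_instances() reservations; SAMPLE_* below is constructed. Tier membership
via a "Tier" tag is an assumed convention."""
from typing import Dict, List, Optional, Tuple

def default_route_target(rt: Dict) -> Optional[str]:
    """Target of the active 0.0.0.0/0 route: "igw", "nat", "other", or None if absent."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        return "other"  # e.g. a virtual private gateway or transit gateway
    return None

def subnet_route_tables(route_tables: List[Dict]) -> Tuple[Dict[str, Dict], Dict[str, Dict]]:
    """Explicit subnet -> route table map, plus the main table per VPC, which
    applies to every subnet that has no explicit association."""
    explicit: Dict[str, Dict] = {}
    main_by_vpc: Dict[str, Dict] = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_by_vpc[rt["VpcId"]] = rt
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = rt
    return explicit, main_by_vpc

def subnet_exposure(subnet_id: str, vpc_id: str, explicit: Dict, main_by_vpc: Dict) -> Optional[str]:
    rt = explicit.get(subnet_id) or main_by_vpc.get(vpc_id)
    return default_route_target(rt) if rt else None

def audit_instances(instances: List[Dict], route_tables: List[Dict]) -> Dict[str, List[str]]:
    """Map InstanceId -> placement findings; clean instances are omitted."""
    explicit, main_by_vpc = subnet_route_tables(route_tables)
    report: Dict[str, List[str]] = {}
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        tier = tags.get("Tier", "").lower()
        exposure = subnet_exposure(inst["SubnetId"], inst["VpcId"], explicit, main_by_vpc)
        findings: List[str] = []
        # An associated Elastic IP is reported as the instance's PublicIpAddress too.
        if tier in ("web", "app", "data") and inst.get("PublicIpAddress"):
            findings.append(f"{tier}-tier instance has a public or Elastic IP address")
        if tier in ("app", "data") and exposure == "igw":
            findings.append(f"{tier}-tier instance runs in a public subnet (default route to IGW)")
        if tier == "data" and exposure == "nat":
            findings.append("data-tier subnet has a default route to a NAT Gateway")
        if tier == "web" and exposure != "nat":
            findings.append("web-tier subnet has no default route to a NAT Gateway")
        if not inst.get("IamInstanceProfile"):
            findings.append("no IAM role (instance profile) attached")
        if findings:
            report[inst["InstanceId"]] = findings
    return report

# Constructed sample data: one VPC whose main table routes to an IGW, a private
# table with a NAT default route for web/app, and an isolated table for data.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-web"}, {"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"}]},
    {"RouteTableId": "rtb-data", "VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-data"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-web1", "VpcId": "vpc-1", "SubnetId": "subnet-web",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
     "Tags": [{"Key": "Tier", "Value": "web"}]},
    {"InstanceId": "i-app1", "VpcId": "vpc-1", "SubnetId": "subnet-public",  # falls to main table
     "PublicIpAddress": "203.0.113.10",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app"},
     "Tags": [{"Key": "Tier", "Value": "app"}]},
    {"InstanceId": "i-db1", "VpcId": "vpc-1", "SubnetId": "subnet-data",
     "Tags": [{"Key": "Tier", "Value": "data"}]},
]

if __name__ == "__main__":
    for instance_id, lines in audit_instances(SAMPLE_INSTANCES, SAMPLE_ROUTE_TABLES).items():
        print(instance_id, *("  - " + line for line in lines), sep="\n")
```

The subnet with no explicit association is the common trap: it inherits the VPC main route table, which in a default-style VPC carries the IGW route, so an app instance launched into it is public even though nobody "made" the subnet public. The instance-profile check only confirms that a role is attached; whether its policy is scoped appropriately is a separate IAM review.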