
Check for EC2 Instances with Blacklisted Instance Types

Security

Risk level: High (not acceptable risk)

Ensure that none of the Amazon EC2 instances provisioned in your AWS account use an instance type blacklisted by your organization. Before the Cloud Conformity engine runs this rule, the list of blacklisted EC2 instance types must be configured in the rule settings on the Cloud Conformity account dashboard.

Restricting the instance types used within your organization helps you meet internal security and compliance requirements and prevents unexpected charges on your AWS bill. Blacklisting a small set of EC2 instance types, usually the very large ones such as r4.16xlarge or c5d.18xlarge, is also far simpler to maintain than explicitly permitting a long list of allowed types.

Audit

To determine whether any EC2 instances in your AWS account were launched with a blacklisted instance type, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity account, access Check for EC2 Instances with Blacklisted Instance Types conformity rule settings and copy the instance type(s) blacklisted by your organization.

02 Sign in to AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, within INSTANCES section, choose Instances.

05 Click inside the attributes filter box located under the EC2 dashboard top menu, select Instance Type, paste the name of the blacklisted instance type copied at step no. 1 (e.g. r4.16xlarge) and press Enter. Repeat this action for each blacklisted instance type. If the filter returns one or more EC2 instances, instances in the current region were launched using blacklisted instance types; you must take action and raise a support case to request that AWS deny the creation of EC2 instances using the forbidden instance types (see the Remediation/Resolution section).

06 Change the AWS region from the navigation bar and repeat step no. 5 for all other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity account, access Check for EC2 Instances with Blacklisted Instance Types conformity rule settings and copy the instance type(s) blacklisted by your organization.

02 Run the describe-instances command (OSX/Linux/UNIX) with the instance type copied at the previous step as a filter parameter and a custom query, to list the ID(s) of the running EC2 instances launched with that type in the selected AWS region. Replace the <blacklisted-instance-type> placeholder with the instance type copied at step no. 1. Execute this command once for each blacklisted instance type defined within the rule settings:

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=instance-state-name,Values=running" "Name=instance-type,Values=<blacklisted-instance-type>" \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested Amazon EC2 instance ID(s):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-012341234abcdabcd  |
|  i-0abcdabcd12341234  |
+-----------------------+

If the describe-instances command returns one or more EC2 instance IDs, there are EC2 instances in the selected region that were launched using blacklisted instance types; you must take action and create a support case to request that AWS deny launching EC2 instances with the forbidden instance types.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 and 3 for all other regions.
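The CLI procedure above has to be repeated once per blacklisted type and once per region. The following Python script is an added example, not Cloud Conformity's own code or tooling: it reproduces the same two filters and the Reservations[*].Instances[*].InstanceId query as a pure function over the describe-instances response shape, and wraps it in an optional boto3 loop across all regions. The blacklist, the instance IDs and the reservation data are constructed sample values; the boto3 path is an assumption that requires installed boto3 and working AWS credentials.

```python
"""Audit all regions for EC2 instances whose type is on an organization blacklist.

Added example (not Cloud Conformity's code). The pure function mirrors the
filters and JMESPath query used by the describe-instances command; the boto3
wrapper applies it live, region by region (step 04 above).
"""

# Constructed sample: instance types the organization forbids (assumption).
BLACKLISTED_TYPES = {"r4.16xlarge", "c5d.18xlarge"}

# Constructed sample shaped like the Reservations[] array returned by
# `aws ec2 describe-instances`; every ID below is made up.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-012341234abcdabcd", "InstanceType": "r4.16xlarge",
         "State": {"Name": "running"}},
        {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "InstanceType": "t3.micro",
         "State": {"Name": "running"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0abcdabcd12341234", "InstanceType": "c5d.18xlarge",
         "State": {"Name": "running"}},
        # Stopped instance on a forbidden type: skipped by the CLI's
        # instance-state-name=running filter, so skipped here by default too.
        {"InstanceId": "i-0bbbbbbbbbbbbbbbb", "InstanceType": "c5d.18xlarge",
         "State": {"Name": "stopped"}},
    ]},
]


def find_blacklisted_instances(reservations, blacklist, running_only=True):
    """Return the sorted IDs of instances whose InstanceType is in `blacklist`.

    Equivalent to applying Name=instance-state-name,Values=running and
    Name=instance-type,Values=<type> for every blacklisted type at once, then
    selecting Reservations[*].Instances[*].InstanceId.
    """
    hits = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if running_only and inst.get("State", {}).get("Name") != "running":
                continue
            if inst.get("InstanceType") in blacklist:
                hits.append(inst["InstanceId"])
    return sorted(hits)


def audit_regions(blacklist, regions=None):
    """Run the check in every region and return {region: [instance ids]}.

    Only regions with findings appear in the result. boto3 is imported lazily
    so the pure function above stays usable offline (assumption: boto3 is
    installed and AWS credentials are configured when this is called).
    """
    import boto3

    if regions is None:
        ec2 = boto3.client("ec2", region_name="us-east-1")
        regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]

    findings = {}
    for region in regions:
        client = boto3.client("ec2", region_name=region)
        reservations = []
        # The CLI paginates automatically; boto3 clients need a paginator.
        paginator = client.get_paginator("describe_instances")
        for page in paginator.paginate(
            Filters=[{"Name": "instance-state-name", "Values": ["running"]},
                     {"Name": "instance-type", "Values": sorted(blacklist)}]):
            reservations.extend(page["Reservations"])
        ids = find_blacklisted_instances(reservations, blacklist)
        if ids:
            findings[region] = ids
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample data.
    print(find_blacklisted_instances(SAMPLE_RESERVATIONS, BLACKLISTED_TYPES))
```

Passing the whole blacklist in one instance-type filter (the Values list) replaces the per-type loop in step 02, and `running_only=False` widens the check to stopped instances, which the CLI filter on the page deliberately excludes but which would still be billed for attached storage and could be restarted on the forbidden type.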

Remediation / Resolution

To ensure that no EC2 instances are launched within your AWS account using blacklisted instance types, perform the following actions:

Note: Creating a support case to request instance type restrictions via the AWS API or the Command Line Interface (CLI) is not currently supported; the request must be submitted through the AWS Support Center in the console.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Support Center page, perform the following actions:

  1. Select My support cases tab and click Create case button to initiate the request process.
  2. Under Create case, select Account and Billing Support option.
  3. In the Case classification section, select Account from the Type dropdown list and Other Account Issues from the Category dropdown list.
  4. Within the Case description section, enter the request subject in the Subject box, e.g. "Deny launching AWS EC2 instances with specific instance types", and in the Description area list the forbidden instance types and briefly explain why you need to block the provisioning of EC2 instances using them. This will help the AWS support team evaluate your case.
  5. In the Contact options section, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support can use to respond to your request. You can either choose to be contacted via email and AWS Support Center or via phone call.
  6. Click Submit to send the limit request to Amazon Web Services.

Publication date Apr 15, 2019