
AWS EC2 Instance Tenancy Type

Security

Risk level: Medium (should be achieved)

Ensure that your AWS EC2 instances use the appropriate tenancy model, i.e. Multi-Tenant Hardware (shared) or Single-Tenant Hardware (dedicated), in order to comply with your organization's regulatory and security requirements. Based on these tenancy models, AWS provides two types of instances: Shared Instances, which run on shared hardware where the isolation between tenants is logical (enforced by the hypervisor), and Dedicated Instances/Dedicated Hosts, which run on single-tenant hardware where the isolation is physical. Cloud Conformity strongly recommends using EC2 Dedicated Instances or Dedicated Hosts if your regulatory and security requirements prohibit your organization's data from being physically stored on shared hardware.

This rule resolution is part of the Cloud Conformity Security Package

Using the right tenancy model for your EC2 instances should reduce the concerns around security at the instance hypervisor level and promote better compliance.

Note: Not all EC2 instance types are eligible for the dedicated tenancy model. To verify whether your EC2 instance type can be launched in a dedicated hardware environment, consult the current AWS documentation at https://aws.amazon.com/ec2/purchasing-options/dedicated-instances/.

Audit

To determine the type of tenancy, shared or dedicated, used by your EC2 instances, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine.

05 Select the Description tab from the dashboard bottom panel.

06 In the right column, check the Tenancy attribute value to determine the tenancy type of the selected EC2 instance. If the Tenancy value is default, the instance is running on Multi-Tenant Hardware (logically isolated). If the Tenancy value is dedicated, the instance is running on Single-Tenant Hardware (physically isolated at the host hardware level). To determine whether you have any EC2 Dedicated Hosts (physically isolated), select Dedicated Hosts from the EC2 navigation panel and check for any instances listed.

07 Repeat steps no. 4 – 6 to verify the tenancy type for the rest of the EC2 instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all EC2 instances currently available in the selected region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-07e1142902ec19a44  |
|  i-06d1691e53b1576b9  |
|  i-0b3cdfa00d01f7d0c  |
+-----------------------+

03 Run the describe-instances command again (OSX/Linux/UNIX), using an instance ID returned at the previous step as identifier and custom output filtering, to determine the type of tenancy used by the selected EC2 instance:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-07e1142902ec19a44 \
	--query 'Reservations[*].Instances[*].Placement.Tenancy'

04 The command output should return the tenancy of the selected instance:

  1. If the value returned is default, the instance is running on a Multi-Tenant Hardware (logically isolated):
    [
        [
            "default"
        ]
    ]
    
  2. If the value returned is dedicated, the instance is running on a Single-Tenant Hardware (physically isolated):
    [
        [
            "dedicated"
        ]
    ]
    
  3. If the value returned is host, the instance is running on a Single-Tenant Hardware (physically isolated) that gives you full control over the instance placement at the host level:
    [
        [
            "host"
        ]
    ]
    

05 Repeat steps no. 3 and 4 to verify the tenancy type for other EC2 instances available in the current region.

06 Repeat steps no. 1 – 5 to perform the entire audit process for other AWS regions.
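Steps 01 to 06 above check one instance at a time in one region. The following script is an added example (not part of the original Cloud Conformity page) that automates the same audit: it takes the JSON output of describe-instances for several regions, flattens the Reservations/Instances nesting, and flags every instance whose Placement.Tenancy is not dedicated or host. The sample output embedded at the bottom is constructed for the example; in practice you would feed it the result of `aws ec2 describe-instances --region <region> --output json` for each region returned by `aws ec2 describe-regions --query 'Regions[].RegionName' --output text`.

```python
"""Classify EC2 instances by tenancy from describe-instances JSON output (added example)."""
import json

# Placement.Tenancy values that describe-instances can return.
SHARED_TENANCY = {"default"}                   # multi-tenant hardware, logical isolation
SINGLE_TENANT_TENANCY = {"dedicated", "host"}  # Dedicated Instance / Dedicated Host


def iter_instances(describe_output):
    """Flatten the Reservations -> Instances nesting of describe-instances output."""
    doc = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    for reservation in doc.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            yield instance


def audit_tenancy(outputs_by_region, required=frozenset(SINGLE_TENANT_TENANCY)):
    """Return one finding per non-terminated instance across all regions.

    outputs_by_region maps a region name to the describe-instances output for that
    region. An instance is compliant when its Placement.Tenancy is one of the
    `required` values (dedicated or host unless the caller relaxes the policy).
    """
    findings = []
    for region, output in outputs_by_region.items():
        for instance in iter_instances(output):
            state = instance.get("State", {}).get("Name", "unknown")
            if state == "terminated":
                continue  # terminated instances stay visible for a while; they are not a finding
            # Placement.Tenancy is always present in real output; "default" is the shared model.
            tenancy = instance.get("Placement", {}).get("Tenancy", "default")
            findings.append({
                "region": region,
                "instance_id": instance["InstanceId"],
                "state": state,
                "tenancy": tenancy,
                "compliant": tenancy in required,
            })
    return findings


def noncompliant(findings):
    """Only the instances that still run on shared (multi-tenant) hardware."""
    return [f for f in findings if not f["compliant"]]


# Constructed sample output (not real AWS data), trimmed to the fields the audit reads.
SAMPLE_OUTPUTS = {
    "us-east-1": json.dumps({"Reservations": [
        {"Instances": [
            {"InstanceId": "i-07e1142902ec19a44", "State": {"Name": "running"},
             "Placement": {"Tenancy": "default", "AvailabilityZone": "us-east-1d"}},
            {"InstanceId": "i-06d1691e53b1576b9", "State": {"Name": "running"},
             "Placement": {"Tenancy": "dedicated", "AvailabilityZone": "us-east-1d"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0b3cdfa00d01f7d0c", "State": {"Name": "terminated"},
             "Placement": {"Tenancy": "default", "AvailabilityZone": "us-east-1a"}},
        ]},
    ]}),
    "eu-west-1": json.dumps({"Reservations": [
        {"Instances": [
            {"InstanceId": "i-0example000000001", "State": {"Name": "stopped"},
             "Placement": {"Tenancy": "host", "AvailabilityZone": "eu-west-1a"}},
        ]},
    ]}),
}

if __name__ == "__main__":
    for f in audit_tenancy(SAMPLE_OUTPUTS):
        flag = "OK  " if f["compliant"] else "FAIL"
        print(f"{flag} {f['region']} {f['instance_id']} ({f['state']}) tenancy={f['tenancy']}")
```

On the constructed sample the script reports i-07e1142902ec19a44 as the only failing instance: the dedicated and host instances pass, and the terminated instance is skipped. Passing `required=frozenset({"default", "dedicated", "host"})` turns the function into a plain inventory for organizations without a single-tenant requirement.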

Remediation / Resolution

To recreate/re-launch your running EC2 instances with the required tenancy, perform the following:

Note: You can launch or re-launch EC2 Dedicated Instances within both dedicated and non-dedicated VPCs by setting the instance tenancy type to “dedicated” during the launch process.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 First, create an image (AMI) from the necessary EC2 instance. To build the instance AMI (Amazon Machine Image), perform the following:

  1. In the left navigation panel, under INSTANCES section, choose Instances.
  2. Select the EC2 instance that you want to re-launch under a different tenancy model (see the Audit section to identify the EC2 instances tenancy type).
  3. Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.
  4. Inside Create Image dialog box, provide the following information:
    • Enter a name for the new AMI in the Image Name box.
    • In the Image description box, provide a description that reflects the usage of the EC2 image.
    • Leave the No reboot option unchecked so that AWS can guarantee the file system integrity of the new image.
  5. Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The AMI creation may take a few minutes. Once the process is complete, the image status should change from pending to available.

04 Now that the AMI is ready for use, re-launch the selected EC2 instance with the required tenancy type. To launch the instance using the AMI, perform the following actions:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Click the Launch Instance button from the EC2 dashboard top menu to initiate the process.
  3. On the Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the AMI created at the previous step.
  4. On the Choose an Instance Type page, select the same instance type used then click Next: Configure Instance Details button.
  5. On the Configure Instance Details page, configure the necessary features and options available on the page (except the tenancy type) based on your running EC2 instance requirements.
  6. From the Tenancy dropdown list select one of the following options based on your organization compliance requirements:
    • Shared: Run a shared hardware instance – to deploy the instance in a logically isolated hardware environment (Shared Instance). This is the default tenancy type used by most EC2 instances deployed in the AWS cloud.
    • Dedicated: Run a Dedicated instance – to deploy the instance in a physically isolated hardware environment (Dedicated Instance). This type of tenancy is used by a subset of instances that have special needs when it comes to security and compliance requirements.
    • Dedicated host: Launch this instance on a Dedicated host – to deploy the instance in a physically isolated hardware environment (Dedicated Host). An EC2 Dedicated Host gives you the same level of isolation as a Dedicated Instance but provides additional visibility and control over how instances are placed on the physical machine so you can consistently deploy your instances to the same physical environment over time.
  7. Click Next: Add Storage and go through the next pages until you reach the Configure Security Group page, without changing any configuration.
  8. On the Configure Security Groups, choose Select an existing security group and select the existing/running instance security group. Click the Review and Launch button, review your instance configuration details and click Launch.
  9. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the running EC2 instance. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.
  10. Click View Instances to return to the Instances page. The new instance will have the same data and configuration (except the tenancy model) as the existing (old) EC2 instance.

05 Once you have tested the new instance launched on the appropriate hardware environment, you can transfer the Elastic IP (EIP) from the old EC2 instance to the new instance so that existing references resolve to the new instance. If the old instance does not have an EIP attached, you will have to update the domain DNS record(s) or any other application references to switch to the new instance IP. To transfer the Elastic IP, perform the following:

  1. In the navigation panel, under NETWORK & SECURITY section, select Elastic IPs.
  2. Select the EIP address attached to the old running instance, click the Actions dropdown button then select Disassociate Address.
  3. In the Disassociate Address dialog box, review the details then click Yes, Disassociate.
  4. Select the same address, disassociated in the previous step, click the Actions dropdown button then select Associate Address.
  5. In the Associate Address dialog box, select the new EC2 instance created at step no. 4 from the Instance dropdown list and then click Associate to attach the EIP.

06 Now it’s safe to terminate the old EC2 instance in order to stop incurring charges for it. To shut down the instance, perform the following:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Select the EC2 instance that you want to terminate.
  3. Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
  4. In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) to list the running EC2 instance metadata. The metadata will be needed later, when this instance is recreated within a different hardware environment:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-07e1142902ec19a44 \
	--query 'Reservations[*].Instances[*].[KeyName,InstanceType,SecurityGroups]'

02 The command output should return the running EC2 instance metadata requested:

[
    "MyEC2KeyPair",
    "m3.large",
    [
        {
            "GroupName": "MyEC2SecurityGroup",
            "GroupId": "sg-e342c5b9"
        }
    ]
]

03 Run create-image command (OSX/Linux/UNIX) to create an image from your existing EC2 instance. Use the --reboot command parameter (the default behaviour), which stops the instance before the snapshot is taken and thereby guarantees the file system integrity of your new AMI, matching the No reboot setting left unchecked in the console procedure above:

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-07e1142902ec19a44 \
	--name "EC2 Shared Instance AMI" \
	--description "Web App Stack AMI ver. 1.8 (Shared Tenancy)" \
	--reboot

04 The command output should return the new Amazon Machine Image (AMI) ID:

{
    "ImageId": "ami-b01cd9dd"
}

05 Run run-instances command (OSX/Linux/UNIX) to launch the EC2 instance from the image created at the previous step using one of the following tenancy types:

  1. Shared Instance - the following command example creates an EC2 instance from an AMI with the ID ami-b01cd9dd, using the default tenancy model (logically isolated hardware environment):
    aws ec2 run-instances \
    	--region us-east-1 \
    	--image-id ami-b01cd9dd \
    	--count 1 \
    	--instance-type m3.large \
    	--key-name MyEC2KeyPair \
    	--security-groups MyEC2SecurityGroup \
    	--placement Tenancy=default
    
  2. The command output should return the new EC2 instance configuration metadata, including the tenancy type under Placement:
    {
        "OwnerId": "123456789012",
        "ReservationId": "r-0a4341fac605c7b4b",
        "Groups": [],
        "Instances": [
                ...
                "Placement": {
                    "Tenancy": "default",
                    "GroupName": "",
                    "AvailabilityZone": "us-east-1d"
                }
                ...
            }
        ]
    }
    
  3. Dedicated Instance - the following command example creates an EC2 instance from an AMI with the ID ami-b01cd9dd, using the dedicated tenancy model (physically isolated hardware environment):
    aws ec2 run-instances \
    	--region us-east-1 \
    	--image-id ami-b01cd9dd \
    	--count 1 \
    	--instance-type m3.large \
    	--key-name MyEC2KeyPair \
    	--security-groups MyEC2SecurityGroup \
    	--placement Tenancy=dedicated
    
  4. The command output should return the new EC2 instance configuration metadata, including the tenancy type under Placement:
    {
        "OwnerId": "123456789012",
        "ReservationId": "r-0356996e1ddbde249",
        "Groups": [],
        "Instances": [
                ...
                "Placement": {
                    "Tenancy": "dedicated",
                    "GroupName": "",
                    "AvailabilityZone": "us-east-1d"
                }
                ...
            }
        ]
    }
    
  5. Dedicated Host - the following command example creates an EC2 instance from an AMI with the ID ami-b01cd9dd, using the host tenancy model (physically isolated hardware environment with control over placement at the host level):
    aws ec2 run-instances \
    	--region us-east-1 \
    	--image-id ami-b01cd9dd \
    	--count 1 \
    	--instance-type m3.large \
    	--key-name MyEC2KeyPair \
    	--security-groups MyEC2SecurityGroup \
    	--placement Tenancy=host
    
  6. The command output should return the new EC2 instance configuration metadata, including the tenancy type under Placement:
    {
        "OwnerId": "123456789012",
        "ReservationId": "r-01f79c9143d17f8c6",
        "Groups": [],
        "Instances": [
                ...
                "Placement": {
                    "Tenancy": "host",
                    "GroupName": "",
                    "AvailabilityZone": "us-east-1d"
                }
                ...
            }
        ]
    }
    

06 Transfer the Elastic IP from the old EC2 instance to the new EC2 instance in order to reference the new one. To transfer the Elastic IP, perform the following commands:

  1. Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the old EC2 instance:
    aws ec2 disassociate-address \
    	--association-id eipassoc-50efe4ca9
    
  2. Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new EC2 instance (use the InstanceId returned by the run-instances command at step no. 5, not the ID of the old instance):
    aws ec2 associate-address \
    	--instance-id <new-instance-id> \
    	--allocation-id eipalloc-50efe4ca9
    

07 Once you have verified and tested your new EC2 instance, you should terminate the old instance to stop incurring charges for the resource. To terminate the old EC2 instance, run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:

aws ec2 terminate-instances \
	--instance-ids i-07e1142902ec19a44

08 The command output should return the shutdown request metadata:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-07e1142902ec19a44",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}
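The CLI remediation above is a fixed sequence whose inputs come from the earlier steps: the [KeyName, InstanceType, SecurityGroups] metadata from step 02, the AMI ID from step 04, and the tenancy chosen at step 05. The following script is an added example (not the page's or Cloud Conformity's own code) that assembles that sequence from those inputs, validates the tenancy value, and inserts a wait for the AMI to become available before run-instances is issued, which the page's steps leave implicit. It departs from the page in one detail: it passes security groups by ID with --security-group-ids (valid for VPC instances) rather than by name. The metadata and IDs embedded at the bottom are the page's sample values, and the new instance ID for the Elastic IP transfer is a placeholder because it is only known once run-instances has returned.

```python
"""Build the aws CLI command sequence that re-launches an EC2 instance under a chosen tenancy (added example)."""
import shlex

# Values accepted by run-instances --placement Tenancy=...
VALID_TENANCY = ("default", "dedicated", "host")


def relaunch_plan(region, old_instance_id, metadata, image_id, tenancy):
    """Return the ordered aws CLI commands (argv lists) for steps 05 and 07.

    metadata is the [KeyName, InstanceType, SecurityGroups] list returned by the
    describe-instances query in step 01; image_id is the AMI ID from step 04.
    """
    if tenancy not in VALID_TENANCY:
        raise ValueError(f"tenancy must be one of {VALID_TENANCY}, got {tenancy!r}")
    key_name, instance_type, security_groups = metadata
    group_ids = [group["GroupId"] for group in security_groups]
    if not group_ids:
        raise ValueError("old instance has no security groups to carry over")
    return [
        # Block until the AMI leaves the 'pending' state; run-instances rejects a pending image.
        ["aws", "ec2", "wait", "image-available", "--image-ids", image_id, "--region", region],
        # Re-launch with the same type, key pair and security groups, changing only the tenancy.
        ["aws", "ec2", "run-instances",
         "--image-id", image_id, "--count", "1",
         "--instance-type", instance_type, "--key-name", key_name,
         "--security-group-ids", *group_ids,
         "--placement", f"Tenancy={tenancy}",
         "--region", region],
        # Runs last: the old instance is terminated only after the new one has been verified.
        ["aws", "ec2", "terminate-instances", "--instance-ids", old_instance_id, "--region", region],
    ]


def eip_transfer_plan(new_instance_id, association_id, allocation_id, region):
    """Commands for step 06: detach the EIP from the old instance, attach it to the new one."""
    return [
        ["aws", "ec2", "disassociate-address", "--association-id", association_id, "--region", region],
        ["aws", "ec2", "associate-address", "--instance-id", new_instance_id,
         "--allocation-id", allocation_id, "--region", region],
    ]


def render(plan):
    """Render a plan as copy-pasteable shell lines, one command per line."""
    return "\n".join(shlex.join(argv) for argv in plan)


# Sample inputs: the page's example metadata and IDs; <new-instance-id> is a placeholder.
SAMPLE_METADATA = ["MyEC2KeyPair", "m3.large",
                   [{"GroupName": "MyEC2SecurityGroup", "GroupId": "sg-e342c5b9"}]]

if __name__ == "__main__":
    plan = relaunch_plan("us-east-1", "i-07e1142902ec19a44", SAMPLE_METADATA, "ami-b01cd9dd", "dedicated")
    print(render(plan[:2]))  # wait + run-instances
    print(render(eip_transfer_plan("<new-instance-id>", "eipassoc-50efe4ca9", "eipalloc-50efe4ca9", "us-east-1")))
    print(render(plan[2:]))  # terminate the old instance last
```

The plan is deliberately data, not executed: review the rendered commands, run the wait and run-instances lines, capture the new InstanceId from the output, substitute it into the EIP transfer, and only then run terminate-instances. Passing an invalid tenancy such as "shared" raises before any command is produced.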

Publication date Jun 14, 2016