Idle AWS EC2 Instances


Identify any Amazon EC2 instances that appear to be idle and stop or terminate them to help lower the cost of your monthly AWS bill. By default, an EC2 instance is considered 'idle' when it meets the following criteria (to declare the instance 'idle' both conditions must be true):

  • The average CPU Utilization has been less than 2% for the last 7 days.
  • The average Network I/O has been less than 5 MB for the last 7 days.

Note 1: For this rule Cloud Conformity assumes that your EC2 instances are tagged with 'Role' and 'Owner' tags which provide visibility into their usage profile and help you decide whether or not it's safe to stop or terminate these resources. Knowing the role and the owner of an EC2 instance before you decide to stop/terminate it is very important because, for example, a CPU utilization of less than 2% for a 48 hour period may mean that the instance is idle or not being used at all.
Note 2: You can change the default threshold for this rule on the Cloud Conformity console and set your own values for CPU and Network I/O usage, and the preferred number of days for each condition, to define what counts as idle. The console also provides information about each EC2 instance marked as idle such as region, ID, instance type, launch time, operating system, tags and more to help you decide whether to stop or terminate the instance.

This rule resolution is part of the Cloud Conformity Cost Optimisation Package

Idle instances represent a good candidate to reduce your monthly AWS costs and avoid accumulating unnecessary EC2 usage charges.

Audit

To identify any idle EC2 instances currently available in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine.

05 Select the Monitoring tab from the dashboard bottom panel.

06 Within the CloudWatch metrics section, perform the following actions:

  1. Click on the CPU Utilization (Percent) usage graph thumbnail to open the instance CPU usage details box. Inside the CloudWatch Monitoring Details dialog box, set the following parameters:
    • From the Statistic dropdown list, select Average.
    • From the Time Range list, select Last 1 Week.
    • From the Period dropdown list, select 1 Hour.
    Once the monitoring data is loaded, verify the instance CPU usage for the last 7 days. If the average usage (percent) has been less than 2%, the selected EC2 instance qualifies as a candidate for an idle instance. Click Close to return to the dashboard.
  2. Click on the Network In (Bytes) usage graph thumbnail to open the instance network usage details box. Inside the CloudWatch Monitoring Details dialog box, set the following parameters:
    • From the Statistic dropdown list, select Average.
    • From the Time Range list, select Last 1 Week.
    • From the Period dropdown list, select 1 Hour.
    Once the monitoring data is loaded, verify the incoming network traffic for the last 7 days. If the average traffic has been less than 5 MB, the selected EC2 instance qualifies as a candidate for an idle instance. Click Close to exit.
  3. Click on the Network Out (Bytes) usage graph thumbnail to open the instance network usage details box. Inside the CloudWatch Monitoring Details dialog box, set the following parameters:
    • From the Statistic dropdown list, select Average.
    • From the Time Range list, select Last 1 Week.
    • From the Period dropdown list, select 1 Hour.
    Once the monitoring data is loaded, verify the outgoing network traffic for the last 7 days. If the average traffic has been less than 5 MB, the selected EC2 instance qualifies as a candidate for an idle instance. Click Close to exit and return to the EC2 dashboard.

07 Now determine the selected instance role within the stack and its owner by checking the Role and Owner tags values assigned to the EC2 instance in order to decide whether it's safe or not to stop/terminate the resource. To check for the necessary tags, perform the following:

  1. Select the Tags tab from the dashboard bottom panel.
  2. Verify the required tags and their values:
    • Check the Role tag value, available in the Value column, or any Role-like tag value that can provide information about the usage profile of the instance (e.g. legacy-webapp-test-server) in order to decide whether or not the resource can be stopped/terminated.
    • Check the Owner tag value, available in the Value column, or any Owner-like tag value that can provide the contact information (name, email, phone number) of the resource owner in order to get confirmation on whether or not to stop/terminate the selected EC2 instance.
    If all conditions outlined at step no. 6 (6.1, 6.2 and 6.3) and step no. 7 are met, the selected EC2 instance is considered "idle" and can be shut down or terminated in order to stop incurring charges for this resource.

08 Repeat steps no. 4 – 7 to verify the CPU usage, the Network In/Out traffic and the role for the rest of the EC2 instances provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all the existing EC2 instances available in the selected region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-07a371cacb4f19acd  |
|  i-08c5346e06d9425e7  |
|  i-0b3cdfa00d01f7d0c  |
+-----------------------+

03 Run get-metric-statistics command (OSX/Linux/UNIX) to get the statistics recorded by AWS CloudWatch for the CPUUtilization metric representing the CPU usage of the selected EC2 instance. Change the --start-time (start recording date) and --end-time (stop recording date) parameter values to choose your own time frame for recording the resource CPU usage. Also, set the --period parameter value based on your requirements to define the granularity - in seconds - of the returned datapoints. A period can be as short as one minute (60 seconds) or as long as one day (86400 seconds). The following command example returns the average CPU usage of the EC2 instance identified by the ID i-07a371cacb4f19acd, with usage data captured over a 7-day period (set by the --start-time and --end-time command parameters) and a 1-hour period as the granularity of the returned datapoints (set by the --period parameter):

aws cloudwatch get-metric-statistics \
	--region us-east-1 \
	--metric-name CPUUtilization \
	--start-time 2016-10-04T13:16:00 \
	--end-time 2016-10-11T13:16:00 \
	--period 3600 \
	--namespace AWS/EC2 \
	--statistics Average \
	--dimensions Name=InstanceId,Value=i-07a371cacb4f19acd

04 The command output should return the CPU usage details requested:

{
    "Datapoints": [
        {
            "Timestamp": "2016-10-04T13:16:00Z",
            "Average": 0.2085,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2016-10-04T14:16:00Z",
            "Average": 0.033499999999999995,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2016-10-04T15:16:00Z",
            "Average": 0.10425,
            "Unit": "Percent"
        },

        ...

        {
            "Timestamp": "2016-10-11T10:16:00Z",
            "Average": 0.030999999999999993,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2016-10-11T11:16:00Z",
            "Average": 0.02833333333333333,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2016-10-11T12:16:00Z",
            "Average": 0.02783333333333333,
            "Unit": "Percent"
        }
    ],
    "Label": "CPUUtilization"
}

If the average CPU usage data returned is less than 2%, the selected EC2 instance qualifies as a candidate for an idle instance.

05 Run get-metric-statistics command (OSX/Linux/UNIX) again to get the statistics recorded by AWS CloudWatch for the NetworkIn metric representing the incoming network traffic for the selected EC2 instance. The following command example returns the average incoming network traffic received by the EC2 instance identified by the ID i-07a371cacb4f19acd, with usage data captured over a 7-day period (set by the --start-time and --end-time parameters) and a 1-hour period as the granularity of the returned datapoints (set by the --period parameter):

aws cloudwatch get-metric-statistics \
	--region us-east-1 \
	--metric-name NetworkIn \
	--start-time 2016-10-04T13:16:22 \
	--end-time 2016-10-11T13:16:22 \
	--period 3600 \
	--namespace AWS/EC2 \
	--statistics Average \
	--dimensions Name=InstanceId,Value=i-07a371cacb4f19acd

06 The command output should return the instance network traffic data requested:

{
    "Datapoints": [
        {
            "Timestamp": "2016-10-04T13:16:22Z",
            "Average": 220.0,
            "Unit": "Bytes"
        },
        {
            "Timestamp": "2016-10-04T14:16:22Z",
            "Average": 145.0,
            "Unit": "Bytes"
        },
        {
            "Timestamp": "2016-10-04T15:16:22Z",
            "Average": 292.0,
            "Unit": "Bytes"
        },

        ...

        {
            "Timestamp": "2016-10-11T10:16:22Z",
            "Average": 151.0,
            "Unit": "Bytes"
        },
        {
            "Timestamp": "2016-10-11T11:16:22Z",
            "Average": 430.0,
            "Unit": "Bytes"
        },
        {
            "Timestamp": "2016-10-11T12:16:22Z",
            "Average": 2330.777777777778,
            "Unit": "Bytes"
        }
    ],
    "Label": "NetworkIn"
}

If the average incoming traffic values returned are less than 5 MB, the selected EC2 instance qualifies as a candidate for an idle instance.

07 Run get-metric-statistics command (OSX/Linux/UNIX) to get the statistics recorded by AWS CloudWatch for the NetworkOut metric representing the outgoing network traffic for the selected EC2 instance. The following command example returns the average outgoing network traffic sent by the EC2 instance identified by the ID i-07a371cacb4f19acd, with usage data captured over a 7-day period (set by the --start-time and --end-time parameters) and a 1-hour period as the granularity of the returned datapoints (set by the --period parameter):

aws cloudwatch get-metric-statistics \
	--region us-east-1 \
	--metric-name NetworkOut \
	--start-time 2016-10-04T13:16:58 \
	--end-time 2016-10-11T13:16:58 \
	--period 3600 \
	--namespace AWS/EC2 \
	--statistics Average \
	--dimensions Name=InstanceId,Value=i-07a371cacb4f19acd

08 The command output should return the instance network traffic data requested:

{
    "Datapoints": [
        {
            "Timestamp": "2016-10-04T13:16:58Z",
            "Average": 148.65,
            "Unit": "Bytes"
        },
        {
            "Timestamp": "2016-10-04T14:16:58Z",
            "Average": 91.63333333333334,
            "Unit": "Bytes"
        },
        {
            "Timestamp": "2016-10-04T15:16:58Z",
            "Average": 214.96666666666667,
            "Unit": "Bytes"
        },

        ...

        {
            "Timestamp": "2016-10-11T10:16:58Z",
            "Average": 96.83333333333333,
            "Unit": "Bytes"
        },
        {
            "Timestamp": "2016-10-11T11:16:58Z",
            "Average": 325.96666666666664,
            "Unit": "Bytes"
        },
        {
            "Timestamp": "2016-10-11T13:12:58Z",
            "Average": 2656.488888888889,
            "Unit": "Bytes"
        }
    ],
    "Label": "NetworkOut"
}

If the average outgoing traffic values returned are less than 5 MB, the selected EC2 instance qualifies as a candidate for an idle instance.

09 Run describe-tags command (OSX/Linux/UNIX) to describe the tags for the selected EC2 instance.

aws ec2 describe-tags \
	--region us-east-1 \
	--filters "Name=resource-id,Values=i-07a371cacb4f19acd"

10 The command output should return the tags (key-value pairs) applied to the instance. The Role and Owner tags returned and their values can be used to determine the resource role within the application stack and to contact its owner for more information in order to decide whether or not the EC2 instance can be stopped/terminated:

{
    "Tags": [
        {
            "ResourceType": "instance",
            "ResourceId": "i-07a371cacb4f19acd",
            "Value": "ops@cloudconformity.com",
            "Key": "Owner"
        },
        {
            "ResourceType": "instance",
            "ResourceId": "i-07a371cacb4f19acd",
            "Value": "legacy-webapp-ver1.9",
            "Key": "Name"
        },
        {
            "ResourceType": "instance",
            "ResourceId": "i-07a371cacb4f19acd",
            "Value": "legacy-webapp-test-server",
            "Key": "Role"
        }
    ]
}

If the data returned at steps no. 3 - 10 satisfies the conditions set by the conformity rule (instance role, instance owner, CPU and Network In + Network Out usage), the selected EC2 instance is considered "idle" and can be stopped or terminated in order to reduce AWS EC2 usage costs.

11 Repeat steps no. 3 - 10 to verify the CPU usage, the Network In/Out traffic and the role for the rest of the EC2 instances provisioned in the current region.

12 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 11 to perform the audit process for other regions.
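
The CLI audit above leaves the threshold comparison to the reader. The following added example (not Cloud Conformity's code) applies the rule's default conditions to the JSON printed by the get-metric-statistics and describe-tags commands, including the Role/Owner tag check from Note 1. It assumes that 5 MB means 5 MiB, and it treats an instance that returned no datapoints (for example, one that was stopped for the whole window) as "no data" rather than idle; the sample outputs are constructed and trimmed to three datapoints each.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Default thresholds from the rule text; the console lets you change them.
CPU_THRESHOLD_PERCENT = 2.0
NETWORK_THRESHOLD_BYTES = 5 * 1024 * 1024  # 5 MB (assumed to mean 5 MiB)


def mean_of_datapoints(metric_json: str) -> Optional[float]:
    """Average the hourly 'Average' datapoints returned by get-metric-statistics.

    Returns None when CloudWatch returned no datapoints at all: an instance
    that was stopped for the whole window has no data, and 'no data' must
    not be mistaken for 'idle'.
    """
    points = json.loads(metric_json).get("Datapoints", [])
    if not points:
        return None
    return sum(p["Average"] for p in points) / len(points)


def tag_value(tags_json: str, key: str) -> Optional[str]:
    """Look up one tag key in the output of describe-tags."""
    for tag in json.loads(tags_json).get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


@dataclass
class IdleReport:
    instance_id: str
    cpu_avg: Optional[float]
    net_in_avg: Optional[float]
    net_out_avg: Optional[float]
    role: Optional[str]
    owner: Optional[str]

    @property
    def has_metrics(self) -> bool:
        return None not in (self.cpu_avg, self.net_in_avg, self.net_out_avg)

    @property
    def idle(self) -> bool:
        """Both rule conditions: CPU < 2% and NetworkIn/NetworkOut < 5 MB."""
        return (self.has_metrics
                and self.cpu_avg < CPU_THRESHOLD_PERCENT
                and self.net_in_avg < NETWORK_THRESHOLD_BYTES
                and self.net_out_avg < NETWORK_THRESHOLD_BYTES)

    @property
    def ready_for_review(self) -> bool:
        """Idle and carrying the Role and Owner tags needed to confirm it."""
        return self.idle and bool(self.role) and bool(self.owner)


def evaluate(instance_id, cpu_json, net_in_json, net_out_json, tags_json) -> IdleReport:
    """Combine the four command outputs for one instance into a report."""
    return IdleReport(
        instance_id=instance_id,
        cpu_avg=mean_of_datapoints(cpu_json),
        net_in_avg=mean_of_datapoints(net_in_json),
        net_out_avg=mean_of_datapoints(net_out_json),
        role=tag_value(tags_json, "Role"),
        owner=tag_value(tags_json, "Owner"),
    )


def _metric(label, unit, averages):
    """Constructed get-metric-statistics output with the given hourly averages."""
    return json.dumps({
        "Label": label,
        "Datapoints": [{"Timestamp": "2016-10-04T%02d:16:00Z" % i,
                        "Average": a, "Unit": unit}
                       for i, a in enumerate(averages)],
    })


# Constructed samples modelled on the command outputs shown above.
SAMPLE_CPU = _metric("CPUUtilization", "Percent", [0.2085, 0.0335, 0.10425])
SAMPLE_NET_IN = _metric("NetworkIn", "Bytes", [220.0, 145.0, 292.0])
SAMPLE_NET_OUT = _metric("NetworkOut", "Bytes", [148.65, 91.63, 214.97])
SAMPLE_TAGS = json.dumps({"Tags": [
    {"ResourceType": "instance", "ResourceId": "i-07a371cacb4f19acd",
     "Key": "Owner", "Value": "ops@cloudconformity.com"},
    {"ResourceType": "instance", "ResourceId": "i-07a371cacb4f19acd",
     "Key": "Role", "Value": "legacy-webapp-test-server"},
]})
BUSY_CPU = _metric("CPUUtilization", "Percent", [35.0, 41.5, 28.2])
NO_DATA = _metric("CPUUtilization", "Percent", [])

if __name__ == "__main__":
    for report in (
        evaluate("i-07a371cacb4f19acd", SAMPLE_CPU, SAMPLE_NET_IN, SAMPLE_NET_OUT, SAMPLE_TAGS),
        evaluate("i-busy", BUSY_CPU, SAMPLE_NET_IN, SAMPLE_NET_OUT, SAMPLE_TAGS),
        evaluate("i-stopped", NO_DATA, NO_DATA, NO_DATA, SAMPLE_TAGS),
    ):
        status = "idle" if report.idle else "not idle"
        print(report.instance_id, status, "" if report.has_metrics else "(no metrics)")
```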

Remediation / Resolution

Option 1: stop or terminate the idle instances. To stop/terminate any AWS EC2 instances that are currently running idle, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the idle EC2 instance that you want to stop or terminate (see Audit section part I to identify the right resource).

05 Based on the instance attachment to an AWS Auto Scaling Group (ASG), choose one of the following sets of instructions:

  1. To stop/terminate an EC2 instance that is not running within an AWS ASG, click the Actions dropdown button from the dashboard top menu, select Instance State and choose one of the following options:
    • To stop the instance click Stop. In the Stop Instances dialog box, review the instance details then click Yes, Stop to confirm your action. The resource status should change to stopping and then to stopped as the shutdown process progresses.
    • To terminate the instance click Terminate. In the Terminate Instances dialog box, review the instance details then click Yes, Terminate to confirm your action. The resource status should change to shutting-down and then to terminated as the removal process progresses.
  2. To stop/terminate an EC2 instance that is currently running within an AWS ASG perform the following:
    • In the navigation panel, under AUTO SCALING, choose Auto Scaling Groups.
    • Select the ASG that holds the idle EC2 instance that you want to stop/terminate.
    • Choose the Instances tab from the dashboard bottom panel and select the right instance.
    • Click on the Actions dropdown button available on the panel then select Detach.
    • In the Detach Instance dialog box, uncheck the Add a new instance to the Auto Scaling group to balance the load option so that the ASG desired capacity is decremented instead of a replacement instance being launched, then click Detach Instance to confirm the action.
    • Once the idle instance is detached from your ASG you will be able to stop or terminate it without triggering a Scale In event for replacing the instance. Now that the EC2 instance is no longer running within an AWS ASG, follow the instructions outlined at step 5.1 (AWS Console) to stop/terminate the resource.

06 Repeat step no. 4 and 5 to stop/terminate any other idle EC2 instances provisioned within the current region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Based on the EC2 instance attachment to an AWS Auto Scaling Group, choose one of the following sets of commands:

  1. To stop/terminate an EC2 instance that is not running within an AWS ASG, perform the following:
    • Run stop-instances command (OSX/Linux/UNIX) using the resource ID as identifier to stop the selected idle EC2 instance:
      aws ec2 stop-instances \
      	--region us-east-1 \
      	--instance-ids i-07a371cacb4f19acd
      
    • The command output should return the shutdown request metadata:
      {
          "StoppingInstances": [
              {
                  "InstanceId": "i-07a371cacb4f19acd",
                  "CurrentState": {
                      "Code": 64,
                      "Name": "stopping"
                  },
                  "PreviousState": {
                      "Code": 16,
                      "Name": "running"
                  }
              }
          ]
      }
      
    • Run terminate-instances command (OSX/Linux/UNIX) using the resource ID as identifier to terminate the selected EC2 instance:
      aws ec2 terminate-instances \
      	--region us-east-1 \
      	--instance-ids i-07a371cacb4f19acd
      
    • The command output should return the terminate request metadata:
      {
          "TerminatingInstances": [
              {
                  "InstanceId": "i-07a371cacb4f19acd",
                  "CurrentState": {
                      "Code": 32,
                      "Name": "shutting-down"
                  },
                  "PreviousState": {
                      "Code": 16,
                      "Name": "running"
                  }
              }
          ]
      }
      
  2. To stop/terminate an EC2 instance that is currently running within an AWS ASG perform the following:
    • Run describe-auto-scaling-instances command (OSX/Linux/UNIX) using the resource ID as identifier and custom query filters to describe the name of the AWS ASG that holds the idle instance (see Audit section part II to identify the right idle resource):
      aws autoscaling describe-auto-scaling-instances \
      	--region us-east-1 \
      	--instance-ids i-07a371cacb4f19acd \
      	--query 'AutoScalingInstances[*].AutoScalingGroupName'
      
    • The command output should return the Auto Scaling Group name requested:
      [
          "MyWebASG"
      ]
      
    • Now run detach-instances command (OSX/Linux/UNIX) to detach the selected EC2 instance from the AWS ASG returned at the previous step. Add the --should-decrement-desired-capacity parameter to decrement the group desired capacity and stop the selected ASG from scaling in:
      aws autoscaling detach-instances \
      	--region us-east-1 \
      	--instance-ids i-07a371cacb4f19acd \
      	--auto-scaling-group-name MyWebASG \
      	--should-decrement-desired-capacity
      
    • The command output should return the metadata for the detach-instances request:
      {
          "Activities": [
              {
                  "Description": "Detaching EC2 instance: i-07a371cacb4f19acd",
                  "AutoScalingGroupName": "MyWebASG",
                  "ActivityId": "7a71a54d-d7bd-4375-8ec9-05b6649ced0f",
                  "Details": "{\"Subnet ID\":\"subnet-19e7cc6f\",\"Availability Zone\":\"us-east-1a\"}",
                  "StartTime": "2016-10-12T09:43:28.336Z",
                  "Progress": 50,
                  "Cause": "At 2016-10-12T09:43:28Z instance i-07a371 ... ",
                  "StatusCode": "InProgress"
              }
          ]
      }
      
    • Once the idle instance is detached from your ASG you will be able to stop or terminate it without triggering a Scale In event that replaces it with a new one. Since the EC2 instance is no longer running within an AWS ASG, follow the instructions outlined at step 1.1 (AWS CLI) to stop/terminate the resource.

02 Repeat step no. 1 to stop/terminate any other idle EC2 instances provisioned within the current region.

03 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Option 2: turn off the idle instances at night. To implement a shutdown/startup routine for your expensive (large or xlarge) AWS EC2 instances that are currently idle, so that they run only during the daytime, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 On the Roles page, click Create New Role to set up a new IAM role that your new instance can assume, by performing the following actions:

  1. In the Role Name field enter a name for the role. Choose a name that will reflect the purpose of the role (e.g. idle-ec2-instance-manager) and click Next Step.
  2. Choose the AWS Service Roles section and then select the Amazon EC2 option.
  3. On the Attach Policy page, select AmazonEC2FullAccess policy and click the Next Step button to continue.
  4. On the Review page, review the role information (name, ARN, etc) and click Create Role to generate the new IAM role.

05 Now that the required IAM role is ready, the next step is to create a t2.micro (free tier eligible) Linux instance to run the necessary CRON jobs to start and stop automatically your idle EC2 instance(s) (i.e. the shutdown/startup routine). To launch the micro instance, perform the following actions:

  1. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the navigation panel, under INSTANCES section, select Instances.
  3. Click the Launch Instance button from the EC2 dashboard top menu to initiate the process.
  4. On the Choose an Amazon Machine Image (AMI) page, choose Quick Start tab then select the Amazon Linux AMI distribution.
  5. On the Choose an Instance Type page, select the t2.micro instance then click Next: Configure Instance Details button.
  6. On the Configure Instance Details page, select the role created at step no. 4 from the IAM role dropdown list and configure any other options available on the page based on your environment requirements.
  7. Click Next: Add Storage and go through the next pages until you reach the Configure Security Group page, leaving the default configuration unchanged.
  8. On the Configure Security Group page, choose Create a new security group and add an SSH inbound rule (port 22) using the Add Rule button.
  9. Click the Review and Launch button, review your instance configuration details then click Launch.
  10. In the Select an existing key pair or create a new key pair dialog box, select Create a new key pair, enter a unique name for your new SSH key in the Key pair name box then click the Download Key Pair button to save the key file on your machine. Once the file is downloaded click Launch Instances to create the instance.
  11. Click View Instances to return to the Instances page.

06 Once the newly created instance is running, use the SSH key downloaded earlier to access the Linux server command line and install the following CRON jobs (replace the instance ID shown, representing the idle instance, with your own values, and set --region to the region of the idle instances, since the instance profile supplies credentials but not a default region). The shutdown/startup routine example outlined below will start up the selected instance at 9AM and will shut it down at 8PM, every day:

0 9 * * * /usr/bin/aws ec2 start-instances --region us-east-1 --instance-ids i-07a371cacb4f19acd
0 20 * * * /usr/bin/aws ec2 stop-instances --region us-east-1 --instance-ids i-07a371cacb4f19acd

07 Repeat step no. 6 to implement the shutdown/startup routine for other idle EC2 instances provisioned within the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 First, create a trust policy for the new IAM role. Make a new policy document called ec2-role-trust-policy.json and paste the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to set up the new IAM role that will be attached to the EC2 instance created to run the necessary shutdown/startup routine for your idle instances:

aws iam create-role \
	--role-name idle-ec2-instance-manager \
	--assume-role-policy-document file://ec2-role-trust-policy.json

03 The command output should return the new IAM role metadata:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "ARADIMVSYYB5CATLQSBTU",
        "CreateDate": "2016-10-12T14:04:37.829Z",
        "RoleName": "idle-ec2-instance-manager",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/idle-ec2-instance-manager"
    }
}

04 Run attach-role-policy command (OSX/Linux/UNIX) to assign the AmazonEC2FullAccess IAM policy to your newly created role. This policy provides full access to your AWS EC2 services and resources. The command does not produce an output:

aws iam attach-role-policy \
	--policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess \
	--role-name idle-ec2-instance-manager
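
Step 4 grants the scheduler role AmazonEC2FullAccess, far more than the two CRON jobs later in this option need, so a compromise of the t2.micro scheduler would hand over control of every EC2 resource in the account. As an added example (not Cloud Conformity's code; the account ID, region and instance IDs are placeholders), the following builds an inline policy scoped to start/stop on the audited instances, which could be attached with aws iam put-role-policy instead of the managed policy, plus a small check that flags wildcard grants in any policy document.

```python
import json
from typing import Dict, List

ACCOUNT_ID = "123456789012"                # placeholder account ID
REGION = "us-east-1"                       # region of the idle instances
IDLE_INSTANCES = ["i-07a371cacb4f19acd"]   # instance IDs found by the audit


def scheduler_policy(account_id: str, region: str, instance_ids: List[str]) -> Dict:
    """Inline policy allowing only Start/Stop on the listed instance ARNs.

    ec2:StartInstances and ec2:StopInstances support instance-level ARNs,
    so nothing else in the account can be started or stopped with this role.
    """
    arns = ["arn:aws:ec2:%s:%s:instance/%s" % (region, account_id, i)
            for i in instance_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "StartStopIdleInstancesOnly",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": arns,
        }],
    }


def _as_list(value) -> List[str]:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def wildcard_findings(policy: Dict) -> List[str]:
    """One finding per Allow statement that uses a wildcard action or resource."""
    findings = []
    for n, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append("statement %d: wildcard action %s" % (n, action))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("statement %d: wildcard resource" % n)
    return findings


# Constructed stand-in with the shape of a broad managed policy; it is not
# the real content of AmazonEC2FullAccess, only what the check should flag.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def policy_document(account_id: str, region: str, instance_ids: List[str]) -> str:
    """JSON text for `aws iam put-role-policy --policy-document file://...`."""
    return json.dumps(scheduler_policy(account_id, region, instance_ids), indent=2)


if __name__ == "__main__":
    print(policy_document(ACCOUNT_ID, REGION, IDLE_INSTANCES))
    print("broad policy findings:", wildcard_findings(BROAD_POLICY))
    print("scoped policy findings:",
          wildcard_findings(scheduler_policy(ACCOUNT_ID, REGION, IDLE_INSTANCES)))
```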

05 Now create a new IAM Instance Profile. An instance profile is a container for the IAM role that is attached to the EC2 instance during the launch process. Run create-instance-profile command (OSX/Linux/UNIX) to create the new instance profile:

aws iam create-instance-profile \
	--region us-east-1 \
	--instance-profile-name EC2-LinuxAMI-Server-Profile

06 The command output should return the newly created IAM Instance Profile metadata:

{
    "InstanceProfile": {
        "InstanceProfileId": "AIPAJH7HIPC6KJHJYJCOS",
        "Roles": [],
        "CreateDate": "2016-10-12T15:49:54.600Z",
        "InstanceProfileName": "EC2-LinuxAMI-Server-Profile",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:instance-profile/
                EC2-LinuxAMI-Server-Profile"
    }
}

07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the role created at step no. 2 with the IAM Instance Profile created at step no. 5 (the command does not return an output):

aws iam add-role-to-instance-profile \
	--role-name idle-ec2-instance-manager \
	--instance-profile-name EC2-LinuxAMI-Server-Profile

08 Now create the Linux EC2 instance dependencies – the 2048-bit RSA key pair and the necessary security group:

  1. Run create-key-pair command (OSX/Linux/UNIX) to set up a new RSA key pair in the selected AWS region:
    aws ec2 create-key-pair \
    	--region us-east-1 \
    	--key-name MyLinuxKeyPair
    
  2. The command output should return the ASCII version of the private key and the key fingerprint. Save the content of your key, listed as the KeyMaterial parameter value, in a .pem file on your machine:
    {
        "KeyMaterial": "-BEGIN RSA PRIVATE KEY- ... -END RSA PRIVATE KEY-",
        "KeyName": "MyLinuxKeyPair",
        "KeyFingerprint": "CO:45:92:4a:5a:06:21 ... cc:22:0f:0e:c9:g4:5e"
    }
    
  3. Run create-security-group command (OSX/Linux/UNIX) to set up the required security group for the new instance:
    aws ec2 create-security-group \
    	--region us-east-1 \
    	--group-name MyLinuxSecurityGroup \
    	--description "Linux Server SG (Allow IN SSH access)" \
    	--vpc-id vpc-2fb56548
    
  4. The command output should return the new security group ID:
    {
        "GroupId": "sg-426b5238"
    }
    
  5. Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the necessary SSH inbound rule (port 22) to the security group created at the previous step (no command output is returned):
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-426b5238 \
    	--protocol tcp \
    	--port 22 \
    	--cidr 56.31.62.96/32
    

09 Now run run-instances command (OSX/Linux/UNIX) to launch the new t2.micro Linux instance that will run the necessary CRON jobs to start and stop automatically your idle EC2 instance(s):

aws ec2 run-instances \
	--region us-east-1 \
	--iam-instance-profile Name=EC2-LinuxAMI-Server-Profile \
	--image-id ami-c481fad3 \
	--count 1 \
	--instance-type t2.micro \
	--key-name MyLinuxKeyPair \
	--security-groups MyLinuxSecurityGroup

10 The command output should return the new EC2 instance configuration metadata:

{
    "OwnerId": "123456789012",
    "ReservationId": "r-0cacc059ed5ba3a61",
    "Groups": [],
    "Instances": [
        {

            "PublicDnsName": "",
            "RootDeviceType": "ebs",
            "State": {
                "Code": 0,
                "Name": "pending"
            },
            "EbsOptimized": false,
            "LaunchTime": "2016-10-12T11:44:32.000Z",

            ...

            "Hypervisor": "xen",
            "BlockDeviceMappings": [],
            "Architecture": "x86_64",
            "StateReason": {
                "Message": "pending",
                "Code": "pending"
            },
            "RootDeviceName": "/dev/xvda",
            "VirtualizationType": "hvm",
            "AmiLaunchIndex": 0
        }
    ]
}

11 Once the new instance is running, use the SSH key created at step no. 8 to access the Linux server command line and install the following CRON jobs (replace the instance ID shown, representing the idle instance, with your own values, and set --region to the region of the idle instances, since the instance profile supplies credentials but not a default region). The shutdown/startup routine example outlined below will start up the selected instance at 9AM and will shut it down at 8PM, every day:

0 9 * * * /usr/bin/aws ec2 start-instances --region us-east-1 --instance-ids i-07a371cacb4f19acd
0 20 * * * /usr/bin/aws ec2 stop-instances --region us-east-1 --instance-ids i-07a371cacb4f19acd

12 Repeat step no. 11 to implement the shutdown/startup routine for other idle EC2 instances provisioned within the current region.

13 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Option 3: stop or terminate automatically the idle instances using AWS CloudWatch alarms. More details about this method can be found on the AWS documentation page.

Note: These CloudWatch alarms can use only the CPU usage (CPUUtilization metric) as input data, therefore the method does not satisfy the conditions set by this conformity rule.

Option 4: disable the rule check. If the selected idle EC2 instance is needed (its role within your application stack/environment is important), you should turn off the conformity rule check for the instance from the Cloud Conformity console.


Publication date Oct 13, 2016