Review AWS EC2 Dedicated Instances

Cost optimisation

Ensure that all Amazon EC2 dedicated instances provisioned within your AWS account are regularly reviewed for cost optimization. Dedicated instances are EC2 compute resources which run on single-tenant hardware (i.e. physically isolated at the host level).

This rule resolution is part of the Cloud Conformity Cost Optimisation Package

Since dedicated instances are physically isolated at the host hardware level from instances provisioned in other AWS accounts, they are more expensive than instances running in the shared (default) tenancy environment. For example, if you provision a c4.xlarge shared EC2 instance in the US-East (N. Virginia) region instead of a dedicated c4.xlarge instance, you can save roughly $15 per month (as of March 2017).

Audit

To identify the running AWS EC2 dedicated instances available in your AWS account for review purposes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 On the EC2 Instances listing page, click inside the attributes filter box located under the dashboard top menu, choose the Tenancy parameter from the dropdown list and select the Dedicated – Run a Dedicated instance option. To search for active dedicated instances only, use the filter box again, choose Instance State then select Running. This filtering method will help you find and review all active EC2 dedicated instances provisioned within the current AWS region. If no instances matching your filter criteria are found, there are no dedicated instances currently running in the selected region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) with the predefined filters below to list the IDs of all running EC2 dedicated instances in the selected region:

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=tenancy,Values=dedicated" "Name=instance-state-name,Values=running" \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested EC2 resource IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-04d1a383a116d57ad  |
|  i-04b1691e53b157b38  |
|  i-0a1cdfa00d01f7c05  |
+-----------------------+

03 Run the describe-instances command (OSX/Linux/UNIX) again, this time using an instance ID returned at the previous step as the identifier, to describe the configuration information required to review the selected dedicated EC2 instance:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-04d1a383a116d57ad

04 The command output should return the dedicated instance metadata, required for review purposes:

{
    "Reservations": [
        {
            "OwnerId": "123456789012",
            "ReservationId": "r-0952e3897120734a8",
            "Groups": [],
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "EbsOptimized": false,
                    "LaunchTime": "2017-02-11T10:40:34.000Z",
                    "PublicIpAddress": "52.90.124.74",
                    "PrivateIpAddress": "172.31.47.31",
                    "ProductCodes": [],
                    "VpcId": "vpc-3b4944f8",
                    "StateTransitionReason": "",
                    "InstanceId": "i-04d1a383a116d57ad",
                    "EnaSupport": true,
                    "ImageId": "ami-0b23c91d",
                    "PrivateDnsName": "ip-172-31-47-31.ec2.internal",
                    "KeyName": "ssh-key",

                    ...

                    "SourceDestCheck": true,
                    "Placement": {
                        "Tenancy": "dedicated",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1d"
                    },
                    "Hypervisor": "xen",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/xvda",
                            "Ebs": {
                                "Status": "attached",
                                "DeleteOnTermination": true,
                                "VolumeId": "vol-049df07b014dc5ab7",
                                "AttachTime": "2017-02-11T11:40:34.000Z"
                            }
                        }
                    ],
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

05 Repeat steps no. 3 and 4 to verify the configuration information (metadata) for the other EC2 dedicated instances available in the current region.

06 Repeat steps no. 1 – 5 to perform the entire audit process for other AWS regions.
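The audit steps above are repeated by hand for every region. The following added example (not Cloud Conformity's code) does the same scan in one pass: it runs the describe-instances command with the same two filters for each region and applies the dedicated/running check client-side as well, so the result does not depend on the filters alone. The live scan (run_scan) assumes the aws CLI is installed and credentials are configured; the filtering function (dedicated_running) is pure and is shown here on a constructed describe-instances payload whose instance IDs are made up.

```python
"""Added example: list running EC2 dedicated instances across all regions.

Not part of the Cloud Conformity rule page. run_scan() assumes a working
`aws` CLI with credentials; dedicated_running() works offline.
"""
import json
import subprocess

# Constructed sample shaped like `aws ec2 describe-instances --output json`.
# Instance IDs and availability zones are made up for the example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0000000000000aaaa", "InstanceType": "m3.medium",
             "State": {"Name": "running"},
             "Placement": {"Tenancy": "dedicated", "AvailabilityZone": "us-east-1d"}},
            {"InstanceId": "i-0000000000000bbbb", "InstanceType": "c4.xlarge",
             "State": {"Name": "stopped"},
             "Placement": {"Tenancy": "dedicated", "AvailabilityZone": "us-east-1a"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0000000000000cccc", "InstanceType": "t2.micro",
             "State": {"Name": "running"},
             "Placement": {"Tenancy": "default", "AvailabilityZone": "us-east-1b"}},
        ]},
    ]
})


def dedicated_running(describe_output_json):
    """Return [(InstanceId, InstanceType, AvailabilityZone)] for every instance
    whose Placement.Tenancy is 'dedicated' and whose state is 'running'.

    This is the same condition as the two --filters in the audit command,
    applied client-side to the JSON the command returns.
    """
    data = json.loads(describe_output_json)
    found = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            placement = inst.get("Placement", {})
            state = inst.get("State", {}).get("Name")
            if placement.get("Tenancy") == "dedicated" and state == "running":
                found.append((inst["InstanceId"],
                              inst.get("InstanceType", "?"),
                              placement.get("AvailabilityZone", "?")))
    return found


def aws_json(args):
    """Run one aws CLI command and return its JSON output as a string."""
    completed = subprocess.run(["aws", *args, "--output", "json"],
                               check=True, capture_output=True, text=True)
    return completed.stdout


def run_scan(regions=None):
    """Audit steps 01-06 for every region: {region: [(id, type, az), ...]}."""
    if regions is None:
        regions_doc = json.loads(aws_json(["ec2", "describe-regions",
                                           "--region", "us-east-1"]))
        regions = [r["RegionName"] for r in regions_doc["Regions"]]
    report = {}
    for region in regions:
        out = aws_json(["ec2", "describe-instances", "--region", region,
                        "--filters", "Name=tenancy,Values=dedicated",
                        "Name=instance-state-name,Values=running"])
        report[region] = dedicated_running(out)
    return report


if __name__ == "__main__":
    for region, instances in run_scan().items():
        for instance_id, instance_type, az in instances:
            print(f"{region}\t{instance_id}\t{instance_type}\t{az}")
```

Any region that prints nothing has no running dedicated instances, which is the same outcome as an empty table in step 02 above.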

Remediation / Resolution

Case A: Migrate your running EC2 dedicated instances to the default (shared) tenancy to reduce your monthly AWS EC2 usage costs. To re-launch your instances using the default tenancy, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 Create an image (AMI) from the existing dedicated EC2 instance. To build the required Amazon Machine Image (AMI), perform the following actions:

  1. In the navigation panel, under INSTANCES section, choose Instances.
  2. Select the dedicated instance that you want to re-launch under a different tenancy model.
  3. Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.
  4. Inside Create Image dialog box, provide the following information:
    • Enter a name for the new AMI in the Image Name box.
    • In the Image description box, provide a description that reflects the usage of the EC2 image.
    • Leave the No reboot option unchecked so that AWS can guarantee the file system integrity of the new AMI.
  5. Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The image creation may take a few minutes. Once the process is complete, the image status should change from pending to available.

04 Once the AMI is ready for use, re-launch the selected EC2 instance with the default (shared) tenancy type. To launch the instance, perform the following actions:

  • In the navigation panel, under INSTANCES section, select Instances.
  • Click Launch Instance button from the EC2 dashboard top menu to initiate the process.
  • On the Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the AMI created at step no. 3.
  • On the Choose an Instance Type page, select the same instance type used by the dedicated resource then click Next: Configure Instance Details button.
  • On the Configure Instance Details page, select Shared – Run a shared hardware instance from the Tenancy dropdown list to deploy your new instance in a logically isolated hardware environment in order to reduce your EC2 service usage fees. Configure the other features and options available on the page based on your running EC2 dedicated instance configuration.
  • Click Next: Add Storage and go through the next pages without changing any configuration options until you reach the Configure Security Group page.
  • On the Configure Security Group page, choose Select an existing security group and select the existing dedicated instance security group. Click the Review and Launch button, review your instance configuration details then click Launch.
  • In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the running dedicated instance. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.
  • Click View Instances to return to the Instances page. The new instance will have the same data and configuration as the original EC2 instance, except the tenancy model used – shared.

05 Once you have tested the new EC2 instance provisioned within the shared (default) hardware environment, you can transfer the Elastic IP (EIP) from the dedicated instance to the new instance so that existing references resolve to the new instance. If the original instance does not have an AWS EIP attached, you will have to update the domain DNS record(s) or any other application references to switch to the new instance IP. To transfer any existing Elastic IP, perform the following:

  1. In the navigation panel, under NETWORK & SECURITY section, select Elastic IPs.
  2. Select the EIP address attached to the dedicated (original) instance, click the Actions dropdown button then select Disassociate Address.
  3. In the Disassociate Address dialog box, review the details then click Yes, Disassociate.
  4. Select the same address, disassociated in the previous step, click the Actions dropdown button then select Associate Address.
  5. In the Associate Address dialog box, select the new EC2 instance created at step no. 4 from the Instance dropdown list and then click Associate to attach the EIP.

06 Now that the new shared-tenancy instance is running, it is safe to terminate the dedicated one in order to stop incurring charges for it. To shut down the instance, perform the following:

  1. In the navigation panel, under INSTANCES section, select Instances.
  2. Select the EC2 dedicated instance that you want to terminate.
  3. Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
  4. In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

07 Repeat steps no. 3 – 6 to convert the tenancy type for other EC2 dedicated instances available in the current region.

08 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) to list the selected EC2 dedicated instance configuration information (metadata). The metadata will be needed later, when the instance is recreated within a different hardware environment:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-04d1a383a116d57ad \
	--query 'Reservations[*].Instances[*].[KeyName,InstanceType,SecurityGroups]'

02 The command output should return the running EC2 instance metadata requested:

[
    "ssh-key",
    "m3.medium",
    [
        {
            "GroupName": "cc-app-server-sg",
            "GroupId": "sg-b581c5e0"
        }
    ]
]

03 Run the create-image command (OSX/Linux/UNIX) to create an image from your existing dedicated instance. Keep the default reboot behaviour (the --reboot parameter, i.e. do not pass --no-reboot) so that the instance is shut down while the image is taken and the file system integrity of the new AMI is guaranteed, matching the console step above:

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-04d1a383a116d57ad \
	--name "EC2 Dedicated Instance AMI" \
	--description "App Server AMI ver. 1.6 (Dedicated Tenancy)" \
	--reboot

04 The command output should return the new Amazon Machine Image (AMI) ID:

{
    "ImageId": "ami-e36cd815"
}

05 Run the run-instances command (OSX/Linux/UNIX) to launch the new EC2 instance from the image created at the previous step, using the shared (default) tenancy model. Because the original instance lives in a VPC (see VpcId in its metadata), pass the security group by ID with --security-group-ids rather than by name:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-e36cd815 \
	--count 1 \
	--instance-type m3.medium \
	--key-name ssh-key \
	--security-group-ids sg-b581c5e0 \
	--placement Tenancy=default

06 The command output should return the new EC2 instance metadata, including the tenancy type information under Placement:

{
    "Reservations": [
        {
            "OwnerId": "123456789012",
            "ReservationId": "r-55e1e38971207b2861",
            "Groups": [],
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "VpcId": "vpc-3b4944f8",
                    "KeyName": "ssh-key",

                    ...


                    "Placement": {
                        "Tenancy": "default",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1d"
                    },

                    ...

                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

07 Transfer the Elastic IP from the original (dedicated) EC2 instance to the new instance so that existing references resolve to the new one. To transfer the Elastic IP, run the following commands:

  1. Run the disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the dedicated EC2 instance:

    aws ec2 disassociate-address \
    	--association-id eipassoc-40efab8d1

  2. Run the associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new instance:

    aws ec2 associate-address \
    	--instance-id i-0b90156802ec19a45 \
    	--allocation-id eipalloc-40efab8d1

08 Once the new shared-tenancy EC2 instance has been verified and tested, you should terminate the dedicated one to stop incurring charges for it. To terminate the dedicated instance, run the terminate-instances command (OSX/Linux/UNIX) using the instance ID as the identifier:

aws ec2 terminate-instances \
	--instance-ids i-04d1a383a116d57ad

09 The command output should return the shutdown request metadata:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-04d1a383a116d57ad",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

10 Repeat steps no. 1 – 9 to change the tenancy type for other EC2 dedicated instances available in the current region.

11 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
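The CLI steps above carry the dedicated instance's metadata (key pair, instance type, security group) by hand into the run-instances command, and the only confirmation that the replacement really is shared-tenancy is a visual check of the output before the dedicated instance is terminated. The following added example (not Cloud Conformity's code) automates both: it derives the run-instances argument list from the Instance object returned by describe-instances, and it refuses to report the old instance as safe to terminate unless the new instance's Placement.Tenancy is "default". The instance, key, image and security group values come from the page's own sample output; the SubnetId is a constructed placeholder, and the run-instances output is a constructed sample.

```python
"""Added example: build the shared-tenancy run-instances call from the
dedicated instance's metadata and verify the replacement before terminating.

Not part of the Cloud Conformity rule page. IDs marked 'constructed' are
placeholders; the rest are the page's sample values.
"""
import json
import shlex

# The Instance object returned by `describe-instances --instance-ids ...`
# for the dedicated instance (page values; SubnetId is constructed).
DEDICATED_INSTANCE = {
    "InstanceId": "i-04d1a383a116d57ad",
    "InstanceType": "m3.medium",
    "KeyName": "ssh-key",
    "VpcId": "vpc-3b4944f8",
    "SubnetId": "subnet-0000example",   # constructed placeholder
    "SecurityGroups": [{"GroupName": "cc-app-server-sg", "GroupId": "sg-b581c5e0"}],
    "Placement": {"Tenancy": "dedicated", "GroupName": "", "AvailabilityZone": "us-east-1d"},
}

# Constructed sample of `run-instances` output for the replacement instance.
NEW_INSTANCE_OUTPUT = json.dumps({
    "ReservationId": "r-00000000000000000",   # constructed
    "Instances": [{
        "InstanceId": "i-0b90156802ec19a45",
        "State": {"Code": 0, "Name": "pending"},
        "Placement": {"Tenancy": "default", "GroupName": "", "AvailabilityZone": "us-east-1d"},
    }],
})

# The same shape for the dedicated instance, to show the check rejecting it.
OLD_INSTANCE_OUTPUT = json.dumps({"Instances": [DEDICATED_INSTANCE]})


def relaunch_args(instance, image_id, region):
    """Argument list for `aws ec2 run-instances` that recreates `instance`
    from `image_id` under default (shared) tenancy.

    Security groups are passed by ID (--security-group-ids), which is what a
    VPC instance requires, and the original subnet is pinned so the
    replacement lands in the same network as the dedicated instance.
    """
    args = ["ec2", "run-instances", "--region", region,
            "--image-id", image_id, "--count", "1",
            "--instance-type", instance["InstanceType"],
            "--placement", "Tenancy=default"]
    if instance.get("KeyName"):
        args += ["--key-name", instance["KeyName"]]
    group_ids = [g["GroupId"] for g in instance.get("SecurityGroups", [])]
    if group_ids:
        args += ["--security-group-ids", *group_ids]
    if instance.get("SubnetId"):
        args += ["--subnet-id", instance["SubnetId"]]
    return args


def as_command(args):
    """Render the argument list as the shell command a person would type."""
    return "aws " + shlex.join(args)


def tenancy_of(run_instances_output_json):
    """Placement.Tenancy of the single instance in run-instances output.

    Accepts both the bare reservation that run-instances returns and the
    Reservations-wrapped form that describe-instances returns.
    """
    data = json.loads(run_instances_output_json)
    reservations = data.get("Reservations") or [data]
    instances = [i for r in reservations for i in r.get("Instances", [])]
    if len(instances) != 1:
        raise ValueError(f"expected exactly one instance, got {len(instances)}")
    return instances[0]["Placement"]["Tenancy"]


def safe_to_terminate_original(run_instances_output_json):
    """True only when the replacement really runs under shared tenancy."""
    return tenancy_of(run_instances_output_json) == "default"


if __name__ == "__main__":
    print(as_command(relaunch_args(DEDICATED_INSTANCE, "ami-e36cd815", "us-east-1")))
    print("replacement tenancy:", tenancy_of(NEW_INSTANCE_OUTPUT))
    print("safe to terminate original:", safe_to_terminate_original(NEW_INSTANCE_OUTPUT))
```

Feeding the real run-instances output into safe_to_terminate_original before running terminate-instances turns the visual inspection of step 06 into a hard gate, so a replacement accidentally launched with the wrong tenancy is never the reason the dedicated instance gets terminated.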

Case B: Maintain the current tenancy configuration for your EC2 dedicated instances. In this case your EC2 instances are dedicated by design (e.g. they must comply with your organization's regulatory security requirements).

Publication date Mar 13, 2017