EBS General Purpose SSD

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EBS-007

Ensure that your Amazon EC2 instances are using General Purpose SSD volumes instead of Provisioned IOPS SSD volumes for cost-effective storage that fits a broad range of workloads. Unless you are running mission-critical applications that require more than 10000 IOPS or 160 MiB/s of throughput per EBS volume, it is highly recommended to convert your Provisioned IOPS SSD volumes to General Purpose SSD volumes in order to lower your AWS bill while maintaining the same I/O performance.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation, Sustainability

Using General Purpose (GP) SSD storage instead of Provisioned IOPS (PIOPS) SSD storage for your Amazon EBS volumes is a good strategy for cutting down on AWS costs, because for GP SSDs you only pay for the storage, whereas for PIOPS SSDs you pay for both storage and IOPS. Existing PIOPS-based volumes can be converted to GP volumes by provisioning larger storage, which gives a higher baseline IOPS performance at a lower cost.


Audit

To determine the storage type configured for your Amazon EBS volumes, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, choose Volumes.

04 Select the Amazon EBS volume that you want to examine.

05 Choose the Description tab from the console bottom panel and check the Volume type configuration attribute value. If the Volume type attribute value is set to io1 or io2, the storage type configured for the selected Amazon EBS volume is Provisioned IOPS SSD, therefore the verified EBS volume is not optimized with respect to cost.

06 Repeat steps no. 4 and 5 for each Amazon EBS volume provisioned within the current AWS region.

07 Change the AWS cloud region from the navigation bar and perform the Audit process for other regions.

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) with custom query filters to describe the ID of each Amazon EBS volume provisioned in the selected AWS cloud region:

aws ec2 describe-volumes \
  --region us-east-1 \
  --query 'Volumes[*].VolumeId'

02 The command output should return the requested volume ID(s):

[
    "vol-0abcd1234abcd1234",
    "vol-01234abcd1234abcd",
    "vol-0abcdabcd12341234"
]

03 Run describe-volumes command (OSX/Linux/UNIX) using the ID of the Amazon EBS volume that you want to examine as the identifier parameter and custom query filters to describe the storage type configured for the selected EBS volume:

aws ec2 describe-volumes \
  --region us-east-1 \
  --volume-ids vol-0abcd1234abcd1234 \
  --query 'Volumes[*].VolumeType'

04 The command output should return the storage type used for the specified EBS volume:

[
    "io1"
]

If the describe-volumes command output returns "io1" or "io2", the storage type configured for the selected Amazon EBS volume is Provisioned IOPS (PIOPS) SSD, therefore the verified EBS volume is not optimized with respect to cost.

05 Repeat steps no. 3 and 4 for each Amazon EBS volume available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
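The audit above is done one volume at a time; the following script, an added example that is not Conformity's or AWS's own code, performs the same check offline over the JSON that describe-volumes returns (a constructed sample shaped like the page's output is embedded) and, for each io1/io2 volume it flags, works out the General Purpose configuration that keeps the same IOPS, using the rationale from the Cost optimisation paragraph: gp2 baseline IOPS scale with size, while gp3 carries 3000 baseline IOPS. The gp2/gp3 limits used as constants are AWS's published limits; volumes whose IOPS exceed what gp2/gp3 can deliver are reported as candidates to keep on PIOPS, which is the "mission-critical" exception the rule describes.

```python
"""Offline audit for rule EBS-007 with a gp2/gp3 sizing helper.

Added example, not Conformity's or AWS's own code. It reads the JSON shape
returned by `aws ec2 describe-volumes` (a constructed sample is embedded),
flags io1/io2 volumes, and works out the General Purpose configuration that
keeps each volume's provisioned IOPS. The limits below are the public gp2/gp3
limits documented by AWS; the sample volume IDs are taken from the page.
"""
import json
import math

GP2_IOPS_PER_GIB = 3        # gp2 baseline performance scales with size
GP2_MIN_IOPS = 100          # gp2 floor for small volumes
GP_MAX_IOPS = 16_000        # ceiling for both gp2 and gp3
GP3_BASELINE_IOPS = 3_000   # included with every gp3 volume at no extra cost
GP3_MAX_IOPS_PER_GIB = 500  # gp3 IOPS may not exceed 500 x size in GiB
PIOPS_TYPES = {"io1", "io2"}

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0abcd1234abcd1234", "VolumeType": "io1", "Size": 150,
     "Iops": 4500, "AvailabilityZone": "us-east-1a", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-0abcd1234abcd1234", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-01234abcd1234abcd", "VolumeType": "io2", "Size": 20,
     "Iops": 12000, "AvailabilityZone": "us-east-1a", "Encrypted": False,
     "Attachments": []},
    {"VolumeId": "vol-0abcdabcd12341234", "VolumeType": "io1", "Size": 400,
     "Iops": 32000, "AvailabilityZone": "us-east-1b", "Encrypted": True,
     "Attachments": []},
    {"VolumeId": "vol-0123456789abcdef0", "VolumeType": "gp3", "Size": 100,
     "Iops": 3000, "AvailabilityZone": "us-east-1a", "Encrypted": True,
     "Attachments": []},
]})


def gp2_size_for_iops(iops, current_size):
    """Smallest gp2 size (GiB) whose baseline matches `iops`; None if gp2 cannot."""
    if iops > GP_MAX_IOPS:
        return None
    needed = math.ceil(max(iops, GP2_MIN_IOPS) / GP2_IOPS_PER_GIB)
    return max(needed, current_size)  # a volume restored from a snapshot cannot shrink


def gp3_config_for_iops(iops, current_size):
    """(size_gib, iops) for a gp3 volume matching `iops`; None if out of range."""
    if iops > GP_MAX_IOPS:
        return None
    target_iops = max(iops, GP3_BASELINE_IOPS)   # baseline is free, so never ask for less
    size = max(current_size, math.ceil(target_iops / GP3_MAX_IOPS_PER_GIB))
    return size, target_iops


def audit_volumes(describe_volumes_json):
    """Return one finding per Provisioned IOPS volume in the describe-volumes output."""
    findings = []
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        if vol["VolumeType"] not in PIOPS_TYPES:
            continue                     # gp2/gp3/st1/sc1 volumes are compliant
        iops, size = vol["Iops"], vol["Size"]
        gp2_size = gp2_size_for_iops(iops, size)
        gp3 = gp3_config_for_iops(iops, size)
        findings.append({
            "VolumeId": vol["VolumeId"],
            "VolumeType": vol["VolumeType"],
            "Iops": iops,
            "Size": size,
            "gp2_size_gib": gp2_size,
            "gp3_size_gib": gp3[0] if gp3 else None,
            "gp3_iops": gp3[1] if gp3 else None,
            "status": "convertible" if gp3 else "exceeds gp2/gp3 limits; keep PIOPS",
        })
    return findings


def fetch_describe_volumes(region):
    """Live equivalent of the CLI step: page through describe_volumes with boto3."""
    import boto3  # imported here so the offline audit runs without the SDK
    ec2 = boto3.client("ec2", region_name=region)
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return json.dumps({"Volumes": volumes}, default=str)


if __name__ == "__main__":
    for f in audit_volumes(SAMPLE_DESCRIBE_VOLUMES):
        print(f"{f['VolumeId']} {f['VolumeType']} {f['Iops']} IOPS / {f['Size']} GiB"
              f" -> gp2 {f['gp2_size_gib']} GiB | gp3 {f['gp3_size_gib']} GiB"
              f" @ {f['gp3_iops']} IOPS ({f['status']})")
```

Run it as-is to see the findings for the constructed sample, or replace `SAMPLE_DESCRIBE_VOLUMES` with `fetch_describe_volumes("us-east-1")` to audit a live region (repeat per region, as the CLI steps do). The gp2 column makes the cost trade-off visible: matching 12000 IOPS on gp2 needs a 4000 GiB volume, whereas gp3 matches it on 24 GiB, so gp3 is usually the better target for high-IOPS sources.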

Remediation / Resolution

To convert your Provisioned IOPS SSD volumes to General Purpose SSD volumes, you have to re-create your volumes with the optimal storage configuration. To convert the required Amazon EBS volumes, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Description" : "Create and Attach GP2 EBS Volume",
   "Resources":{
      "GP2EBSVolume" : {
         "Type" : "AWS::EC2::Volume",
         "Properties" : {
            "VolumeType" : "gp2",
            "AvailabilityZone" : "us-east-1a",
            "SnapshotId" : "snap-01234abcd1234abcd"
         }
      },
      "MountPoint" : {
         "Type" : "AWS::EC2::VolumeAttachment",
         "Properties" : {
            "InstanceId" : "i-0abcd1234abcd1234",
            "VolumeId"  : { "Ref" : "GP2EBSVolume" },
            "Device" : "/dev/sdf"
         }
      }
   }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create and Attach GP2 EBS Volume
Resources:
  GP2EBSVolume:
    Type: AWS::EC2::Volume
    Properties:
      VolumeType: gp2
      AvailabilityZone: us-east-1a
      SnapshotId: snap-01234abcd1234abcd
  MountPoint:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      InstanceId: i-0abcd1234abcd1234
      VolumeId:
        Ref: GP2EBSVolume
      Device: "/dev/sdf"

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_ebs_snapshot" "ebs-snapshot" {
  volume_id = "vol-01234abcd1234abcd"
}

resource "aws_ebs_volume" "gp2-ebs-volume" {
  snapshot_id       = aws_ebs_snapshot.ebs-snapshot.id
  type              = "gp2"
  availability_zone = "us-east-1a"
}

resource "aws_volume_attachment" "gp2-volume-attachment" {
  volume_id   = aws_ebs_volume.gp2-ebs-volume.id
  instance_id = "i-0abcd1234abcd1234"
  device_name = "/dev/sdf"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, choose Volumes.

04 Select the Provisioned IOPS SSD volume that you want to convert to General Purpose SSD.

05 Choose the Actions dropdown button from the console top menu and select Create Snapshot.

06 On the Create Snapshot setup page, provide a short description in the Description box, then choose Create Snapshot. Choose Close to return to the Amazon EC2 console.

07 In the navigation panel, under Elastic Block Store, choose Snapshots.

08 Select the newly created EBS volume snapshot, choose Actions, and select Create Volume.

09 On the Create Volume setup page, perform the following actions:

  1. For Volume Type, select General Purpose SSD (gp2) or General Purpose SSD (gp3).
  2. For Size (GiB), enter the size of the EBS volume in GiB. For the General Purpose SSD (gp2) volume type, increase the storage size of the volume to match the IOPS number of the original EBS volume. For the General Purpose SSD (gp3) volume type, type the required IOPS number in the IOPS configuration box.
  3. For Availability Zone, choose the Availability Zone (AZ) in which to deploy the new EBS volume.
  4. (Optional) For Encryption, select Encrypt this volume checkbox to enable encryption at rest for the new volume. For Master Key, choose (default) aws/ebs to use the default master key provided by AWS for EBS data encryption, or select your own Customer Master Key (CMK).
  5. (Optional) To tag your new EBS resource, choose Add Tag.
  6. Choose Create Volume to provision your new Amazon EBS volume. Click Close to return to the Amazon EC2 console.

10 (Optional) To replace the Provisioned IOPS SSD volume with the newly created General Purpose SSD volume within your Amazon EC2 instance configuration, perform the following actions:

  1. In the navigation panel, under Elastic Block Store, choose Volumes.
  2. Select the Provisioned IOPS SSD volume that you want to replace.
  3. Choose the Actions dropdown button from the console top menu and select Detach Volume.
  4. Inside the Detach Volume dialog box, choose Yes, Detach.
  5. Select the newly created General Purpose SSD volume.
  6. Choose the Actions button from the console top menu and select Attach Volume.
  7. In the Attach Volume configuration box, select the ID of the EC2 instance detached at step 3 from the Instance box, provide the device name required for attachment in the Device box, then choose Attach to attach the new Amazon EBS volume.

11 Repeat steps no. 4 – 10 to convert each Provisioned IOPS SSD volume provisioned within the current AWS region.

12 Change the AWS cloud region from the navigation bar and perform the Remediation process for other regions.

Using AWS CLI

01 To convert Provisioned IOPS SSD volumes to General Purpose SSD volumes, you must re-create the volumes that you want to convert. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from the specified Provisioned IOPS SSD volume:

aws ec2 create-snapshot \
  --region us-east-1 \
  --volume-id vol-0abcd1234abcd1234

02 The output should return the create-snapshot command request metadata:

{
    "Description": "",
    "Tags": [],
    "Encrypted": true,
    "VolumeId": "vol-0abcd1234abcd1234",
    "State": "pending",
    "VolumeSize": 150,
    "StartTime": "2021-06-20T11:37:31.000Z",
    "Progress": "",
    "OwnerId": "123456789012",
    "SnapshotId": "snap-0abcd1234abcd1234"
}

03 Run create-volume command (OSX/Linux/UNIX) to provision a new General Purpose SSD volume from the volume snapshot created in the previous step. The following command request example creates a General Purpose SSD (gp3) volume with 150 GiB storage size and 3000 IOPS (default):

aws ec2 create-volume \
  --region us-east-1 \
  --volume-type gp3 \
  --size 150 \
  --iops 3000 \
  --availability-zone us-east-1a \
  --snapshot-id snap-0abcd1234abcd1234 \
  --encrypted

04 The command output should return the metadata available for the new General Purpose SSD volume:

{
    "AvailabilityZone": "us-east-1a",
    "MultiAttachEnabled": false,
    "Tags": [],
    "Encrypted": true,
    "VolumeType": "gp3",
    "VolumeId": "vol-0abcdabcdabcdabcd",
    "State": "creating",
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "SnapshotId": "snap-0abcd1234abcd1234",
    "Iops": 3000,
    "CreateTime": "2021-06-28T11:00:00.000Z",
    "Size": 150
}

05 (Optional) To replace the Provisioned IOPS SSD volume with the newly created General Purpose SSD volume within your EC2 instance configuration, perform the following actions:

  1. Run detach-volume command (OSX/Linux/UNIX) to detach the Provisioned IOPS SSD volume from the specified EC2 instance:
    aws ec2 detach-volume \
      --region us-east-1 \
      --volume-id vol-0abcd1234abcd1234

  2. The output should return the detach-volume command request metadata:
    {
        "AttachTime": "2021-06-28T12:00:19.000Z",
        "InstanceId": "i-01234123412341234",
        "VolumeId": "vol-0abcd1234abcd1234",
        "State": "detaching",
        "Device": "/dev/sdf"
    }
    
  3. To attach the new General Purpose SSD volume to the selected Amazon EC2 instance, run attach-volume command (OSX/Linux/UNIX):
    aws ec2 attach-volume \
      --volume-id vol-0abcdabcdabcdabcd \
      --instance-id i-01234123412341234 \
      --device /dev/sdf

  4. The output should return the attach-volume command request metadata:
    {
        "AttachTime": "2021-06-28T13:00:19.000Z",
        "InstanceId": "i-01234123412341234",
        "VolumeId": "vol-0abcdabcdabcdabcd",
        "State": "attaching",
        "Device": "/dev/sdf"
    }

06 Repeat steps no. 1 – 5 to convert each Provisioned IOPS SSD volume available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
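The CLI remediation above is four commands whose outputs feed each other (snapshot ID into create-volume, new volume ID into attach-volume), and each must not start before the previous one has finished. The following script, an added example that is not Conformity's or AWS's own code, drives the same sequence with boto3 (the AWS SDK for Python) and its waiters, and carries the source volume's Availability Zone, encryption key and tags over to the replacement so the new volume is not silently weaker than the one it replaces. The sample volume description is constructed from the identifiers used on this page; the gp3 limits are AWS's published ones.

```python
"""Convert one Provisioned IOPS volume to gp3: snapshot, re-create, swap.

Added example, not Conformity's or AWS's own code. It follows the CLI
remediation steps above using boto3 (the AWS SDK for Python) and its waiters,
so each step starts only after the previous one has finished. The identifiers
in the constructed sample description are the ones used on this page.
"""
try:
    import boto3
except ImportError:          # build_create_volume_args() works without the SDK
    boto3 = None

GP3_BASELINE_IOPS = 3_000    # included with every gp3 volume
GP_MAX_IOPS = 16_000         # above this gp3 cannot match the source, so refuse
GP3_MAX_IOPS_PER_GIB = 500   # gp3 allows at most 500 IOPS per GiB of size

# Constructed sample in the shape of one entry of describe_volumes()["Volumes"].
SAMPLE_SOURCE = {
    "VolumeId": "vol-0abcd1234abcd1234", "VolumeType": "io1",
    "Size": 150, "Iops": 4500, "AvailabilityZone": "us-east-1a",
    "Encrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "Tags": [{"Key": "Name", "Value": "billing-db-data"}],
    "Attachments": [{"InstanceId": "i-0abcd1234abcd1234", "Device": "/dev/sdf",
                     "State": "attached"}],
}


def build_create_volume_args(source, snapshot_id):
    """create_volume() arguments for a gp3 replacement of `source`.

    Keeps the Availability Zone (a volume can only attach within its AZ),
    the customer-managed key and the tags. Refuses IOPS that gp3 cannot deliver,
    which is the mission-critical exception the rule text allows.
    """
    if source["VolumeType"] not in ("io1", "io2"):
        raise ValueError(f"{source['VolumeId']} is {source['VolumeType']}, not PIOPS")
    if source["Iops"] > GP_MAX_IOPS:
        raise ValueError(f"{source['VolumeId']} needs {source['Iops']} IOPS; "
                         f"gp3 tops out at {GP_MAX_IOPS}")
    iops = max(source["Iops"], GP3_BASELINE_IOPS)   # baseline is included, never ask for less
    args = {
        "AvailabilityZone": source["AvailabilityZone"],
        "SnapshotId": snapshot_id,
        "VolumeType": "gp3",
        "Iops": iops,
        # grow the volume if the source was too small for its IOPS at gp3's 500:1 ratio
        "Size": max(source["Size"], -(-iops // GP3_MAX_IOPS_PER_GIB)),
        "Encrypted": True,   # as in the CLI step above: encrypt the new volume at rest
    }
    if source.get("KmsKeyId"):
        args["KmsKeyId"] = source["KmsKeyId"]   # keep the same customer-managed key
    if source.get("Tags"):
        args["TagSpecifications"] = [{"ResourceType": "volume", "Tags": source["Tags"]}]
    return args


def convert_to_gp3(region, volume_id):
    """Snapshot `volume_id`, create a gp3 copy, and move each attachment across.

    The source volume is left in place (detached) so it can be deleted only
    after the instance has been verified on the new volume. Quiesce or unmount
    the filesystem before calling this so the snapshot is consistent.
    """
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live conversion")
    ec2 = boto3.client("ec2", region_name=region)
    source = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]

    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"EBS-007 conversion source {volume_id}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])

    new = ec2.create_volume(**build_create_volume_args(source, snap["SnapshotId"]))
    ec2.get_waiter("volume_available").wait(VolumeIds=[new["VolumeId"]])

    for att in source.get("Attachments", []):
        ec2.detach_volume(VolumeId=volume_id, InstanceId=att["InstanceId"], Device=att["Device"])
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new["VolumeId"], InstanceId=att["InstanceId"], Device=att["Device"])
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new["VolumeId"]])
    return new["VolumeId"]


if __name__ == "__main__":
    # Dry run against the constructed sample; no AWS call is made here.
    print(build_create_volume_args(SAMPLE_SOURCE, "snap-0abcd1234abcd1234"))
```

Running the file prints the create_volume arguments for the sample without touching AWS; `convert_to_gp3("us-east-1", "vol-0abcd1234abcd1234")` performs the live conversion and returns the new volume ID. Deleting the detached io1/io2 volume is deliberately left as a separate, manual step once the instance has been checked on its new volume, since that is the only point at which the old volume's data is no longer needed.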

Publication date Oct 26, 2016
