Logo of Trend Micro

Unused EBS Volumes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EBS-003

Identify any unattached (unused) Elastic Block Store (EBS) volumes available in your AWS account and remove them in order to lower the cost of your monthly AWS bill and reduce the risk of confidential/sensitive data leaving your premise.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Cost
optimisation
Security

Any Elastic Block Store volume created in your AWS account is adding charges to your monthly bill, regardless whether is being used or not. If you have EBS volumes (other than root volumes) that are unattached to an EC2 instance or have very low I/O activity, consider deleting them. Removing unattached/orphaned Elastic Block Store volumes will help you avoid unexpected charges on your AWS bill and halt access to any sensitive data available on these volumes.

Note: Backup your data - once a volume is deleted, the data will be lost and the volume cannot be attached to an instance. Since EBS snapshots are much more cost-effective because are stored as objects using AWS Simple Storage Service (S3) service, it is recommended to create volume snapshots before deleting them.

Audit

To determine if there are any unattached and unused EBS volumes, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Volumes.

04 To identify any unattached EBS volumes, check their status under State column:

check their status under State column

If the status is in-use, the volume is currently attached and cannot be deleted. If the status is available, the volume is not attached to an EC2 instance and can be safely deleted.

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) via AWS CLI to determine if you have any unattached EBS volumes: 

aws ec2 describe-volumes
	--filters Name=status,Values=available

02 The command output should return a JSON object ( https://en.wikipedia.org/wiki/JSON ) for each existing unattached volume: 

{

    "Volumes": [

        {
            "AvailabilityZone": "us-east-1a",
            "Attachments": [],
            "Encrypted": true,
            "VolumeType": "gp2",
            "VolumeId": "vol-e323363d",
            "State": "available",
            "Iops": 90,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key
            /d6c03026-b0bd-451e-a864-a68355f4f035",
            "SnapshotId": "",
            "CreateTime": "2016-04-05T06:46:09.653Z",
            "Size": 30
        }

    ]
}

Remediation / Resolution

To remove any unused and unwanted Elastic Block Store volumes from your AWS account, you need to perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Volumes.

04 Select your unattached volume.

05 (Optional) Create a snapshot of your volume:

  1. Click the Actions dropdown button from the EBS dashboard top menu and select Create Snapshot: Click the Actions dropdown button from the EBS dashboard top menu and select Create Snapshot
  2. In the Create Snapshot dialog box, provide a name and a description for the volume snapshot (optional) and click Create: provide a name and a description for the volume snapshot and click Create

06 Click the Actions dropdown button from the EBS dashboard top menu and select Delete Volume:

Click the Actions dropdown button from the EBS dashboard top menu and select Delete Volume

07 In the Delete Volume dialog box, confirm the action and click Yes, Delete.

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) to determine if there are any EBS unused volumes that can be safely removed: 

aws ec2 describe-volumes
	--filters Name=status,Values=available

02 The command output should return a JSON object for each existing unattached volume where the current state is available: 

{
    "Volumes": [
        {
            "AvailabilityZone": "us-east-1a",
            "Attachments": [],
            "Encrypted": true,
            "VolumeType": "gp2",
            "VolumeId": "vol-e323363d",
            "State": "available",
            "Iops": 90,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/d6c03026-b0bd-451e-a864-a68355f4f035",
            "SnapshotId": "",
            "CreateTime": "2016-04-05T06:46:09.653Z",
            "Size": 30
        }
    ]
}

03 Run delete-volume command (OSX/Linux/UNIX) via AWS CLI to delete any unused EBS volumes, identified in the previous step. The next example command describes an unattached volume with the ID vol-e323363d: 

aws ec2 delete-volume
	--volume-id vol-1234abcd

04 To make sure the selected EBS volume have been successfully removed, run again describe-volumes command (OSX/Linux/UNIX): 

aws ec2 describe-volumes
	--volume-id vol-e323363d

05 The command output should return the InvalidVolume.NotFound error:

A client error (InvalidVolume.NotFound) occurred when calling the DescribeVolumes operation: The volume 'vol-e323363d' does not exist.

References

Publication date Apr 5, 2016

Related EBS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Unused EBS Volumes

Risk level: Medium