Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Unused EBS Volumes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EBS-003

Identify unused (unattached) Amazon Elastic Block Store (EBS) volumes available within your AWS cloud account and delete these volumes in order to lower the cost of your AWS bill and reduce the risk of confidential and sensitive data leaks.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost
optimisation
Security
Sustainability

Any Amazon EBS volume provisioned in your AWS cloud account adds charges to your monthly bill, regardless of whether it is in use. If you have Amazon EBS volumes that are not attached to EC2 instances and their data is no longer needed, consider deleting these volumes. Removing unattached/orphaned Amazon EBS volumes from your AWS account will help you to avoid unexpected charges on your AWS bill and halt access to any sensitive data available on these volumes.

Note: Backup your data. Once an EBS volume is deleted, the data will be lost and the volume can't be attached to an instance. Because EBS snapshots are much more cost-effective than EBS volumes, it is highly recommended to take snapshots of your unused volumes before deletion.

Audit

To determine if there are any unattached (unused) Amazon EBS volumes available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, choose Volumes.

04 Select the Amazon EBS volume that you want to examine.

05 Choose the Description tab from the console bottom panel and check the State attribute value. If the State attribute value is set to available, the selected Amazon EBS volume is not attached to an EC2 instance, therefore the volume is considered unused and can be removed from your AWS account.

06 Repeat steps no. 4 and 5 for each Amazon EBS volume available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and perform the Audit process for other regions.

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) with custom query filters to describe the ID of each Amazon EBS volume provisioned in the selected AWS cloud region: 

aws ec2 describe-volumes
  --region us-east-1
  --query 'Volumes[*].VolumeId'

02 The command output should return the requested volume ID(s): 

[
    "vol-0abcd1234abcd1234",
    "vol-01234abcd1234abcd"
]

03 Run describe-volumes command (OSX/Linux/UNIX) using the ID of the Amazon EBS volume that you want to examine as the identifier parameter and custom query filters to describe the current state of the selected EBS volume: 

aws ec2 describe-volumes
  --region us-east-1
  --volume-ids vol-0abcd1234abcd1234
  --query 'Volumes[*].State'

04 The command output should return the state of the specified EBS volume: 

[
    "available"
]

If the describe-volumes command output returns "available", as shown in the example above, the selected Amazon EBS volume is not attached to an EC2 instance, therefore the volume is considered unused and can be removed from your AWS account.

05 Repeat steps no. 3 and 4 for each Amazon EBS volume available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To remove unused (unattached) Amazon Elastic Block Store (EBS) volumes from your AWS cloud account, you need to perform the following actions:

Note: For IaC resolution steps, removing unattached instances is not supported by CloudFormation.

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_ebs_snapshot" "project5-volume-snapshot" {
  volume_id = "vol-0abcd1234abcd1234"
}

02 Terraform commands: 

terraform destroy -target aws_ebs_volume.cc-project5-volume

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, choose Volumes.

04 Select the unused Amazon EBS volume that you want to remove.

05 Choose the Actions dropdown button from the console top menu and select Create Snapshot.

06 On the Create Snapshot setup page, provide a short description of the volume in the Description box, then choose Create Snapshot to create a final snapshot of your volume. Choose Close to return to the Amazon EC2 console.

07 Select the unused Amazon EBS volume that you want to delete.

08 Choose the Actions dropdown button from the console top menu and select Delete Volume.

09 Inside the Delete Volume confirmation box, choose Yes, Delete to remove the selected volume from your AWS account.

10 Repeat steps no. 4 – 9 for each unused volume that you want to delete, available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and perform the Remediation process for other regions.

Using AWS CLI

01 Run create-snapshot command (OSX/Linux/UNIX) to create a final snapshot for the unused Amazon EBS volume that you want to delete: 

aws ec2 create-snapshot
  --region us-east-1
  --volume-id vol-0abcd1234abcd1234

02 The output should return the create-snapshot command request metadata: 

{
    "Description": "",
    "Tags": [],
    "Encrypted": true,
    "VolumeId": "vol-0abcd1234abcd1234",
    "State": "pending",
    "VolumeSize": 150,
    "StartTime": "2021-06-20T11:37:31.000Z",
    "Progress": "",
    "OwnerId": "123456789012",
    "SnapshotId": "snap-0abcd1234abcd1234"
}

03 Once the final snapshot is created, run delete-volume command (OSX/Linux/UNIX) to remove the unused (unattached) Amazon EBS volume from your AWS cloud account (if successful, the command request should not produce an output): 

aws ec2 delete-volume
  --region us-east-1
  --volume-id vol-0abcd1234abcd1234

04 Repeat steps no. 1 – 3 for each unused volume that you want to delete, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Apr 5, 2016

Related EBS rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Unused EBS Volumes

Risk Level: Medium