Logo of Trend Micro

Check for EC2 Instances with Blocklisted Instance Types

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: EC2-071

Ensure that none of the Amazon EC2 instances provisioned in your AWS account have their instance type blocklisted by your organization. Prior to running this rule by the Cloud Conformity engine, the list with the blocklisted EC2 instance types must be configured within the rule settings, on the Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity solution

Security

Setting limits for the instance types used within your organization can help you address internal security compliance and prevent unexpected charges on your AWS bill. Furthermore, blocklisting a small set of EC2 instance types, usually extremely large instance types such as r4.16xlarge or c5d.18xlarge, is much more efficient than having to explicitly permit a large number of allowed types.

Audit

To determine if there are any EC2 instances with the instance type blocklisted, available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity account, access Check for EC2 Instances with blocklisted Instance Types conformity rule settings and copy the instance type(s) blocklisted by your organization.

02 Sign in to AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, within INSTANCES section, choose Instances.

05 Click inside the attributes filter box located under the EC2 dashboard top menu, select Instance Type, paste the name of the blocklisted instance type copied at step no. 1 (e.g. r4.16xlarge) and press Enter. Repeat this action for each blocklisted instance type. If the filtering process returns one or more EC2 instances as result, the instances available in the current region were launched using blocklisted instance types, therefore you must take action and raise a support case to request AWS to deny creating EC2 instances using forbidden instance types (see Remediation/Resolution section).

06 Change the AWS region from the navigation bar and repeat step no. 5 for all other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity account, access Check for EC2 Instances with blocklisted Instance Types conformity rule settings and copy the instance type(s) blocklisted by your organization.

02 Run describe-instances command (OSX/Linux/UNIX) using the instance type copied at the previous step as filtering parameter and custom query filters, to list the ID(s) of the EC2 instances launched using the specified type, in the selected AWS region. Replace <blocklisted-instance-type> placeholder with the instance type copied at step no. 1. Execute this command for each blocklisted instance type defined within the rule settings: 

aws ec2 describe-instances
	--region us-east-1
	--filters "Name=instance-state-name,Values=running" "Name=instance-type,Values=<blocklisted-instance-type>"
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested Amazon EC2 instance ID(s): 

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-012341234abcdabcd  |
|  i-0abcdabcd12341234  |
+-----------------------+

If describe-instances command output returns one or more EC2 instances IDs as result, there are EC2 instances in the selected region that were launched using blocklisted instance types, therefore you must take action and create a support case to request AWS to deny launching EC2 instances using forbidden instance types.

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 for other regions.

Remediation / Resolution

To ensure that no EC2 instances are launched within your AWS account using blocklisted instance types, perform the following actions:

Note: Creating a support case to request the instance type restrictions using the AWS cloud API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Support Center page, perform the following actions:

  1. Select My support cases tab and click Create case button to initiate the request process.
  2. Under Create case, select Account and Billing Support option.
  3. In the Case classification section, select Account from the Type dropdown list and Other Account Issues from the Category dropdown list.
  4. Within Case description section, enter the request subject, e.g. "Deny launching AWS EC2 instances with specific instance types" in the Subject box, and provide a brief description where you list the forbidden instance types and explain why you need to block the provisioning of EC2 instances using those specific instance types in the Description area. This will help the AWS support team to evaluate your case.
  5. In the Contact options section, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support can use to respond to your request. You can either choose to be contacted via email and AWS Support Center or via phone call.
  6. Click Submit to send the limit request to Amazon Web Services.

References

Publication date Apr 15, 2019

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Check for EC2 Instances with Blocklisted Instance Types

Risk level: High