Logo of Trend Micro

EC2 Instance Too Old

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: EC2-022

Identify and re-launch any running AWS EC2 instances older than 180 days in order to ensure their reliability. An EC2 instance is not supposed to run indefinitely in the cloud and having too old instances within your AWS your account could increase the risk of potential issues.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security
Reliability

Stopping and relaunching your old EC2 instances will reallocate them to different and possibly more reliable underlying hardware (host machine).

Audit

To determine if you have any old (> 180 days) running EC2 instances available in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine. The Instance State for the selected EC2 instance must be 'running'.

05 Select the Description tab from the dashboard bottom panel.

06 In the right column, check the Launch time parameter value:

In the right column, check the Launch time parameter value

to determine the instance active age. If the selected EC2 instance active age is greater than 180 days, the instance is considered old and requires a restart.

07 Repeat steps no. 4 – 6 to verify the launch date for other instances available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with appropriate filtering to list the IDs of the running EC2 instances currently available in the selected region: 

aws ec2 describe-instances
	--region us-east-1
	--output table
	--filters "Name=instance-state-code,Values=16"
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs: 

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0c41af2ddee0308d6  |
|  i-033801b9c55f55f5d  |
|  i-0b3cdfa00d01f7d0c  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using each instance ID returned at the previous step and custom filtering to expose the launch date for the selected EC2 instance: 

aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-0c41af2ddee0308d6
	--query 'Reservations[*].Instances[*].LaunchTime'

04The command output should return an array that contains the instance launch date in human readable format: 

[
    [
        "2015-06-03T08:44:46.000Z"
    ]
]

If the selected instance was launched more than 180 days ago, it is considered old and must be restarted.

05 Repeat steps no. 3 and 4 to verify the launch date for other instances available in the current region.

06 Repeat steps no. 1 – 5 to repeat the audit process for the other AWS regions.

Remediation / Resolution

To safely restart the old instances running inside your AWS account, perform the following:

Note: This guide assumes that your old EC2 instances are associated with Elastic IPs. If your old instances do not have Elastic IPs attached, you will have to update their public IP reference(s) in your application or within the DNS zone file after you restart the instances, as these receive new public IPs.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the running EC2 instance that you want to restart.

05 Click on the Actions dropdown button from the dashboard top menu, select Instance State and click Stop. (!) IMPORTANT: This step will incur downtime for the application(s) running on the selected instance. If the instance is currently used in production, schedule this process during your next maintenance window.

06 In the Stop Instances dialog box, review the details and click Yes, Stop to confirm the action. The instance status will change from running to stopping to stopped.

07 Click again on the Actions dropdown button, select Instance State and click Start to restart the instance.

08 Inside the Start Instances dialog box, review the details and click Yes, Start to confirm the action. The instance status will change from stopped to pending to running.

09 Repeat steps no. 4 – 8 to restart any other old instances available in the current region.

10 Change the AWS region from the navigation bar and repeat this process for the other regions.

Using AWS CLI

01 Run stop-instances command (OSX/Linux/UNIX) using the instance ID as identifier (see Audit section to get the old instance ID) to stop it. (!) IMPORTANT: This step will incur downtime for the application(s) running on the selected instance. If the instance is currently used in production, schedule this process during your next maintenance window. The following command example stops an EC2 instance with the ID i-0c41af2ddee0308d6 within the US East region: 

aws ec2 stop-instances
	--region us-east-1
	--instance-ids i-0c41af2ddee0308d6

02 The command output should return the instance current state metadata (highlighted) after the request: 

{
    "StoppingInstances": [
        {
            "InstanceId": "i-0c41af2ddee0308d6",
            "CurrentState": {
                "Code": 64,
                "Name": "stopping"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

03 Run start-instances command (OSX/Linux/UNIX) using the stopped instance ID as identifier to restart it. The following command example restarts an EC2 instance with the ID i-0c41af2ddee0308d6 within the US East region: 

aws ec2 start-instances
	--region us-east-1
	--instance-ids i-0c41af2ddee0308d6

04 The command output should return the EC2 instance current state metadata (highlighted) after the request: 

{
    "StartingInstances": [
        {
            "InstanceId": "i-0c41af2ddee0308d6",
            "CurrentState": {
                "Code": 0,
                "Name": "pending"
            },
            "PreviousState": {
                "Code": 80,
                "Name": "stopped"
            }
        }
    ]
}

05 Repeat steps no. 1 – 4 to restart any other old instances available in the current region.

06 Change the AWS region to repeat the entire process for the other regions.

References

Publication date Jun 3, 2016

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

EC2 Instance Too Old

Risk level: Low