
EC2 Hibernation

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-066

Enable hibernation as an additional stop behavior for your EBS-backed Amazon EC2 instances in order to reduce the time it takes for these instances to return to service at restart. This feature can be useful for certain application workloads, as hibernation stops the EC2 instance and saves the contents of the instance's RAM memory to the root volume. The Hibernation feature is only available for Amazon EC2 On-Demand and Reserved Instances.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability
Sustainability

Your applications can take tens of minutes to preload or warm up when relying on caches and other RAM memory-centric components, and this service delay can force you to over-provision in case you need incremental compute capacity very quickly. With Amazon EC2 hibernation enabled, you can maintain your EC2 instances in a "pre-warmed" state so these can get to a productive state faster.

Note: Hibernation is currently supported by Amazon EC2 instances running Amazon Linux AMI version 1, which use the following instance types: M3, M4, M5, C3, C4, C5, R3, R4 and R5. Also, to make use of the Hibernation feature, the EBS root volume attached to the instance must be encrypted to ensure the protection of sensitive data in memory as this gets copied to the root volume.


Audit

To determine if the Hibernation feature is enabled for your EBS-backed EC2 instances, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console bottom panel to access the instance configuration details.

06 In the Instance details section, check the Stop-hibernate behavior configuration attribute value. If the attribute value is set to disabled, the Hibernation feature is not enabled for the selected Amazon EC2 instance.

07 Repeat steps no. 4 – 6 for each EBS-backed Amazon EC2 instance provisioned in the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcd1234abcd1234  |
|  i-0abcdabcdabcdabcd  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to determine whether the selected EBS-backed EC2 instance is configured for hibernation:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query "Reservations[*].Instances[*].HibernationOptions.Configured | []"

04 The command output should return the Hibernation feature status (true for enabled, false for disabled):

[
    false
]

If the describe-instances command output returns false, as shown in the example above, the Hibernation feature is not enabled for the selected Amazon EC2 instance.

05 Repeat steps no. 3 and 4 for each EBS-backed Amazon EC2 instance launched in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
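
The CLI audit above, applied in bulk: an added example (not part of the original page and not Conformity's own code) that takes saved describe-instances and describe-volumes JSON and flags EBS-backed instances without hibernation, noting whether the root volume already meets the encryption prerequisite. The sample records are constructed, and skipping Spot Instances through the InstanceLifecycle field is an assumption based on the page's On-Demand/Reserved limitation.

```python
# Added example: evaluate the hibernation audit offline against saved CLI JSON.

def _sample_instance(instance_id, volume_id, configured, **extra):
    """Build a constructed record with the describe-instances fields used below."""
    record = {
        "InstanceId": instance_id,
        "State": {"Name": "running"},
        "RootDeviceType": "ebs",
        "RootDeviceName": "/dev/xvda",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": volume_id}}
        ],
        "HibernationOptions": {"Configured": configured},
    }
    record.update(extra)
    return record


# Constructed sample data (not real resources), shaped like the JSON returned by
# `aws ec2 describe-instances` and `aws ec2 describe-volumes`.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    _sample_instance("i-01234abcd1234abcd", "vol-0abcd1234abcd1234", False),
    _sample_instance("i-0abcd1234abcd1234", "vol-01234abcd1234abcd", True),
    _sample_instance("i-0abcdabcdabcdabcd", "vol-0abcdabcdabcdabcd", False,
                     InstanceLifecycle="spot"),
]}]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0abcd1234abcd1234", "Encrypted": False},
    {"VolumeId": "vol-01234abcd1234abcd", "Encrypted": True},
    {"VolumeId": "vol-0abcdabcdabcdabcd", "Encrypted": True},
]}


def root_volume_id(instance):
    """Return the EBS volume ID mapped to the instance's root device, if any."""
    for mapping in instance.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == instance.get("RootDeviceName"):
            return mapping.get("Ebs", {}).get("VolumeId")
    return None


def audit_hibernation(describe_instances, describe_volumes):
    """Classify each instance as PASS, FAIL or SKIP for the hibernation check."""
    encrypted = {v["VolumeId"]: v.get("Encrypted", False)
                 for v in describe_volumes.get("Volumes", [])}
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            if inst.get("RootDeviceType") != "ebs":
                status, note = "SKIP", "not EBS-backed"
            elif inst.get("InstanceLifecycle") == "spot":
                # The page limits the feature to On-Demand and Reserved Instances.
                status, note = "SKIP", "Spot Instance"
            elif inst.get("HibernationOptions", {}).get("Configured", False):
                status, note = "PASS", "hibernation configured"
            elif encrypted.get(root_volume_id(inst), False):
                status, note = "FAIL", "relaunch with hibernation enabled"
            else:
                # An encrypted root volume is a prerequisite, so fix that too.
                status, note = ("FAIL",
                                "relaunch with hibernation on an encrypted root volume")
            findings.append({"InstanceId": inst["InstanceId"],
                             "Status": status, "Note": note})
    return findings


if __name__ == "__main__":
    for finding in audit_hibernation(SAMPLE_INSTANCES, SAMPLE_VOLUMES):
        print("{InstanceId}  {Status}  {Note}".format(**finding))
```

To run it against a real account, save the JSON output of both commands per region and pass the parsed documents to audit_hibernation in place of the constructed samples.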

Remediation / Resolution

You can't enable hibernation on an existing Amazon EC2 instance (running or stopped instance). To hibernate your EC2 instance, make sure that prerequisites are met. To enable the feature, you must relaunch the required EC2 instance and configure hibernation at launch. To re-create your Amazon EC2 instance with the Hibernation feature, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion":"2010-09-09",
    "Description":"Enable Hibernation for EC2 Instances",
    "Parameters":{
        "InstanceKeyName":{
            "Type":"AWS::EC2::KeyPair::KeyName",
            "Description":"The SSH key used to access the instance."
        },
        "InstanceSecurityGroup":{
            "Type":"AWS::EC2::SecurityGroup::Id",
            "Description":"The ID of the security group to use."
        }
    },
    "Resources":{
        "NewEC2Instance":{
            "Type":"AWS::EC2::Instance",
            "Properties":{
                "ImageId":"ami-0abcd1234abcd1234",
                "InstanceType":"t3.micro",
                "KeyName":{
                    "Ref":"InstanceKeyName"
                },
                "SubnetId":"subnet-abcd1234",
                "SecurityGroupIds":[
                    {
                        "Ref":"InstanceSecurityGroup"
                    }
                ],
                "BlockDeviceMappings":[
                    {
                        "DeviceName":"/dev/xvda",
                        "Ebs":{
                            "VolumeSize":"50",
                            "VolumeType":"gp2",
                            "Encrypted":true
                        }
                    }
                ],
                "HibernationOptions":{
                    "Configured":true
                }
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Hibernation for EC2 Instances
Parameters:
  InstanceKeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: The SSH key used to access the instance.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: The ID of the security group to use.
Resources:
  NewEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t3.micro
      KeyName: !Ref 'InstanceKeyName'
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - !Ref 'InstanceSecurityGroup'
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: '50'
            VolumeType: gp2
            # Hibernation requires an encrypted root volume
            Encrypted: true
      HibernationOptions:
        Configured: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_instance" "new-ec2-instance" {

  ami                    = "ami-0abcd1234abcd1234"
  instance_type          = "t3.micro"
  key_name               = "ssh-key"
  subnet_id              = "subnet-abcd1234"
  vpc_security_group_ids = ["sg-01234abcd1234abcd"]

  ebs_block_device {
    device_name = "/dev/xvda"
    volume_size = 50
    volume_type = "gp2"
    # Hibernation requires an encrypted root volume
    encrypted   = true
  }

  lifecycle {
    ignore_changes = [ami]
  }

  # Enable Hibernation
  hibernation = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to re-create (see Audit section part I to identify the right resource).

05 Click on the Actions dropdown menu from the console top menu, select Image and templates, and choose Create image.

06 On the Create image setup page, provide the following information:

  1. In the Image name box, enter a unique name for the new AMI.
  2. (Optional) In the Image description box, provide a short description that reflects the usage of the selected EBS-backed instance.
  3. Deselect Enable under No reboot so that Amazon EC2 service can guarantee the file system integrity for the new AMI.
  4. (Optional) For Tags, choose Tag image and snapshots together and use the Add tag button to create and apply user-defined tags to the new image.
  5. Choose Create image to create your new AMI.

07 Once the new image is ready, use it to relaunch your Amazon EC2 instance with the Hibernation feature. On the Instances listing page, choose Launch instances and perform the following operations:

  1. For Step 1: Choose an Amazon Machine Image (AMI), choose My AMIs tab, and select the Amazon Machine Image (AMI) created at step no. 6.
  2. For Step 2: Choose an Instance Type, select the required instance type (must match the instance type used by the source instance). Choose Next: Configure Instance Details to continue the setup process.
  3. For Configure Instance Details, perform the following actions:
    • Select Enable hibernation as an additional stop behavior checkbox available next to Stop - Hibernate behavior to enable the Hibernation feature for the new Amazon EC2 instance.
    • Configure the network, identity management, behavior, and metadata settings. The new instance configuration must match the source instance configuration. Choose Next: Add Storage to continue the setup process.
  4. For Step 4: Add Storage, configure the storage device settings. Make sure that the root volume is large enough to store the RAM contents and accommodate your expected usage. To use hibernation, the root volume must be an encrypted EBS volume. Choose Next: Add Tags to set up the instance tags.
  5. For Step 5: Add Tags, use the Add tag button to create and apply user-defined tags to the new EC2 instance. You can track compute cost and other criteria by tagging your instance. Choose Configure Security Group to continue the setup process.
  6. For Step 6: Configure Security Group, choose Select an existing security group and select the security group(s) associated with the source Amazon EC2 instance. Choose Review and Launch to continue.
  7. For Step 7: Review Instance Launch, review your EC2 instance configuration details, then choose Launch.
  8. In the Select an existing key pair or create a new key pair configuration box, select Choose an existing key pair and use the same key pair as the source instance. Select the I acknowledge that I have access to the selected private key file (<key-name>.pem), and that without this file, I won't be able to log into my instance checkbox for confirmation, then choose Launch Instances to launch your new EBS-backed Amazon EC2 instance.
  9. Choose View Instances to return to the Instances page.

08 To make use of the Hibernation feature, select the newly created instance, click on the Instance state dropdown menu, and choose Hibernate Instance. In the Hibernate instance? confirmation box, click Hibernate to confirm the action.

09 (Optional) Terminate the source instance in order to stop incurring charges for the compute resource. To shut down the instance, perform the following operations:

  1. Select the Amazon EC2 instance that you want to terminate.
  2. Choose Instance state and select Terminate instance.
  3. In the Terminate instance? confirmation box, review the instance details, then choose Terminate to shut down the selected EC2 instance.

10 Repeat steps no. 4 – 9 to enable the Hibernation feature for other Amazon EC2 instances provisioned in the current AWS region.

11 Change the AWS region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) to list the configuration information available for the Amazon EC2 instance that you want to re-create (see Audit section part II to identify the right resource):

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[]'

02 The command output should return an array with the requested configuration information:

[
    {
        "AmiLaunchIndex": 0,
        "ImageId": "ami-0abcd1234abcd1234",
        "InstanceId": "i-01234abcd1234abcd",
        "InstanceType": "t2.micro",
        "KeyName": "conformity",
        "LaunchTime": "2021-03-10T10:00:00+00:00",
        "Monitoring": {
            "State": "disabled"
        },
        "Placement": {
            "AvailabilityZone": "us-east-1a",
            "GroupName": "",
            "Tenancy": "default"
        },
        "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
        "PrivateIpAddress": "10.0.0.15",
        "ProductCodes": [],
        "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
        "PublicIpAddress": "10.0.1.20",
        "State": {
            "Code": 16,
            "Name": "running"
        },
        "StateTransitionReason": "",
        "SubnetId": "subnet-abcd1234",
        "VpcId": "vpc-1234abcd",
        "Architecture": "x86_64",
        "BlockDeviceMappings": [
            {
                "DeviceName": "/dev/xvda",
                "Ebs": {
                    "AttachTime": "2021-03-10T10:00:00+00:00",
                    "DeleteOnTermination": true,
                    "Status": "attached",
                    "VolumeId": "vol-0abcd1234abcd1234"
                }
            }
        ],
        "ClientToken": "",
        "EbsOptimized": false,
        "EnaSupport": true,
        "Hypervisor": "xen",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
            "Id": "ABCDABCDABCDABCDABCDA"
        },
        "NetworkInterfaces": [
            {
                "Association": {
                    "IpOwnerId": "amazon",
                    "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
                    "PublicIp": "10.0.1.20"
                },
                "Attachment": {
                    "AttachTime": "2021-03-10T10:00:00+00:00",
                    "AttachmentId": "eni-attach-0abcd1234abcd1234",
                    "DeleteOnTermination": true,
                    "DeviceIndex": 0,
                    "Status": "attached",
                    "NetworkCardIndex": 0
                },
                "Description": "Primary network interface",
                "Groups": [
                    {
                        "GroupName": "cc-prod-security-group",
                        "GroupId": "sg-01234abcd1234abcd"
                    }
                ],
                "Ipv6Addresses": [],
                "MacAddress": "0e:53:19:7b:62:6b",
                "NetworkInterfaceId": "eni-0abcd1234abcd1234",
                "OwnerId": "123456789012",
                "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
                "PrivateIpAddress": "10.0.0.15",
                "PrivateIpAddresses": [
                    {
                        "Association": {
                            "IpOwnerId": "amazon",
                            "PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
                            "PublicIp": "10.0.1.20"
                        },
                        "Primary": true,
                        "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
                        "PrivateIpAddress": "10.0.0.15"
                    }
                ],
                "SourceDestCheck": true,
                "Status": "in-use",
                "SubnetId": "subnet-abcd1234",
                "VpcId": "vpc-1234abcd",
                "InterfaceType": "interface"
            }
        ],
        "RootDeviceName": "/dev/xvda",
        "RootDeviceType": "ebs",
        "SecurityGroups": [
            {
                "GroupName": "cc-prod-security-group",
                "GroupId": "sg-01234abcd1234abcd"
            }
        ],
        "SourceDestCheck": true,
        "VirtualizationType": "hvm",
        "CpuOptions": {
            "CoreCount": 2,
            "ThreadsPerCore": 4
        },
        "CapacityReservationSpecification": {
            "CapacityReservationPreference": "open"
        },
        "HibernationOptions": {
            "Configured": false
        },
        "MetadataOptions": {
            "State": "applied",
            "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1,
            "HttpEndpoint": "enabled"
        },
        "EnclaveOptions": {
            "Enabled": false
        }
    }
]

03 Run create-image command (OSX/Linux/UNIX) to create an image from the source Amazon EC2 instance described at the previous step. Include the --no-reboot command parameter to guarantee the file system integrity for your new AMI:

aws ec2 create-image \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --name "Project5 EC2 Instance AMI" \
  --description "Project5 Production Image" \
  --no-reboot

04 The command output should return the ID of the new Amazon Machine Image (AMI):

{
    "ImageId": "ami-0abcdabcdabcdabcd"
}

05 Execute run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from the AMI created at the previous steps. Use the information returned at step no. 2 for the instance configuration parameters. Set the --hibernation-options parameter to Configured=true to enable the Hibernation feature during the launch process:

aws ec2 run-instances \
  --region us-east-1 \
  --image-id ami-0abcdabcdabcdabcd \
  --count 1 \
  --instance-type t2.micro \
  --key-name conformity \
  --security-group-ids sg-01234abcd1234abcd \
  --iam-instance-profile Name="ec2-manager-role" \
  --hibernation-options Configured=true

06 The command output should return the configuration metadata for the newly created EC2 instance:

{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-0abcdabcdabcdabcd",
            "InstanceId": "i-01234123412341234",
            "InstanceType": "t2.micro",
            "KeyName": "conformity.aws",
            "LaunchTime": "2021-03-22T17:29:43+00:00",
            "Monitoring": {
                "State": "disabled"
            },
            "Placement": {
                "AvailabilityZone": "us-east-1e",
                "GroupName": "",
                "Tenancy": "default"
            },
            "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
            "PrivateIpAddress": "10.0.0.5",
            "ProductCodes": [],
            "PublicDnsName": "",
            "State": {
                "Code": 0,
                "Name": "pending"
            },
            "StateTransitionReason": "",
            "SubnetId": "subnet-abcdabcd",
            "VpcId": "vpc-1234abcd",
            "Architecture": "x86_64",
            "BlockDeviceMappings": [],
            "EbsOptimized": false,
            "EnaSupport": true,
            "Hypervisor": "xen",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
                "Id": "ABCDABCDABCDABCDABCD"
            },
            "NetworkInterfaces": [
                {
                    "Attachment": {
                        "AttachTime": "2021-03-22T17:29:43+00:00",
                        "AttachmentId": "eni-attach-0abcd1234abcd1234",
                        "DeleteOnTermination": true,
                        "DeviceIndex": 0,
                        "Status": "attaching",
                        "NetworkCardIndex": 0
                    },
                    "Description": "",
                    "Groups": [
                        {
                            "GroupName": "cc-prod-security-group",
                            "GroupId": "sg-01234abcd1234abcd"
                        }
                    ],
                    "Ipv6Addresses": [],
                    "MacAddress": "06:00:c7:12:51:99",
                    "NetworkInterfaceId": "eni-0abcd1234abcd1234",
                    "OwnerId": "123456789012",
                    "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
                    "PrivateIpAddress": "10.0.0.5",
                    "PrivateIpAddresses": [
                        {
                            "Primary": true,
                            "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
                            "PrivateIpAddress": "10.0.0.5"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Status": "in-use",
                    "SubnetId": "subnet-abcdabcd",
                    "VpcId": "vpc-1234abcd",
                    "InterfaceType": "interface"
                }
            ],
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SecurityGroups": [
                {
                    "GroupName": "cc-prod-security-group",
                    "GroupId": "sg-01234abcd1234abcd"
                }
            ],
            "SourceDestCheck": true,
            "StateReason": {
                "Code": "pending",
                "Message": "pending"
            },
            "VirtualizationType": "hvm",
            "HibernationOptions": {
                "Configured": true
            },
            "CpuOptions": {
                "CoreCount": 1,
                "ThreadsPerCore": 1
            },
            "CapacityReservationSpecification": {
                "CapacityReservationPreference": "open"
            },
            "MetadataOptions": {
                "State": "pending",
                "HttpTokens": "optional",
                "HttpPutResponseHopLimit": 1,
                "HttpEndpoint": "enabled"
            },
            "EnclaveOptions": {
                "Enabled": false
            }
        }
    ],
    "OwnerId": "123456789012",
    "ReservationId": "r-0abcd1234abcd1234"
}

07 To make use of hibernation, run stop-instances command (OSX/Linux/UNIX) using the ID of the newly created instance as the identifier parameter to get the specified Amazon EC2 instance into the hibernation state:

aws ec2 stop-instances \
  --region us-east-1 \
  --instance-ids i-01234123412341234 \
  --hibernate

08 The output should return the stop-instances command request metadata:

{
    "StoppingInstances": [
        {
            "InstanceId": "i-01234123412341234",
            "CurrentState": {
                "Code": 64,
                "Name": "stopping"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

09 (Optional) You can terminate the source Amazon EC2 instance in order to stop incurring charges for it. To shut down the instance, run terminate-instances command (OSX/Linux/UNIX) using the source instance ID as the identifier parameter:

aws ec2 terminate-instances \
  --instance-ids i-01234abcd1234abcd

10 The output should return the terminate-instances command request metadata:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-01234abcd1234abcd",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

11 Repeat steps no. 1 – 10 to enable the Hibernation feature for other Amazon EC2 instances provisioned in the selected AWS region.

12 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.


Publication date Feb 13, 2019
