
Enable AWS EC2 Hibernation

Reliability
Risk level: Low (generally tolerable level of risk)
Rule ID: EC2-066

Enable hibernation as an additional stop behavior for your EC2 instances backed by Amazon EBS in order to reduce the time it takes for these instances to return to service at restart. This feature can be useful for certain application workloads, as hibernation stops the EC2 instance and saves the contents of the instance's RAM to the root volume. The Hibernation feature is only available for Amazon EC2 On-Demand and Reserved Instances.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Your applications can take tens of minutes to preload or warm up when relying on caches and other memory-centric components, and this service delay can force you to over-provision in case you need incremental compute capacity very quickly. With EC2 hibernation enabled, you can maintain your Amazon EC2 instances in a "pre-warmed" state so they can get to a productive state faster.

Note: Hibernation is currently supported by EC2 instances running Amazon Linux AMI version 1 that use the following instance types: M3, M4, M5, C3, C4, C5, R3, R4 and R5. Also, to make use of the Hibernation feature, the EBS root volume attached to the instance must be encrypted to ensure protection of sensitive data in memory, as this gets copied to the root volume.

Audit

To determine if the Hibernation feature is enabled for your EBS-backed EC2 instances, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES, click Instances.

04 Select the AWS EC2 instance that you want to examine.

05 Select the Description tab from the dashboard bottom panel.

06 In the left column, check the Stop - Hibernation behavior attribute value. If the verified value (status) is set to Disabled, the Hibernation feature is not enabled for the selected Amazon EC2 EBS-backed instance.

07 Repeat steps no. 4 – 6 to check the Hibernation feature status for other Amazon EC2 instances launched in the current region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 instances currently available in the selected AWS region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested EC2 instance identifiers:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0aabbccdd12341234  |
|  i-0abcabcabc1234567  |
|  i-01234567abcabcabc  |
+-----------------------+

03 Run the describe-instances command (OSX/Linux/UNIX) using the ID of the instance that you want to examine as identifier and custom filtering to determine whether the selected EC2 instance is enabled for hibernation:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-0aabbccdd12341234 \
	--query "Reservations[*].Instances[*].HibernationOptions.Configured | []"

04 The command output should return the Hibernation feature status (true for enabled, false for disabled):

[
    false
]

If the command output returns false, the selected Amazon EC2 EBS-backed instance is not enabled for hibernation.

05 Repeat steps no. 3 and 4 to verify the Hibernation feature status for other Amazon EC2 instances launched in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
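
The CLI audit above checks one instance at a time. As an added example (not part of the original page or of Cloud Conformity's tooling), the following Python script classifies every instance in saved describe-instances JSON output against the prerequisites this page lists. The function name, the encrypted_volumes input (volume IDs you would collect separately, for instance with describe-volumes) and the sample volume IDs are assumptions made for illustration.

```python
import json

# Instance families the page lists as supporting hibernation.
SUPPORTED_FAMILIES = {"m3", "m4", "m5", "c3", "c4", "c5", "r3", "r4", "r5"}

def audit_hibernation(describe_instances, encrypted_volumes):
    """Classify each instance; encrypted_volumes is a set of encrypted EBS volume IDs (assumed input)."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            blockers = []
            if inst.get("InstanceType", "").split(".")[0] not in SUPPORTED_FAMILIES:
                blockers.append("unsupported instance type")
            if inst.get("InstanceLifecycle") == "spot":
                blockers.append("Spot instance")
            if inst.get("RootDeviceType") != "ebs":
                blockers.append("root device is not EBS")
            # Find the EBS volume mapped at the root device name.
            root_vol = next(
                (m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", [])
                 if "Ebs" in m and m.get("DeviceName") == inst.get("RootDeviceName")),
                None)
            if root_vol not in encrypted_volumes:
                blockers.append("root volume not encrypted")
            if inst.get("HibernationOptions", {}).get("Configured", False):
                status = "enabled"
            elif blockers:
                status = "disabled, prerequisites not met"
            else:
                status = "disabled, eligible for relaunch"
            findings.append({"id": inst["InstanceId"], "status": status, "blockers": blockers})
    return findings

# Constructed sample: instance IDs reuse the page's placeholders; volume IDs are made up.
SAMPLE = json.loads("""{"Reservations": [{"Instances": [
 {"InstanceId": "i-0aabbccdd12341234", "InstanceType": "c4.large",
  "RootDeviceType": "ebs", "RootDeviceName": "/dev/xvda",
  "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}}],
  "HibernationOptions": {"Configured": false}},
 {"InstanceId": "i-0abcabcabc1234567", "InstanceType": "m5.large",
  "RootDeviceType": "ebs", "RootDeviceName": "/dev/xvda",
  "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0bbb"}}],
  "HibernationOptions": {"Configured": false}},
 {"InstanceId": "i-01234567abcabcabc", "InstanceType": "r5.large",
  "RootDeviceType": "ebs", "RootDeviceName": "/dev/xvda",
  "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0ccc"}}],
  "HibernationOptions": {"Configured": true}}]}]}""")

for finding in audit_hibernation(SAMPLE, {"vol-0aaa", "vol-0ccc"}):
    print(finding)
```

Instances reported as "disabled, prerequisites not met" cannot simply be re-launched with hibernation configured; the listed blockers (for example an unencrypted root volume) have to be resolved first.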

Remediation / Resolution

Amazon EC2 does not currently support enabling hibernation on an existing instance (running or stopped). To hibernate your instance, make sure that the prerequisites are met. To enable the feature, you have to re-launch the EC2 instance and configure hibernation at launch. To re-create the necessary AWS EC2 instance with hibernation enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES, click Instances.

04 Select the EC2 instance that you want to re-launch (see Audit section part I to identify the right EC2 resource).

05 Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.

06 Inside Create Image dialog box, provide the following information:

  1. In the Image Name box, enter a name for the new AMI.
  2. In the Image description box, provide a description that reflects the usage of the EC2 instance selected.
  3. Leave No reboot option unchecked so that AWS can guarantee the file system integrity for the new AMI.
  4. Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The AMI build process may take a few minutes. Once the process is complete, the image status should change from pending to available.

07 Once the AMI is ready, use it to re-launch the selected Amazon EC2 instance with the Hibernation feature enabled. To launch the instance, perform the following:

  1. Click the Launch Instance button from the EC2 dashboard top menu to initiate the process.
  2. On Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the AMI created at step no. 6.
  3. On Choose an Instance Type page, select the same instance type used by the source instance, then click Next: Configure Instance Details button.
  4. On Configure Instance Details page, select Enable hibernation as an additional stop behavior checkbox next to Stop - Hibernate behavior, and configure any other instance settings available on the page based on your requirements. Click Next: Add Storage without changing any configuration settings, then click Next: Add Tags to set up instance tags.
  5. On Add Tags page, create any required tag sets, then click Next: Configure Security Groups button.
  6. On Configure Security Groups, choose Select an existing security group and select the security group attached to the source EC2 instance (i.e. the one with hibernation disabled). Click the Review and Launch button, review your new EC2 instance configuration details and click Launch.
  7. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source instance. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.
  8. Click View Instances to return to the Instances page.

08 Once you have verified the new Amazon EC2 instance, replace the source instance with the new EC2 instance within your cloud application environment.

09 To make use of the Hibernation feature, choose the newly created instance, click the Actions dropdown button, select Instance State and click Stop – Hibernate. Within the Stop – Hibernate Instances dialog box, click Yes, Stop – Hibernate to confirm the action.

10 (Optional) Terminate the source instance in order to stop incurring charges for the compute resource. To shut down the instance, perform the following actions:

  1. In the navigation panel, under INSTANCES, select INSTANCES.
  2. Select the AWS EC2 instance that you want to terminate.
  3. Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
  4. In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

11 Repeat steps no. 4 – 10 to enable the Hibernation feature for other Amazon EC2 instances provisioned in the current region.

12 Change the AWS region from the navigation bar and repeat steps no. 4 – 11 for other regions.

Using AWS CLI

01 Run the create-image command (OSX/Linux/UNIX) to create an image from the source EC2 instance (see Audit section part II to identify the right resource). The source instance is the one with the Hibernation feature disabled. Include the --no-reboot command parameter to guarantee the file system integrity for your new AWS AMI:

aws ec2 create-image \
	--region us-east-1 \
	--instance-id i-0aabbccdd12341234 \
	--name "AMI for source EC2 instance (without hibernation enabled)" \
	--description "Application Stack Amazon Machine Image" \
	--no-reboot

02 The command output should return the ID of the new AWS AMI:

{
    "ImageId": "ami-0abcdabcd12341234"
}

03 Execute the run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from the image created at the previous steps. The following command example creates an EC2 instance with the Hibernation feature enabled, using an Amazon Machine Image (AMI) with the ID ami-0abcdabcd12341234. Set the --hibernation-options parameter to Configured=true to enable the feature during the launch process:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-0abcdabcd12341234 \
	--count 1 \
	--instance-type c4.large \
	--key-name ssh-secure-key \
	--security-groups web-app-sg \
	--hibernation-options Configured=true

04 The command output should return the new EC2 instance configuration metadata:

{
    "Instances": [
        {
            "PublicDnsName": "",
            "EbsOptimized": false,
            "LaunchTime": "2019-02-10T12:01:42.000Z",
            "PrivateIpAddress": "172.11.10.80",
            "ProductCodes": [],
            "VpcId": "vpc-abcdabcd",
            "CpuOptions": {
                "CoreCount": 1,
                "ThreadsPerCore": 2
            },
            "StateTransitionReason": "",

            ...

            "InstanceId": "i-0abcd1234abcd1234",
            "ImageId": "ami-01234123412341234",
            "KeyName": "ssh-secure-key",
            "Hypervisor": "xen",
            "Architecture": "x86_64",
            "RootDeviceType": "ebs",
            "RootDeviceName": "/dev/xvda",
            "VirtualizationType": "hvm",
            "HibernationOptions": {
                "Configured": true
            }
        }
    ],
    "ReservationId": "r-0aabbccdd12341234",
    "Groups": [],
    "OwnerId": "123456789012"
}

05 After you have verified the new Amazon EC2 instance, replace the source instance with the new EC2 instance within your application environment.

06 To make use of hibernation, run the stop-instances command (OSX/Linux/UNIX) using the ID of the newly created instance as identifier to put the specified Amazon EC2 instance into the hibernation state:

aws ec2 stop-instances \
	--region us-east-1 \
	--instance-ids i-0abcd1234abcd1234 \
	--hibernate

07 The command output should return the command request metadata:

{
    "StoppingInstances": [
        {
            "InstanceId": "i-0abcd1234abcd1234",
            "CurrentState": {
                "Code": 64,
                "Name": "stopping"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

08 (Optional) You can safely terminate the source instance in order to stop incurring charges for it. To shut down the source EC2 instance, run the terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:

aws ec2 terminate-instances \
	--instance-ids i-0aabbccdd12341234

09 The command output should return the shutdown request metadata:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-0aabbccdd12341234",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

10 Repeat steps no. 1 – 9 to enable the Hibernation feature for other Amazon EC2 instances provisioned in the selected region.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 10 for other regions.

Publication date Feb 13, 2019
