
EC2 Reserved Instance Purchase Recommendations


Risk Level: Medium (should be achieved)

Identify any Amazon EC2 instances that can be upgraded to Reserved Instances (RIs) and follow the Trend Micro Cloud One™ – Conformity recommendations for purchasing RIs in order to receive a significant discount on the hourly charges. Reserved Instances are a pricing model that provides discounted hourly rates for compute capacity in exchange for reserving a certain amount of compute usage upfront. The cost savings when using Reserved Instances over On-Demand Instances are up to 75% depending on the commitment term (1 year or 3 years) and the payment option used (No Upfront, Partial Upfront, or All Upfront). For example, for a t2.large EC2 instance provisioned in the US-East region (N. Virginia) you can save roughly $24 per month by upgrading it to a Reserved Instance for a period of 1 year with no upfront costs or save $40 per month by reserving it for a period of 3 years with a portion of the cost paid upfront (Partial Upfront).

Cost optimisation

Reserved Instances (RIs) are a good strategy to cut down on Amazon EC2 costs, but purchasing them without a plan can feel like a risky process. The Conformity purchasing recommendations outlined in this rule will help you optimize your RI spending and save money by using only what you need.

Note: In order to verify the current status of purchased reserved capacity and provide accurate recommendations, Conformity needs access to the AWS payer account (the account designated to pay the bills) or to AWS individual accounts. The following IAM policy allows the Conformity engine to view all the reserved EC2 instances available in your account(s):


	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Effect": "Allow",
				"Action": [
					"ec2:DescribeReservedInstances"
				],
				"Resource": "*"
			}
		]
	}

Audit

To verify your current Amazon EC2 compute capacity and determine if there are any candidates for upgrading to Reserved Instances (RIs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console bottom panel to access the instance configuration details.

06 Check the configuration information available for the selected EC2 instance to determine the instance role within the application stack. If the selected Amazon EC2 instance is not a component of an application stack that is about to be decommissioned soon and the instance will run for at least 6 months, the verified Amazon EC2 instance is eligible for the Reserved Instance (RI) plan.

07 Repeat steps no. 4 - 6 for each Amazon EC2 instance available in the selected AWS cloud region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run the describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to describe the configuration information available for the selected instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[]'

04 The command output should return an array with the requested configuration information:

[
	{
		"AmiLaunchIndex": 0,
		"ImageId": "ami-0abcd1234abcd1234",
		"InstanceId": "i-01234abcd1234abcd",
		"InstanceType": "c4.large",
		"KeyName": "conformity",
		"LaunchTime": "2021-03-10T10:00:00+00:00",
		"Monitoring": {
			"State": "disabled"
		},
		"Placement": {
			"AvailabilityZone": "us-east-1a",
			"GroupName": "",
			"Tenancy": "dedicated"
		},
		"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
		"PrivateIpAddress": "10.0.0.15",
		"ProductCodes": [],
		"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
		"PublicIpAddress": "10.0.1.20",
		"State": {
			"Code": 16,
			"Name": "running"
		},
		"StateTransitionReason": "",
		"SubnetId": "subnet-abcd1234",
		"VpcId": "vpc-1234abcd",
		"Architecture": "x86_64",
		"BlockDeviceMappings": [
			{
				"DeviceName": "/dev/xvda",
				"Ebs": {
					"AttachTime": "2021-03-10T10:00:00+00:00",
					"DeleteOnTermination": true,
					"Status": "attached",
					"VolumeId": "vol-0abcd1234abcd1234"
				}
			}
		],
		"ClientToken": "",
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"IamInstanceProfile": {
			"Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
			"Id": "ABCDABCDABCDABCDABCDA"
		},
		"NetworkInterfaces": [
			{
				"Association": {
					"IpOwnerId": "amazon",
					"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
					"PublicIp": "10.0.1.20"
				},
				"Attachment": {
					"AttachTime": "2021-03-10T10:00:00+00:00",
					"AttachmentId": "eni-attach-0abcd1234abcd1234",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attached",
					"NetworkCardIndex": 0
				},
				"Description": "Primary network interface",
				"Groups": [
					{
						"GroupName": "cc-prod-security-group",
						"GroupId": "sg-01234abcd1234abcd"
					}
				],
				"Ipv6Addresses": [],
				"MacAddress": "0e:53:19:7b:62:6b",
				"NetworkInterfaceId": "eni-0abcd1234abcd1234",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
				"PrivateIpAddress": "10.0.0.15",
				"PrivateIpAddresses": [
					{
						"Association": {
							"IpOwnerId": "amazon",
							"PublicDnsName": "ec2-10-0-1-20.compute-1.amazonaws.com",
							"PublicIp": "10.0.1.20"
						},
						"Primary": true,
						"PrivateDnsName": "ip-10-0-0-15.ec2.internal",
						"PrivateIpAddress": "10.0.0.15"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-abcd1234",
				"VpcId": "vpc-1234abcd",
				"InterfaceType": "interface"
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupName": "cc-prod-security-group",
				"GroupId": "sg-01234abcd1234abcd"
			}
		],
		"SourceDestCheck": true,
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 2,
			"ThreadsPerCore": 4
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"HibernationOptions": {
			"Configured": false
		},
		"MetadataOptions": {
			"State": "applied",
			"HttpTokens": "optional",
			"HttpPutResponseHopLimit": 1,
			"HttpEndpoint": "enabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		}
	}
]

05 Check the instance configuration information returned by the describe-instances command output at the previous step to determine the instance role within the application stack. If the selected Amazon EC2 instance is not a component of an application stack that is about to be decommissioned and the instance will run for at least 6 months, the verified Amazon EC2 instance is eligible for the Reserved Instance (RI) plan.

06 Repeat steps no. 3 – 5 for each Amazon EC2 instance available in the selected AWS cloud region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
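
The comparison this audit leads to, as an added example (not Conformity's or AWS's own code): it reads describe-instances output together with describe-reserved-instances output (the call the IAM policy above permits) and counts running instances that no active reservation covers. The JSON is constructed, and matching is by exact attributes only; instance size flexibility is ignored as a simplifying assumption.

```python
import json
from collections import Counter

# Constructed sample shaped like `aws ec2 describe-instances` output
# (only the fields read below; all IDs are made up).
INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "InstanceType": "t2.large", "PlatformDetails": "Linux/UNIX",
   "State": {"Name": "running"}, "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"}},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa2", "InstanceType": "t2.large", "PlatformDetails": "Linux/UNIX",
   "State": {"Name": "running"}, "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"}},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "InstanceType": "t2.large", "PlatformDetails": "Linux/UNIX",
   "State": {"Name": "running"}, "Placement": {"AvailabilityZone": "us-east-1b", "Tenancy": "default"}},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa4", "InstanceType": "c4.large", "PlatformDetails": "Linux/UNIX",
   "State": {"Name": "running"}, "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "dedicated"}},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa5", "InstanceType": "t2.large", "PlatformDetails": "Linux/UNIX",
   "State": {"Name": "stopped"}, "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"}}
]}]}
""")

# Constructed sample shaped like `aws ec2 describe-reserved-instances` output.
RESERVED = json.loads("""
{"ReservedInstances": [
  {"InstanceType": "t2.large", "ProductDescription": "Linux/UNIX (Amazon VPC)", "InstanceTenancy": "default",
   "Scope": "Availability Zone", "AvailabilityZone": "us-east-1a", "InstanceCount": 1, "State": "active"},
  {"InstanceType": "t2.large", "ProductDescription": "Linux/UNIX", "InstanceTenancy": "default",
   "Scope": "Region", "InstanceCount": 1, "State": "active"},
  {"InstanceType": "c4.large", "ProductDescription": "Linux/UNIX", "InstanceTenancy": "dedicated",
   "Scope": "Region", "InstanceCount": 2, "State": "retired"}
]}
""")


def platform(description):
    # Reservations may carry an "(Amazon VPC)" suffix that instances do not report.
    return description.replace(" (Amazon VPC)", "")


def uncovered_instances(instances, reserved):
    """Return {(type, platform, tenancy): count} of running instances billed On-Demand."""
    running = Counter()
    for reservation in instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst["State"]["Name"] != "running":
                continue  # stopped instances accrue no On-Demand compute charges
            # Assumption: an instance without PlatformDetails is treated as Linux/UNIX.
            running[(inst["InstanceType"], platform(inst.get("PlatformDetails", "Linux/UNIX")),
                     inst["Placement"]["Tenancy"], inst["Placement"]["AvailabilityZone"])] += 1

    zonal, regional = Counter(), Counter()
    for ri in reserved.get("ReservedInstances", []):
        if ri["State"] != "active":
            continue  # retired or pending reservations give no discount
        key = (ri["InstanceType"], platform(ri["ProductDescription"]), ri["InstanceTenancy"])
        if ri.get("Scope") == "Availability Zone":
            zonal[key + (ri["AvailabilityZone"],)] += ri["InstanceCount"]
        else:
            regional[key] += ri["InstanceCount"]

    # Zonal reservations apply only inside their AZ; regional ones absorb what is left.
    leftover = Counter()
    for key, count in running.items():
        leftover[key[:3]] += max(count - zonal[key], 0)
    return {key: count - regional[key]
            for key, count in sorted(leftover.items()) if count > regional[key]}
```

Each key in the result is a set of attributes to feed into the eligibility check in step 05; the count is how many matching instances currently run without a reservation.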

Remediation / Resolution

To upgrade your eligible On-Demand EC2 instances to Reserved Instances (RIs) you must wisely purchase RIs without paying for resources that you don't need. To make the reservation based on the right pricing model, the right instance size, and the right platform, follow the recommendations outlined below:

01 Commitment Term – choose the commitment period carefully based on your application requirements because you will be charged for every hour during the entire reservation term that you select, regardless of whether the EC2 instance is running or not. AWS provides two types of commitment terms:

  1. 1-year term – the reservation is made for 1 year and it's useful for predictable workloads that don't require vertical scaling. This provides a lower discount rate when compared with the 3-year term.
  2. 3-year term – the reservation is made for 3 years, it's useful for long-running applications and web services that don't require vertical scaling, and provides a higher discount rate.

02 Payment Options – decide how you would like to pay for your Reserved Instances throughout the chosen commitment period. There are 3 payment options to choose from:

  1. No Upfront – no upfront payment is required at purchase, but the discount is lower (31% over the On-Demand pricing model) when compared to other payment options. This option is not available for 3-year term reservations.
  2. Partial Upfront – a portion of the cost must be paid upfront and the remaining hours in the term are billed at the established discounted hourly rate. This option balances the Reserved Instance payments between upfront and hourly.
  3. All Upfront – you are paying for the entire commitment term selected (1 or 3 years) with one upfront payment and get the best effective hourly price when compared to On-Demand model. This has the biggest discount when compared to other payment options available.

03 Consolidated Billing – using Consolidated Billing is recommended when you own multiple accounts because the AWS billing engine treats all your accounts as a single account for billing purposes (designated payer account), resulting in the lowest possible bill as the applicable discounts are spread across all accounts. For instance, the Reserved Instances purchased in one AWS cloud account can share their reservations with other AWS accounts available in the same billing family. The purchase recommendations are based on the previous calendar month's hour-by-hour usage aggregated across all consolidated billing accounts. For example, if you have two RIs in the same AWS region with the same attributes, the AWS billing system checks each hour for the total number of running instances that match those attributes. If there are two instances or less, you will be charged the Reserved Instance rate for each matching instance running that hour. If more than two are running, you will be charged the On-Demand rate for the additional instance(s).

04 Purchasing Process – it is important to review the shopping cart details carefully before the purchase. After your purchase is confirmed, it can't be cancelled, so make sure the parameters displayed on the Reserved Instance shopping cart page are accurate.

05 Limitations – you can purchase up to 20 Reserved Instances (RIs) per Availability Zone each month. If you need additional RIs, use the form available at this URL to request an increase.
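
How the commitment term, payment option and hour-by-hour billing rules above combine into a purchase decision, as an added example (not code from Conformity or AWS). The offering dictionary uses the field names returned by describe-reserved-instances-offerings; the On-Demand rate and the usage pattern are constructed values, not real prices.

```python
# Constructed offering using the describe-reserved-instances-offerings field names.
OFFERING = {
    "OfferingType": "No Upfront",
    "InstanceType": "t2.large",
    "Duration": 31536000,          # seconds, i.e. a 1-year term
    "FixedPrice": 0.0,             # upfront payment
    "UsagePrice": 0.0,
    "RecurringCharges": [{"Amount": 0.048, "Frequency": "Hourly"}],
}
ON_DEMAND_RATE = 0.08              # assumption: constructed hourly On-Demand price

# Constructed usage: 30 days where one instance runs all day and two more
# join for 8 hours a day (number of matching running instances per hour).
USAGE = ([1] * 16 + [3] * 8) * 30


def effective_hourly_rate(offering):
    """Spread the upfront fee over the whole term and add the hourly charges."""
    term_hours = offering["Duration"] / 3600
    hourly = sum(c["Amount"] for c in offering["RecurringCharges"]
                 if c["Frequency"] == "Hourly")
    return offering["FixedPrice"] / term_hours + offering["UsagePrice"] + hourly


def break_even_utilisation(offering, on_demand_rate):
    """Fraction of the term an instance must run before the reservation pays off."""
    return effective_hourly_rate(offering) / on_demand_rate


def cost_with_reservations(hourly_running, ri_count, ri_rate, on_demand_rate):
    """Bill every hour the way the Consolidated Billing paragraph describes:
    ri_count reservations are paid for whether used or not, and instances
    beyond ri_count in a given hour are charged the On-Demand rate."""
    reserved = ri_count * ri_rate * len(hourly_running)
    overflow = sum(max(n - ri_count, 0) for n in hourly_running) * on_demand_rate
    return reserved + overflow


def best_ri_count(hourly_running, ri_rate, on_demand_rate):
    """Number of reservations that minimises the bill for this usage pattern."""
    return min(range(max(hourly_running) + 1),
               key=lambda n: cost_with_reservations(
                   hourly_running, n, ri_rate, on_demand_rate))


if __name__ == "__main__":
    rate = effective_hourly_rate(OFFERING)
    print("break-even utilisation:", round(break_even_utilisation(OFFERING, ON_DEMAND_RATE), 2))
    for n in range(max(USAGE) + 1):
        print(n, "RIs ->", round(cost_with_reservations(USAGE, n, rate, ON_DEMAND_RATE), 2))
    print("best:", best_ri_count(USAGE, rate, ON_DEMAND_RATE))
```

With these inputs only the always-on instance is worth reserving: the two part-time instances run a third of the time, below the break-even utilisation, so reserving them costs more than leaving them On-Demand.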

Case A: To upgrade to Reserved Instances just purchase the appropriate RIs in the same AWS region, using the same attributes as your active On-demand instances, and the billing will be automatically changed to reflect the reserved rates. To buy the required RIs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Reserved Instances.

04 Click on the Purchase Reserved Instances button from the console top menu to initiate the purchasing process.

05 On the Purchase Reserved Instances panel, provide the following information:

  1. For Platform, select the operating system (OS) platform (e.g. Linux/UNIX) used by the active On-demand instance that you want to upgrade to Reserved Instance.
  2. For Instance type, choose the right instance type (e.g. t2.large).
  3. For Tenancy, select the tenancy used by the On-demand instance (e.g. default).
  4. For Term, choose the length of time for the new reservation.
  5. For Offering class, choose the right offering class for your Reserved Instance.
  6. For Payment option, select the payment type that you want to use for this reservation (e.g. No Upfront).
  7. Choose Search to find the Amazon EC2 Reserved Instances that match the provided criteria.
  8. Once the search results are returned, choose the preferred offering, type the required quantity in the Desired quantity box, and click Add to cart.
  9. Choose View cart to view your cart item before purchasing the selected RI offering. IMPORTANT: Verify the shopping cart details before the purchase in order to make sure that the parameters listed on this page are correct.
  10. Choose Order all to purchase the selected Amazon EC2 Reserved Instance. Your Reserved Instance order is now submitted and you are immediately charged for any applicable upfront fees.

06 Repeat steps no. 4 and 5 to upgrade other On-Demand EC2 instances available within the current AWS region by purchasing Reserved Instances that match their configuration.

07 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Before you purchase your Amazon EC2 Reserved Instance(s), run the describe-reserved-instances-offerings command (OSX/Linux/UNIX) to get the pricing information available for the RI offering(s). Use the command parameters provided in the following example to match the specifications of the On-Demand instance that you want to upgrade to a Reserved Instance:

aws ec2 describe-reserved-instances-offerings \
  --region us-east-1 \
  --availability-zone us-east-1a \
  --instance-type "t2.large" \
  --product-description "Linux/UNIX (Amazon VPC)" \
  --instance-tenancy default \
  --offering-type "no upfront" \
  --min-duration 2592000 \
  --max-duration 31536000 \
  --no-include-marketplace

02 The command output should return the requested offering(s) information:

{
	"ReservedInstancesOfferings": [
		{
			"OfferingType": "No Upfront",
			"AvailabilityZone": "us-east-1a",
			"InstanceTenancy": "default",
			"PricingDetails": [],
			"ProductDescription": "Linux/UNIX",
			"UsagePrice": 0.0,
			"RecurringCharges": [
				{
					"Amount": 0.048,
					"Frequency": "Hourly"
				}
			],
			"Marketplace": false,
			"CurrencyCode": "USD",
			"FixedPrice": 0.0,
			"Duration": 31536000,
			"ReservedInstancesOfferingId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
			"InstanceType": "t2.large"
		}
	]
}

03 Run the purchase-reserved-instances-offering command (OSX/Linux/UNIX) to purchase the Amazon EC2 Reserved Instance based on the offering information returned at the previous step. The following command example will purchase one Reserved Instance using an AWS offering identified by the ID "abcdabcd-1234-abcd-1234-abcd1234abcd":

aws ec2 purchase-reserved-instances-offering \
  --region us-east-1 \
  --reserved-instances-offering-id "abcdabcd-1234-abcd-1234-abcd1234abcd" \
  --instance-count 1

04 The command output should return the ID of the new Amazon EC2 Reserved Instance:

{
	"ReservedInstancesId": "1234abcd-1234-abcd-1234-abcd1234abcd"
}

05 Repeat steps no. 1 – 4 to upgrade other On-Demand EC2 instances available in the selected AWS region by purchasing Reserved Instances that match their configuration.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Case B: To renew your existing Amazon EC2 Reserved Instances (RIs), you need to repurchase them using the same configuration attributes (region, instance type, OS platform, and so on). The Amazon EC2 RIs are not renewed automatically so you must repurchase your existing RIs in order to avoid On-Demand rate charges when the current reservations expire. To repurchase them perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Reserved Instances.

04 Select the active Amazon EC2 Reserved Instance that you want to renew.

05 Choose the Details tab from the console bottom panel and note the Reserved Instance configuration attributes (instance type, tenancy, OS platform, offering class, etc.).

06 Click on the Purchase Reserved Instances button from the console top menu to initiate the purchasing process.

07 On the Purchase Reserved Instances panel, provide the following offering details:

  1. For Platform, select the operating system (OS) platform (e.g. Linux/UNIX) used by the active Reserved Instance that you want to renew.
  2. For Instance type, choose the right instance type (e.g. t2.large).
  3. For Tenancy, select the tenancy used by the selected Reserved Instance (e.g. default).
  4. For Term, choose the length of time for the new reservation.
  5. For Offering class, choose the right offering class for your Reserved Instance.
  6. For Payment option, select the payment type that you want to use for this reservation (e.g. No Upfront).
  7. Choose Search to find the Amazon EC2 Reserved Instances that match the provided criteria.
  8. Once the search results are returned, choose the preferred offering, type the required quantity in the Desired quantity box, and click Add to cart.
  9. Choose View cart to view your cart item before purchasing the selected RI offering. IMPORTANT: Verify the shopping cart details before the purchase in order to make sure that the parameters listed on this page are correct.
  10. Choose Order all to repurchase (renew) the selected Amazon EC2 Reserved Instances. Your Reserved Instance order is now submitted and you are immediately charged for any applicable upfront fees.

08 Repeat steps no. 4 – 7 to renew other Amazon EC2 Reserved Instances available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the describe-reserved-instances-offerings command (OSX/Linux/UNIX) to get the pricing information available for the RI offering(s). Use the command parameters provided in the following example to match the specifications of the Amazon EC2 Reserved Instance that you want to renew (repurchase):

aws ec2 describe-reserved-instances-offerings \
  --region us-east-1 \
  --availability-zone us-east-1d \
  --instance-type "t2.medium" \
  --product-description "Linux/UNIX (Amazon VPC)" \
  --instance-tenancy default \
  --offering-type "no upfront" \
  --min-duration 2592000 \
  --max-duration 31536000 \
  --no-include-marketplace

02 The command output should return the requested offering(s) information:

{
	"ReservedInstancesOfferings": [
		{
			"OfferingType": "No Upfront",
			"AvailabilityZone": "us-east-1d",
			"InstanceTenancy": "default",
			"PricingDetails": [],
			"ProductDescription": "Linux/UNIX",
			"UsagePrice": 0.0,
			"RecurringCharges": [
				{
					"Amount": 0.048,
					"Frequency": "Hourly"
				}
			],
			"Marketplace": false,
			"CurrencyCode": "USD",
			"FixedPrice": 0.0,
			"Duration": 31536000,
			"ReservedInstancesOfferingId": "12341234-abcd-1234-abcd-1234abcd1234",
			"InstanceType": "t2.medium"
		}
	]
}

03 Run the purchase-reserved-instances-offering command (OSX/Linux/UNIX) to purchase the Amazon EC2 Reserved Instance based on the offering information returned at the previous step. The following command example will purchase one Reserved Instance using an AWS offering identified by the ID "12341234-abcd-1234-abcd-1234abcd1234":

aws ec2 purchase-reserved-instances-offering \
  --region us-east-1 \
  --reserved-instances-offering-id "12341234-abcd-1234-abcd-1234abcd1234" \
  --instance-count 1

04 The command output should return the ID of the new Amazon EC2 Reserved Instance:

{
	"ReservedInstancesId": "1234abcd-1234-abcd-1234-abcd1234abcd"
}

05 Repeat steps no. 1 – 4 to renew (repurchase) other Amazon EC2 Reserved Instances available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
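
Because reservations lapse silently to On-Demand rates, a scheduled check for upcoming expiry is useful. The following is an added example (not Conformity's or AWS's own code) that reads describe-reserved-instances output, finds active reservations ending within a window, and builds the matching describe-reserved-instances-offerings arguments for the renewal search. The JSON, the fixed "current time" and the 45-day window are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `aws ec2 describe-reserved-instances` output;
# all IDs and dates are made up.
RESERVED = json.loads("""
{"ReservedInstances": [
  {"ReservedInstancesId": "11111111-aaaa-1111-aaaa-111111111111", "InstanceType": "t2.medium",
   "ProductDescription": "Linux/UNIX (Amazon VPC)", "InstanceTenancy": "default",
   "OfferingType": "No Upfront", "Scope": "Availability Zone", "AvailabilityZone": "us-east-1d",
   "InstanceCount": 2, "Duration": 31536000, "End": "2024-06-20T00:00:00+00:00", "State": "active"},
  {"ReservedInstancesId": "22222222-bbbb-2222-bbbb-222222222222", "InstanceType": "t2.large",
   "ProductDescription": "Linux/UNIX", "InstanceTenancy": "default",
   "OfferingType": "Partial Upfront", "Scope": "Region",
   "InstanceCount": 1, "Duration": 94608000, "End": "2025-11-01T00:00:00+00:00", "State": "active"},
  {"ReservedInstancesId": "33333333-cccc-3333-cccc-333333333333", "InstanceType": "c4.large",
   "ProductDescription": "Linux/UNIX", "InstanceTenancy": "dedicated",
   "OfferingType": "All Upfront", "Scope": "Region",
   "InstanceCount": 1, "Duration": 31536000, "End": "2024-07-10T08:30:00.000Z", "State": "active"},
  {"ReservedInstancesId": "44444444-dddd-4444-dddd-444444444444", "InstanceType": "t2.large",
   "ProductDescription": "Linux/UNIX", "InstanceTenancy": "default",
   "OfferingType": "No Upfront", "Scope": "Region",
   "InstanceCount": 3, "Duration": 31536000, "End": "2024-05-01T00:00:00+00:00", "State": "retired"}
]}
""")

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def parse_time(value):
    # Accept both "+00:00" and "Z" suffixed timestamps.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def renewals_due(reserved, now, within_days=45):
    """Active reservations ending within `within_days`, soonest first."""
    due = []
    for ri in reserved.get("ReservedInstances", []):
        if ri["State"] != "active":
            continue  # retired reservations have already lapsed
        days_left = (parse_time(ri["End"]) - now).days
        if not 0 <= days_left <= within_days:
            continue
        # Same attributes as the expiring reservation, for the offering search.
        args = ["--instance-type", ri["InstanceType"],
                "--product-description", ri["ProductDescription"],
                "--instance-tenancy", ri["InstanceTenancy"],
                "--offering-type", ri["OfferingType"],
                "--min-duration", str(ri["Duration"]),
                "--max-duration", str(ri["Duration"])]
        if ri.get("Scope") == "Availability Zone":
            args += ["--availability-zone", ri["AvailabilityZone"]]
        due.append({"id": ri["ReservedInstancesId"], "days_left": days_left,
                    "count": ri["InstanceCount"], "offering_search_args": args})
    return sorted(due, key=lambda item: item["days_left"])
```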

Publication date Nov 2, 2016
