Logo of Trend Micro

EC2 Reserved Instance Recent Purchases

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: EC2-052

Ensure that all active Amazon EC2 Reserved Instance (RI) purchases are reviewed every 7 days to make sure that no unwanted RI purchase has been placed recently.

This rule can help you with the following compliance standards:

  • AWAF

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Cost
optimisation

By checking your EC2 RI purchases on a regular basis you can detect and cancel any unwanted purchases placed within your AWS account and avoid unexpected charges on your AWS bill.

Note: You can change the default threshold value (7 days) for the review time frame within the rule settings available on the Cloud Conformity console.

Audit

To identify the EC2 Reserved Instance purchases placed recently within your AWS account for review purposes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, choose Reserved Instances.

04 On the EC2 RI dashboard, click inside the attributes filter box located under the dashboard top menu, and perform the following actions:

  1. Select Start parameter from the dropdown list and set the date and time within the Date and Time fields, required for the review. After the right date and time is set (i.e. 7 days ago), choose After this date option then click Set to apply the date/time filter that will return the EC2 RI purchase requests placed after the date set (if any).
  2. Select State parameter from the dropdown list and choose the Active to return active Reserved Instance purchases only.
    This filtering method, e.g. filtering method will help you find and review all active EC2 RI purchases placed in the last 7 days, within the current AWS region. If no purchases matching your filter criteria are found, there were no AWS EC2 RI purchases placed in the last week. If one or more purchases matching the filter criteria are returned and you are unaware of any these purchases, check your AWS CloudTrail logs or contact Amazon Web Services through AWS Support Center to solve the unwanted RI purchases issue (see Remediation/Resolution section for more details).

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-reserved-instances command (OSX/Linux/UNIX) using predefined and custom query filters to list the IDs of all active EC2 Reserved Instance purchases placed in the selected AWS region: 

aws ec2 describe-reserved-instances
	--region us-east-1
	--filters Name=state,Values=active
	--output table
	--query 'ReservedInstances[*].ReservedInstancesId'

02 The command output should return a table with the requested EC2 RI purchases IDs: 

----------------------------------------
|        ReservedInstancesIds          |
+--------------------------------------+
| 6bs904b7-7e4e-5325-964b-f65e48d3b218 |
| 45150c85-f31e-15c6-a3e4-7ac2dbdefb40 |
+--------------------------------------+

03 Run again describe-reserved-instances command (OSX/Linux/UNIX) using your RI purchase ID returned at the previous step and necessary filtering to expose the date at which the EC2 Reserved Instance purchase request was placed: 

aws ec2 describe-reserved-instances
	--region us-east-1
	--reserved-instances-ids 6bs904b7-7e4e-5325-964b-f65e48d3b218
	--query 'ReservedInstances[*].Start'

04 The command output should return the time when the requested RI purchase was placed: 

[
    "Start": "2017-03-08T15:30:27.352Z"
]

If the date returned as Start parameter value indicates a recent EC2 RI purchase request (i.e. request placed in the last 7 days) and you are unaware of this purchase, verify your AWS CloudTrail logs or contact AWS using the Support Center console to solve the issue.

05 Repeat step no. 3 and 4 to check the purchase request timestamp for other EC2 Reserved Instances (RIs) available within the selected region.

06 Change the AWS region by updating the --region command parameter value and perform the entire audit process for other regions.

Remediation / Resolution

Case A: Check the AWS Cloudtrail service logs (if Cloudtrail is enabled) from the date when the EC2 RI purchase request was placed to determine the request origin and context. To find and analyze the necessary API logging data, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine, available in the same AWS region with the identified EC2 RI purchases.

05 Within Storage location section check the name of the S3 bucket used to store the trail log data.

06 Now navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket used for CloudTrail logging and use the date/time bucket name format (e.g. cloudtrail-logging-bucket/AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/08) to open the right log file for analysis.

08 Based on the log file name (i.e. 123456789012_CloudTrail_us-east-1_20170308T1830Z_65ZWtvmCq5cuBxyOZ.json.gz), identify the CloudTrail log file that contains the API activity recorded on the same date as the unwanted EC2 RI purchase request, click the Actions dropdown button from the dashboard top menu and select Open to download and open the log file in your browser.

09 Once the right CloudTrail log file is opened, search for the following attributes in order to identify the necessary log record:

  1. "eventSource":"ec2.amazonaws.com" – for the name of the AWS service used to place the RI purchase request.
  2. "eventName":"PurchaseReservedInstancesOffering" – for the name of the AWS API action/command used to place the RI purchase request.
  3. "eventTime":"2017-03-08T18:30:27.352Z" – for the date/time when the EC2 RI purchase request was placed.

10 Identify the right CloudTrail log entry (record) based on the attributes listed at the previous step and verify the "userIdentity" attribute value to determine your unwanted EC2 RI purchase request origin and context.

11 Repeat steps no. 7 – 10 to verify the request origin and context for other unwanted EC2 Reserved Instance (RI) purchases placed in the selected region.

12 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list the names of all CloudTrail trails currently available within the selected AWS region: 

aws cloudtrail describe-trails
	--region us-east-1
	--output table
	--query 'trailList[*].Name'

02 The command output should return a table with the requested trail name(s): 

---------------------------
|     DescribeTrails      |
+-------------------------+
|  aws-environment-trail  |
+-------------------------+

03 Run again describe-trails command (OSX/Linux/UNIX) using the name of the trail returned at the previous step and custom query filters to get the name of the S3 bucket used to store the log files for the selected CloudTrail trail: 

aws cloudtrail describe-trails
	--region us-east-1
	--trail-name-list aws-environment-trail
	--query 'trailList[*].S3BucketName'

04 The command output should return the name of the requested S3 bucket: 

[
    "env-cloudtrail-logs"
]

05 Now run list-objects command (OSX/Linux/UNIX) to list the names of all S3 objects (files) available in the selected S3 bucket: 

aws s3api list-objects
	--region us-east-1
	--bucket env-cloudtrail-logs
	--query 'Contents[].Key'

06 The command output should expose the name of each S3 object (CloudTrail log file) currently available within the selected S3 bucket: 

[
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/08/123456789012_
     CloudTrail_us-east-1_20170308T1800Z_rfD9ytCLV222jR4e.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/08/123456789012_
     CloudTrail_us-east-1_20170308T1805Z_65ZWtvmCqOcuwXIo.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/08/123456789012_
     CloudTrail_us-east-1_20170308T1805Z_ntG0rPDvTVMKJdLe.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/08/123456789012_
     CloudTrail_us-east-1_20170308T2005Z_00euohtdKFqkNjPH.json.gz"
]

07 Run get-object command (OSX/Linux/UNIX) to get the right CloudTrail log file (e.g. rfD9ytCLV222jR4e.json.gz) from the specified S3 bucket and download it to your machine: 

aws s3api get-object
	--region us-east-1
	--bucket env-cloudtrail-logs
	--key AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/08/123456789012_CloudTrail_us-east-1_20170308T1800Z_rfD9ytCLV222jR4e.json.gz rfD9ytCLV222jR4e.json.gz

08 The command output should return the GET request metadata: 

{
    "AcceptRanges": "bytes",
    "ContentType": "application/json",
    "LastModified": "Sat, 08 Mar 2017 18:00:00 GMT",
    "ContentLength": 4291,
    "ContentEncoding": "gzip",
    "ETag": "\"dabffa01349b8713ec69e0e4cf6971a9\"",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}

09 Now extract and open the required CloudTrail log file, downloaded at the previous step (e.g. rfD9ytCLV222jR4e.json.gz), in your preferred text editor.

10 Once the log file is opened, search for the following attributes in order to identify the necessary log record:

  1. "eventSource":"ec2.amazonaws.com" – for the name of the AWS service used to place the RI purchase request.
  2. "eventName":"PurchaseReservedInstancesOffering" – for the name of the AWS API action/command used to place the RI purchase request.
  3. "eventTime":"2017-03-08T18:30:27.352Z" – for the date/time when the EC2 RI purchase request was placed.

11 Identify the right CloudTrail log entry (record) based on the attributes listed above and verify the "userIdentity" attribute value to determine your unwanted EC2 RI purchase request origin and context.

12 Repeat steps no. 7 – 11 to verify the request origin and context for other unwanted EC2 Reserved Instance (RI) purchases available within the selected region.

13 Change the AWS region by updating the --region command parameter value and perform the entire remediation process for other regions.

Case B: To mitigate unwanted EC2 Reserved Instance purchase requests you can contact Amazon Web Services and ask for RI purchases cancellation. To create the necessary case through the AWS Support Center, perform the following:

Note: Requesting Amazon to cancel your unwanted EC2 RI purchase requests using AWS Management Console or AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center page at https://console.aws.amazon.com/support/.

03 On Support Center page, click Create case button to initiate the process.

04 On the Create Case page, perform the following:

  1. Under Regarding, select Account and Billing Support option.
  2. Choose Billing from the Service dropdown list to send your request to AWS Billing and Cost Management service.
  3. Select Reserved Instances from the Category dropdown list.
  4. Inside the Subject box, enter a subject for your request such as "Cancel unwanted EC2 Reserved Instance purchase".
  5. Within Description textbox, provide the reason why do you need to cancel your recent EC2 RI purchase and explain how and when this unwanted purchase request was placed. This will help AWS support team to evaluate properly your request.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request. If your need is urgent, choose Phone as contact method to request a direct phone call.
  7. Click Submit to send the cancellation request for your unwanted EC2 Reserved Instance purchase to Amazon Web Services. A customer support representative will contact you shortly.

References

Publication date Mar 14, 2017

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

EC2 Reserved Instance Recent Purchases

Risk level: Low