Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

EC2 Reserved Instance Recent Purchases

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-052

Ensure that all the active Amazon EC2 Reserved Instance (RI) purchases are reviewed every 7 days to make sure that no unwanted RI purchase has been placed recently.

This rule can help you with the following compliance standards:

  • AWAF

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost
optimisation

By checking your Amazon EC2 Reserved Instance purchases on a regular basis you can detect and cancel any unwanted purchases placed within your AWS cloud account and avoid unexpected charges on your AWS bill.

Note: You can change the default threshold value (7 days) for the review time frame within the conformity rule settings, using the Trend Micro Cloud One™ – Conformity console.

Audit

To identify the Reserved Instance purchases placed recently within your AWS cloud account for review purposes, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Reserved Instances.

04 Click inside the Filter by attributes or search by keyword box located under the console top menu, choose State, and select Active. This filtering technique will return the active Amazon EC2 reservation purchases available in the current AWS cloud region.

05 Click inside the Filter by attributes or search by keyword box, choose Start, and set the Date and Time required for the review. After the right date and time is set (i.e. 7 days before), select After this date and choose Set to apply the date/time filter that will return the Reserved Instance purchase requests placed after the date/time set. This filtering technique will return the active Amazon EC2 reservation purchases placed in the last 7 days, within the current AWS cloud region. If no purchases matching your filter criteria are found, there were no Reserved Instance purchases placed in the last week. If one or more purchases matching your filter criteria are returned by the Amazon EC2 console and you are unaware of any these purchases, check your Amazon CloudTrail logs or contact AWS Support Center to resolve the purchase issue for the unwanted reservation.

06 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using predefined and custom query filters to list the IDs of the active Amazon EC2 reservations available in the selected AWS region: 

aws ec2 describe-reserved-instances
  --region us-east-1
  --filters "Name=state,Values=active"
  --output table
  --query 'ReservedInstances[*].ReservedInstancesId'

02 The command output should return the requested reservation identifiers (IDs): 

----------------------------------------
|        ReservedInstancesIds          |
+--------------------------------------+
| abcdabcd-1234-abcd-1234-abcd1234abcd |
| 12341234-abcd-1234-abcd-1234abcd1234 |
----------------------------------------

03 Run describe-reserved-instances command (OSX/Linux/UNIX) using the ID of the active Amazon EC2 reservation that you want to examine as the identifier parameter and custom query filters to describe the date/time at which the Reserved Instance purchase request was placed: 

aws ec2 describe-reserved-instances
  --region us-east-1
  --reserved-instances-ids abcdabcd-1234-abcd-1234-abcd1234abcd
  --query 'ReservedInstances[*].Start'

04 The command output should return the requested reservation information: 

[
	"2021-04-126T14:00:00.000Z"
]

If the date/time returned by the describe-reserved-instances command output for the selected reservation indicates a recent Reserved Instance purchase request (i.e. a request placed in the last 7 days) and you are unaware of this purchase, check your Amazon CloudTrail logs or contact AWS Support Center to resolve the purchase issue for the unwanted reservation.

05 Repeat steps no. 3 and 4 for each active Reserved Instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Remediation / Resolution

Case A: Check your Amazon CloudTrail logs (if Cloudtrail service is enabled) from the date when the unwanted purchase request was placed to determine the request origin and context. To find and analyze the necessary AWS API logging data, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the trail that you want to examine, available in the same AWS cloud region as the unwanted Amazon EC2 reservation.

05 In the General details section, click on the trail log file, available under Trail log location.

06 Navigate to the appropriate trail log file location, i.e. <trail-log-bucket>/AWSLogs/<aws-account-id>/CloudTrail/<aws-region>/<year>/<month>/<day> and identify the CloudTrail log file that contains the API activity recorded on the same date as the unwanted purchase request.

07 Select the Amazon CloudTrail log file that you want to examine, choose Actions, and select Open to download and open the log file in your browser.

08 Once the CloudTrail log file is opened, search for the following attributes in order to identify the necessary log record:

  1. "eventSource":"ec2.amazonaws.com" – for the name of the AWS service used to place the Reserved Instance purchase request.
  2. "eventName":"PurchaseReservedInstancesOffering" – for the name of the AWS API action/command used to place the Reserved Instance purchase request.
  3. "eventTime":"" – for the date/time when the Reserved Instance purchase request was placed.

09 Identify the right CloudTrail log entry (record) based on the attributes listed at the previous step and verify the "userIdentity" attribute value to determine the origin and context for the selected unwanted purchase request.

10 Repeat steps no. 4 – 9 to verify the request origin and context for other unwanted reservation purchases placed in the selected AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list the names of all the CloudTrail trails available within the selected AWS cloud region: 

aws cloudtrail describe-trails
  --region us-east-1
  --output table
  --query 'trailList[*].Name'

02 The command output should return a table with the requested trail name(s): 

------------------------------
|       DescribeTrails       |
+----------------------------+
|  aws-cloudtrail-log-trail  |
+----------------------------+

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the trail returned at the previous step as the identifier parameter and custom query filters to get the name of the Amazon S3 bucket used to store the log files for the selected trail: 

aws cloudtrail describe-trails
  --region us-east-1
  --trail-name-list aws-cloudtrail-log-trail
  --query 'trailList[*].S3BucketName'

04 The command output should return the name of the requested S3 bucket: 

[
	"aws-cloudtrail-logs"
]

05 Run list-objects command (OSX/Linux/UNIX) to list the names of all the Amazon S3 objects (i.e. log files) available within the selected S3 bucket: 

aws s3api list-objects
  --region us-east-1
  --bucket aws-cloudtrail-logs
  --query 'Contents[].Key'

06 The command output should return the name of each S3 object available within the selected bucket: 

[
	"AWSLogs/123456789012/CloudTrail/us-east-1/2021/04/08/123456789012_CloudTrail_us-east-1_20210408T1800Z_abcd1234abcd1234.json.gz",
	"AWSLogs/123456789012/CloudTrail/us-east-1/2021/04/08/123456789012_CloudTrail_us-east-1_20210408T1805Z_1234abcd1234abcd.json.gz"
]

07 Run get-object command (OSX/Linux/UNIX) to download the required Amazon CloudTrail log file from the specified S3 bucket: 

aws s3api get-object
  --region us-east-1
  --bucket aws-cloudtrail-logs
  --key AWSLogs/123456789012/CloudTrail/us-east-1/2021/04/08/123456789012_CloudTrail_us-east-1_20210408T1800Z_abcd1234abcd1234.json.gz

08 The command output should return the get-object command request metadata: 

{
	"AcceptRanges": "bytes",
	"ContentType": "application/json",
	"LastModified": "Sat, 08 Apr 2021 18:00:00 GMT",
	"ContentLength": 4291,
	"ContentEncoding": "gzip",
	"ETag": "\"abcdabcdabcdabcdabcdabcdabcd\"",
	"ServerSideEncryption": "AES256",
	"Metadata": {}
}

09 Extract and open the CloudTrail log file downloaded at the previous steps in your preferred text editor.

10 Once the CloudTrail log file is opened, search for the following attributes in order to identify the necessary log record:

  1. "eventSource":"ec2.amazonaws.com" – for the name of the AWS service used to place the Reserved Instance purchase request.
  2. "eventName":"PurchaseReservedInstancesOffering" – for the name of the AWS API action/command used to place the Reserved Instance purchase request.
  3. "eventTime":"" – for the date/time when the Reserved Instance purchase request was placed.

11 Identify the right CloudTrail log entry (record) based on the attributes listed at the previous step and verify the "userIdentity" attribute value to determine the origin and context for the selected unwanted purchase request.

12 Repeat steps no. 3 – 11 to verify the request origin and context for other unwanted reservation purchases placed in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Case B: To mitigate unwanted Amazon EC2 reservation purchases, you can contact Amazon Web Services and ask for purchase cancellation. To create the necessary case through the AWS Support Center, perform the following:

Note: Requesting AWS to cancel your unwanted reservation purchases using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center console at https://console.aws.amazon.com/support/.

03 In the Open support cases section, choose Create case to initiate the request process.

04 On the Create case page, perform the following actions:

  1. Select Account and billing support option.
  2. Select Billing from the Type dropdown list.
  3. Select Reserved Instances from the Category dropdown list.
  4. Provide the request subject in the Subject box, e.g. "Cancel Unwanted Amazon EC2 Reserved Instance Purchase".
  5. For Description, provide the reason why do you need to cancel your recent reservation purchase and explain how and when this unwanted purchase request was placed. This will help the AWS support team to evaluate your request.
  6. For Contact options, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support team can use to respond to your request from the Contact methods section.
  7. Choose Submit to send your request to Amazon Web Services. A customer support representative should contact you shortly.

References

Publication date Mar 14, 2017

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

EC2 Reserved Instance Recent Purchases

Risk Level: Low