|   Trend Micro Cloud One™
Open menu

Unused EC2 Reserved Instances

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Knowledge Base Amazon Web Services Amazon EC2 Unused EC2 Reserved Instances
Last updated: 13 May 2020
Risk level: High (not acceptable risk)
Rule ID: EC2-054

Ensure that all purchased AWS EC2 Reserved Instances (RI) have corresponding instances running within the same account or within any linked AWS accounts available in an AWS Organization (if you are using one). A corresponding instance is an EC2 instance (i.e. virtual server) provisioned based on the existing RI reservation criteria such as Region, Instance Type, Tenancy and Platform (OS).

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • AWAF

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Cost
optimisation

When an AWS EC2 Reserved Instance is not used (i.e. does not have a running corresponding EC2 instance) the investment made is not valorized. For example, if you reserve a c4.large EC2 instance with default tenancy within US East (N. Virginia) region but for some reason you don't provision an instance with the same type and tenancy, in the same region of the same AWS account or in any other linked AWS accounts available within your AWS Organization, the specified RI is considered unused and you end up paying for a service that you don't use.

Note: To receive the right cost optimisation recommendations, you need to enable the Cost Optimisation package for your account and plug in all your AWS Billing accounts into Cloud Conformity using the console.

Audit

To determine if you have any unused EC2 Reserved Instances within your AWS account or AWS Organization (available only if you are using Consolidated Billing), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Reserved Instances.

04 Select the active Reserved Instance (RI) that you want to examine.

05 Select the Details tab from the dashboard bottom panel and copy the following attributes values: Instance Type, Platform, Tenancy and Availability Zone (if applicable).

06 Within the same AWS region, in the navigation panel, under INSTANCES section, choose Instances.

07 On the EC2 dashboard, click inside the attributes filter box located under the dashboard top menu, choose Instance Type parameter from the dropdown list, paste the instance type value copied at step no. 5 and press Enter. Repeat this step for Platform, Tenancy and Availability Zone parameters using the values copied at step no. 5. To search for active EC2 instances only, choose Instance State then select Running from the dropdown list. This filtering method e.g.

search for active EC2 instances only

will help you to determine if there are any EC2 instance that match the selected RI criteria, available in the current AWS region. If no EC2 instances matching your filter criteria are found, the selected Reserved Instance does not have a corresponding instance running within the current region, therefore the purchased RI is not being used.

08 If you are using Consolidated Billing and the current AWS account is member of an AWS Organization, access the Instances page on each linked account, using the same region, and repeat step no. 7 to check for any corresponding EC2 instance.

09 Repeat steps no. 4 - 8 for other EC2 Reserved Instances (RIs) available in the current region.

10 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-reserved-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all active EC2 Reserved Instances, available in the selected AWS region: 

aws ec2 describe-reserved-instances
	--region us-east-1
	--filters Name=state,Values=active
	--output table
	--query 'ReservedInstances[*].ReservedInstancesId'

02 The command output should return a table with the requested EC2 RI IDs: 

----------------------------------------
|        ReservedInstancesIds          |
+--------------------------------------+
| 73904b7a-5e4e-4325-464b-13cf48d3b301 |
| 210509b8-f51e-65c6-b3e9-baa2dbdef045 |
+--------------------------------------+

03 Run again describe-reserved-instances command (OSX/Linux/UNIX) using your RI instance ID returned at the previous step and appropriate filtering to describe the selected Reserved Instance attributes: 

aws ec2 describe-reserved-instances
	--region us-east-1
	--reserved-instances-ids 73904b7a-5e4e-4325-464b-13cf48d3b301

04 The command output should return the requested RI attributes, information that will be useful later to search for EC2 instances that match the purchase criteria: 

aws ec2 describe-reserved-instances
{
    "ReservedInstances": [
        {
            "ReservedInstancesId": "73904b7a-5e4e-4325-464b-13cf48d3b301",
            "OfferingType": "No Upfront",
            "AvailabilityZone": "us-east-1b",
            "End": "2017-08-21T19:43:23.000Z",
            "ProductDescription": "Linux/UNIX (Amazon VPC)",
            "Scope": "Availability Zone",
            "UsagePrice": 0.0,
            "RecurringCharges": [
                {
                    "Amount": 0.048,
                    "Frequency": "Hourly"
                }
            ],
            "OfferingClass": "standard",
            "Start": "2016-08-21T19:43:24.352Z",
            "State": "active",
            "FixedPrice": 0.0,
            "CurrencyCode": "USD",
            "Duration": 31536000,
            "InstanceTenancy": "default",
            "InstanceType": "c4.large",
            "InstanceCount": 1
        }
    ]
}

05 Run describe-instances command (OSX/Linux/UNIX) using predefined filters to list the ID of the EC2 instance that match the selected RI purchase criteria, available within the selected AWS region. To define the right values for the required command filters, use the output information returned at the previous step. The following command example should return the ID of a running c4.large EC2 instance, that utilizes the default/shared tenancy and Linux as OS platform, provisioned in the us-east-1b Availability Zone, within the N. Virginia (us-east-1) AWS region: 

aws ec2 describe-instances
	--region us-east-1
	--filters "Name=instance-type,Values=c4.large"
		"Name=tenancy,Values=default"
		"Name=availability-zone,Values=us-east-1b"
		"Name=instance-state-name,Values=running"
	--query 'Reservations[*].Instances[*].InstanceId[]'

06 The command output should return an array that contains the requested EC2 instance ID or an empty array if no instance matches the filter criteria: 

aws ec2 describe-instances
[]

If the command output returns an empty array, i.e. [ ], the selected Reserved Instance does not have a corresponding EC2 instance running within the selected region, therefore the purchased AWS RI is not currently utilized.

07 If you have an active AWS Consolidated Billing implementation and the current AWS account is member of an AWS Organization, repeat step no. 5 and 6 to check for the corresponding EC2 instance within other AWS accounts, members of the AWS Organization.

08 Repeat steps no. 3 - 7 for other EC2 Reserved Instances (RIs) available within the selected region.

09 Change the AWS region by updating the --region command parameter value and perform the entire audit process for other regions.

Remediation / Resolution

Case A: Since AWS EC2 Standard Reserved Instances cannot be canceled, the only way to remove the unneeded EC2 RIs and reclaim their cost is to sell them to other businesses and organizations on Amazon EC2 Reserved Instance Marketplace. To list eligible RIs for sale on the Reserved Instance Marketplace, perform the following:

Note 1: Reserved Instances can be sold only after 30 days from the purchase date. Also, there must be at least one month remaining in the term of the EC2 RI that you are listing on Amazon Marketplace.
Note 2: Convertible AWS EC2 RIs cannot be listed on the Reserved Instance Marketplace.
Note 3: To be able to sell unneeded RIs on Amazon EC2 Reserved Instance Marketplace you must have a valid U.S. bank account.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, choose Reserved Instances.

04 If this is the first time when you are listing AWS EC2 RIs for sale, click the Actions dropdown button from the dashboard top menu and select Sell Reserved Instances option, otherwise skip to step no. 10.

05 Inside Sell Your Reserved Instance dialog box, click Register to initiate the registration wizard.

06 On Account Information page, provide a name for the seller in the Business Name box then click Continue.

07 On Add Bank Account page, register a U.S. bank account as the deposit of your sales by providing the bank account number, account holder name and the necessary routing number. Once your bank account information is validated, click Continue.

08 On the Confirmation page click Continue finish the registration wizard.

09 Go back to the navigation panel and under INSTANCES section click Reserved Instances.

10 Select the AWS EC2 Reserved Instance that you want to sell (see Audit section part I to identify the right EC2 resource).

11 Click the Actions dropdown button from the dashboard top menu and select Sell Reserved Instances.

12 In the Sell Your Reserved Instance dialog box, perform the following actions:

  1. Click Get Started to start listing your selected Reserved Instance.
  2. Within Configure Your Reserved Instance Listing section, set the number of Reserved instances you would like to sell and the upfront price for each one, then click Continue.
  3. In the Confirm Your Reserved Instance Listing section, review the RI listing details then click List Reserved Instances to list your instances on Amazon EC2 Reserved Instance Marketplace. Click Close to return to the EC2 dashboard.

13 Repeat steps no. 10 - 12 to list for sale other unneeded EC2 Reserved Instances, that have been purchased in the current AWS region and account or within any other member (linked) accounts available in your AWS Organization (if you are using one).

14 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run create-reserved-instances-listing command (OSX/Linux/UNIX) to create a listing for your unused EC2 Standard Reserved Instance (see Audit section part II to identify the right resource), to be sold on the Amazon EC2 Reserved Instance Marketplace. The following command example creates an AWS RI listing of $420.00 for an EC2 Reserved Instance with the ID 73904b7a-5e4e-4325-464b-13cf48d3b301, available in the N. Virginia (us-east-1) region, that has 6 months remaining in the reservation timeframe: 

aws ec2 create-reserved-instances-listing
	--region us-east-1
	--reserved-instances-id 73904b7a-5e4e-4325-464b-13cf48d3b301
	--instance-count 1
	--price-schedules Term=6,Price=420.00,CurrencyCode="USD"

02 The command output should return the EC2 RI listing metadata: 

{
   "ReservedInstancesListings": [
        {
            "ReservedInstancesId": "73904b7a-5e4e-4325-464b-13cf48d3b301",
            "CreateDate": "2017-03-05T14:15:37.352Z",
            "InstanceCounts": [
                {
                    "State": "active",
                    "InstanceCount": 1
                }
            ],

            ...

            "PriceSchedules": [
                {
                    "Term": 6,
                    "Price": 420.00,
                    "CurrencyCode": "USD",
                    "Active": "true"
                }
            ],
            "Tags": [],
            "Status": "fulfilled",
            "ClientToken": "ba0db215-5222-7889-2216-0cf0e52dc45c"
        }
    ]
}

03 Repeat step no. 1 and 2 to create sale listings for other unneeded EC2 Reserved Instances, that have been purchased in the selected AWS region and account or within any other linked accounts available in your AWS Organization (if applicable).

04 Change the AWS region by updating the --region command parameter value and perform the entire process for other regions.

Case B: Provision corresponding EC2 instances for unused Amazon EC2 Reserved Instances purchased within the current AWS account or within any other member accounts available in your AWS Organization (if you are using one). To launch EC2 instances that match the RIs purchase criteria, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, select Instances.

04 Click the Launch Instance button from the EC2 dashboard top menu to initiate the launch process.

05 On Step 1: Choose an Amazon Machine Image (AMI) page, choose an AMI provided by AWS, the Amazon user community, the AWS Marketplace or select one of your own AMIs. The chosen image must use the same OS platform (e.g. Linux, Windows) as the one selected at EC2 RI purchase (see Audit section part I, step no. 5 to identify the OS platform used).

06 On Step 2: Choose an Instance Type page, select the same instance type as the one used by your EC2 Reserved Instance (see Audit section part I, step no. 5 to identify the right instance type) then click Next: Configure Instance Details button.

07 On Step 3: Configure Instance Details page, select the required Availability Zone (see Audit section part I, step no. 5) from the Subnet dropdown list, select Shared from the Tenancy dropdown list and configure any other options available on this page based on your requirements. Click Next: Add Storage to continue the process.

08 On Step 4: Add storage page, configure the instance volume(s) based on your application(s) requirements then click Next: Add Tags.

09 On Step 5: Add Tags page, configure any necessary tags, then click Next: Configure Security Group button to continue.

10 On Step 6: Configure Security Groups, choose Create a new security group, enter a name for the new security group and define the necessary inbound rules required by your application(s). Click Review and Launch to review your new EC2 instance configuration details then click Launch.

11 In the Select an existing key pair or create a new key pair dialog box, select Create a new key pair, provide a name for the new key, then click Launch Instances.

12 Click View Instances to return to the Instances page. The new instance will have the same configuration attributes as the existing AWS EC2 Reserved Instance.

13 Repeat steps no. 4 – 12 to provision corresponding EC2 instances for other Amazon EC2 Reserved Instances purchased in the current AWS region and account or within any other member accounts available in your AWS Organization (if you are using one).

14 Change the AWS region from the navigation bar and repeat the entire remediation process for other regions.

Using AWS CLI

01 First, create the corresponding EC2 instance dependencies – the 2048-bit RSA key pair and the required security group:

  1. Run create-key-pair command (OSX/Linux/UNIX) to set up a new RSA key pair in the selected AWS region: 
    aws ec2 create-key-pair
	--region us-east-1
	--key-name SSHKey
  2. The command output should return the ASCII version of the private key and the key fingerprint. Save the content of your key, listed as the KeyMaterial parameter value, in a PEM file, in a safe location on your machine: 
    {
    "KeyMaterial": "-BEGIN RSA PRIVATE KEY- ... -END RSA PRIVATE KEY-",
    "KeyName": "SSHKey",
    "KeyFingerprint": "de:45:92:4a:5a:06:21 ... cc:22:0f:0e:c9:g4:8d"
}
  3. Run create-security-group command (OSX/Linux/UNIX) to set up the new security group. The following command example creates a security group called EC2InstanceSG inside the VPC identified with the ID vpc-d14e9385, within the us-east-1 region: 
    aws ec2 create-security-group
	--region us-east-1
	--group-name EC2InstanceSG
	--description "My EC2 Security Group"
	--vpc-id vpc-d14e9385
  4. The command output should return the new security group ID: 
    {
    "GroupId": "sg-4315d739"
}
  5. Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add one or more inbound rules to the security group created at the previous step (no command output is returned): 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-4315d739
	--protocol tcp
	--port 80
	--cidr 0.0.0.0/0

02 Now execute run-instances command (OSX/Linux/UNIX) to launch a corresponding EC2 instance that matches the existing RI purchase criteria. The following command example creates an c4.large EC2 instance using an AMI with the ID ami-c31eg8ad (based on Linux OS platform) inside a subnet with the ID subnet-20e7cb6e provisioned in the us-east-1b Availability Zone, within US East (N. Virginia) region: 

aws ec2 run-instances
	--region us-east-1
	--instance-type c4.large
	--image-id ami-c31eg8ad
	--subnet-id subnet-20e7cb6e
	--count 1
	--key-name SSHKey
	--security-groups EC2InstanceSG

03 The command output should return the new EC2 instance configuration metadata: 

{
    "OwnerId": "123456789012",
    "ReservationId": "r-0c24eacd1e79647c5",
    "Groups": [],
    "Instances": [
        {
            "EbsOptimized": false,
            "LaunchTime": "2017-03-03T18:40:53.000Z",
            "PrivateIpAddress": "172.18.37.51",
            "InstanceId": "i-023adbdd06d11c1dc",
            "ImageId": "ami-c31eg8ad",
            "KeyName": "SSHKey",
            "SecurityGroups": [
                {
                    "GroupName": "EC2InstanceSG",
                    "GroupId": "sg-4315d739"
                }
            ],

            ...

            "ClientToken": "",
            "SubnetId": "subnet-20e7cb6e",
            "InstanceType": "c4.large",
            "Hypervisor": "xen",
            "BlockDeviceMappings": [],
            "Architecture": "x86_64",
            "StateReason": {
                "Message": "pending",
                "Code": "pending"
            },
            "RootDeviceName": "/dev/xvda",
            "VirtualizationType": "hvm",
            "AmiLaunchIndex": 0
        }
    ]
}

04 Repeat steps no. 1 – 3 to provision corresponding EC2 instances for other Amazon EC2 Reserved Instances purchased in the current AWS region and account or within any other member accounts available in your AWS Organization (if applicable).

05 Change the AWS region by updating the --region command parameter value and perform the entire process for other regions.

References

Publication date Mar 7, 2017

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base

Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Unused EC2 Reserved Instances

Risk level: High