
RDS Reserved DB Instance Recent Purchases

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: RDS-018

Ensure that all Amazon RDS Reserved Instance (RI) purchases are reviewed every 7 days in order to confirm that no unwanted reservation purchase has been placed recently.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

By checking your RDS Reserved Instances on a regular basis you can detect and cancel any unwanted purchases placed within your AWS account and avoid unexpected charges on your AWS monthly bill.

Note: You can change the default threshold value (7 days) for the review time range within the rule settings available on the Cloud Conformity console.


Audit

To identify all active RDS RI purchases available in your AWS account for review purposes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Reserved Purchases.

04 Choose the active RDS Reserved Instance that you want to examine.

05 Click the Show or Hide Item Details button available for the selected RI to expand the reservation details panel and check the Start Date attribute value (e.g. March 16, 2017 at 9:50:14 PM UTC+2). If the Start Date value shows an AWS RDS RI purchase request placed in the last 7 days and you are unaware of this purchase, verify your AWS CloudTrail logs or contact Amazon Web Services using the Support Center console to solve the unwanted RI purchase issue (see Remediation/Resolution section for more details).

06 Repeat steps no. 4 and 5 to check the RI purchase request Start Date for other RDS Reserved Instances available within the selected region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-reserved-db-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all RDS Reserved Instances purchased within the selected AWS region:

aws rds describe-reserved-db-instances \
	--region us-east-1 \
	--output table \
	--query 'ReservedDBInstances[*].ReservedDBInstanceId'

02 The command output should return a table with the requested RDS RI IDs:

-----------------------------
|DescribeReservedDBInstances|
+---------------------------+
|  RDSMySQL1yReservation    |
|  PostgreSQL3YReservation  |
+---------------------------+

03 Run describe-reserved-db-instances command again (OSX/Linux/UNIX), using the ID of the RDS RI returned at the previous step as the identifier together with custom query filters, to reveal the date at which the RDS reservation purchase request was placed:

aws rds describe-reserved-db-instances \
	--region us-east-1 \
	--reserved-db-instance-id RDSMySQL1yReservation \
	--query 'ReservedDBInstances[*].StartTime'

04 The command output should return the date/time when the requested RDS reservation started:

[
    "2017-03-16T09:50:14.352Z"
]

If the date returned as the StartTime parameter value indicates an RDS RI purchase request placed in the last 7 days and you are unaware of this purchase, verify your AWS CloudTrail logs or contact AWS using the Support Center console to solve the issue.

05 Repeat steps no. 3 and 4 to check the purchase request timestamp for other RDS reservations available in the selected region.

06 Change the AWS region by updating the --region command parameter value and perform the entire audit process for other regions.
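The CLI steps above check one reservation at a time. The following Python script is an added example (not Conformity's own code and not part of the AWS CLI) that applies the same 7-day review window to the full JSON that aws rds describe-reserved-db-instances --output json prints, so every reservation in a region is checked in one pass and the threshold can be changed to match the rule setting. The payload, the review timestamp and the second reservation's start date are constructed for the demonstration; the reservation IDs are the ones used in this article.

```python
"""Flag RDS Reserved Instance purchases that fall inside the review window.

Added example, not part of the Conformity article. Feed it the output of:
    aws rds describe-reserved-db-instances --region us-east-1 --output json
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of describe-reserved-db-instances output
# (IDs taken from the article, timestamps made up for the demo).
SAMPLE_OUTPUT = json.dumps({
    "ReservedDBInstances": [
        {
            "ReservedDBInstanceId": "RDSMySQL1yReservation",
            "StartTime": "2017-03-16T09:50:14.352Z",
            "State": "active",
        },
        {
            "ReservedDBInstanceId": "PostgreSQL3YReservation",
            "StartTime": "2016-01-02T08:00:00.000Z",
            "State": "active",
        },
    ]
})

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
REVIEW_TIME = datetime(2017, 3, 18, 12, 0, tzinfo=timezone.utc)


def parse_start_time(value):
    """Parse the StartTime string emitted by the AWS CLI.

    CLI v1 prints '...14.352Z', CLI v2 prints '...14.352000+00:00'; both are accepted.
    """
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recent_reservations(payload, now, threshold_days=7):
    """Return (reservation id, start time) for every reservation purchased within threshold_days of now.

    Retired reservations have expired and are skipped; any other state is kept,
    because a purchase placed moments ago may not show as 'active' yet.
    """
    window_start = now - timedelta(days=threshold_days)
    hits = []
    for ri in json.loads(payload).get("ReservedDBInstances", []):
        if ri.get("State") == "retired":
            continue
        started = parse_start_time(ri["StartTime"])
        if window_start <= started <= now:
            hits.append((ri["ReservedDBInstanceId"], started))
    return hits


if __name__ == "__main__":
    for ri_id, started in recent_reservations(SAMPLE_OUTPUT, REVIEW_TIME):
        print(f"review: {ri_id} purchased {started.isoformat()} (inside the 7-day window)")
```

Run it once per region (the CLI call is region-scoped, exactly like step 06), and treat every reservation it lists that you cannot account for as a candidate for the CloudTrail check in the Remediation / Resolution section.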

Remediation / Resolution

Case A: Check the CloudTrail service logs (if Amazon CloudTrail is enabled) from the date when the RDS RI purchase request was placed to determine the request origin and context. To find and analyze the necessary AWS API logging data recorded by CloudTrail, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel select Trails.

04 Under Name column, select the trail name that you need to examine, available in the same AWS region as the identified unwanted RDS RI purchases.

05 Within Storage location section, check the name of the S3 bucket used to store the trail log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket utilized to store the CloudTrail logging data and use the date-based object key prefix (e.g. cloudtrail-logging-bucket/AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/16) to open the right log file (S3 object) for analysis.

08 Based on the log file name (e.g. 123456789012_CloudTrail_us-east-1_20170316T0950Z_35ZWtvmCq5cuBxWyZ.json.gz), identify the CloudTrail log file that contains the API activity recorded on the same date as the unwanted RDS RI purchase request, click the Actions dropdown button from the dashboard top menu and select Open to open the log file in your browser.

09 Once the right CloudTrail log file is opened, search for the following attributes in order to identify the log record that contains the API information of the purchase request:

  1. "eventSource":"rds.amazonaws.com" – for the name of the AWS service used to place the RI purchase request.
  2. "eventName":"PurchaseReservedDBInstancesOffering" – for the name of the AWS API action used to place the RI purchase request.
  3. "eventTime":"2017-03-16T09:50:14.352Z" – for the date when the RDS RI purchase request was placed.

10 Identify the right CloudTrail log record based on the attributes listed at the previous step and verify the "userIdentity" attribute value to determine the selected unwanted RDS RI purchase request origin and context.

11 Repeat steps no. 7 – 10 to verify the request origin and context for other unwanted RDS reservation purchases placed in the selected region.

12 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list the names of all Amazon CloudTrail trails currently available within the selected AWS region:

aws cloudtrail describe-trails \
	--region us-east-1 \
	--output table \
	--query 'trailList[*].Name'

02 The command output should return a table with the requested trail name(s):

---------------------------
|     DescribeTrails      |
+-------------------------+
|  cc-global-cloud-trail  |
+-------------------------+

03 Run describe-trails command again (OSX/Linux/UNIX), using the name of the trail returned at the previous step and custom query filters, to get the name of the S3 bucket used to store the log files for the selected trail:

aws cloudtrail describe-trails \
	--region us-east-1 \
	--trail-name-list cc-global-cloud-trail \
	--query 'trailList[*].S3BucketName'

04 The command output should return the name of the requested S3 bucket:

[
    "cc-cloud-trail-logs"
]

05 Run list-objects command (OSX/Linux/UNIX) to list the names of all S3 objects available within the selected S3 bucket:

aws s3api list-objects \
	--region us-east-1 \
	--bucket cc-cloud-trail-logs \
	--query 'Contents[].Key'

06 The command output should expose the name of each S3 object (i.e. CloudTrail log file) currently available in the selected S3 bucket:

[
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/16/123456789012_CloudTrail_us-east-1_20170316T0950Z_35ZWtvmCq5cuBxWyZ.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/16/123456789012_CloudTrail_us-east-1_20170316T0950Z_65ZWtvmCqOcuwXIo.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/16/123456789012_CloudTrail_us-east-1_20170316T0950Z_ntG0rPDvTVMKJdLe.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/16/123456789012_CloudTrail_us-east-1_20170316T0950Z_00euohtdKFqkNjPH.json.gz"
]

07 Run get-object command (OSX/Linux/UNIX) to get the right CloudTrail log file from the specified S3 bucket and download it to your machine:

aws s3api get-object \
	--region us-east-1 \
	--bucket cc-cloud-trail-logs \
	--key AWSLogs/123456789012/CloudTrail/us-east-1/2017/03/16/123456789012_CloudTrail_us-east-1_20170316T0950Z_35ZWtvmCq5cuBxWyZ.json.gz \
	35ZWtvmCq5cuBxWyZ.json.gz

08 The command output should return the GET request metadata:

{
    "AcceptRanges": "bytes",
    "ContentType": "application/json",
    "LastModified": "Sat, 16 Mar 2017 09:50:35 GMT",
    "ContentLength": 791,
    "ContentEncoding": "gzip",
    "ETag": "\"cd5bfa01349b8713ec69e0e4cf6971ba\"",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}

09 Now extract and open the required CloudTrail log file, downloaded at the previous step, e.g. 35ZWtvmCq5cuBxWyZ.json.gz.

10 Once the log file is opened, search for the following attributes in order to identify the required log record:

  1. "eventSource":"rds.amazonaws.com" – for the name of the AWS service used to place the RI purchase request.
  2. "eventName":"PurchaseReservedDBInstancesOffering" – for the name of the AWS API action used to place the RI purchase request.
  3. "eventTime":"2017-03-16T09:50:14.352Z" – for the date when the RDS RI purchase request was placed.

11 Identify the right CloudTrail log record entry based on the attributes listed above and verify the "userIdentity" attribute value to determine the unwanted RDS RI purchase request origin and context.

12 Repeat steps no. 7 – 11 to verify the request origin and context for other unwanted RDS RI purchases available within the selected region.

13 Change the AWS region by updating the --region command parameter value and perform the entire process for other regions.
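Steps 09-10 of the console procedure and steps 10-11 of the CLI procedure both come down to scanning a gzipped CloudTrail log file for the three attributes eventSource, eventName and eventTime and then reading userIdentity from the matching record. The script below is an added example (not Conformity's code and not an AWS tool) that performs that scan over a *.json.gz file such as the one downloaded with get-object and returns who placed each PurchaseReservedDBInstancesOffering call, from where, and for which reservation. The log file is constructed in memory for the demonstration; the account ID, ARNs, IP address and requestParameters keys are placeholders that follow the CloudTrail record layout.

```python
"""Locate the CloudTrail record behind an RDS Reserved Instance purchase.

Added example, not part of the Conformity article. Point it at the log
object downloaded in step 07 (e.g. 35ZWtvmCq5cuBxWyZ.json.gz).
"""
import gzip
import json

# Constructed two-record log file in CloudTrail's {"Records": [...]} envelope.
SAMPLE_LOG_GZ = gzip.compress(json.dumps({
    "Records": [
        {   # unrelated read-only call, must not match
            "eventVersion": "1.05",
            "eventTime": "2017-03-16T09:48:02Z",
            "eventSource": "rds.amazonaws.com",
            "eventName": "DescribeDBInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dba"},
        },
        {   # the purchase request this rule is about
            "eventVersion": "1.05",
            "eventTime": "2017-03-16T09:50:14Z",
            "eventSource": "rds.amazonaws.com",
            "eventName": "PurchaseReservedDBInstancesOffering",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {
                "type": "AssumedRole",
                "arn": "arn:aws:sts::123456789012:assumed-role/Admin/session1",
                "sessionContext": {"sessionIssuer": {"userName": "Admin"}},
            },
            "requestParameters": {  # placeholder keys, constructed for the demo
                "reservedDBInstanceId": "RDSMySQL1yReservation",
                "dBInstanceCount": 1,
            },
        },
    ]
}).encode())


def find_ri_purchase_events(gz_bytes, on_date=None):
    """Return a summary of every PurchaseReservedDBInstancesOffering record in one log file.

    on_date ("YYYY-MM-DD", UTC) optionally restricts matches to that day,
    the same eventTime filter the manual steps describe.
    """
    records = json.loads(gzip.decompress(gz_bytes))["Records"]
    matches = []
    for rec in records:
        if rec.get("eventSource") != "rds.amazonaws.com":
            continue
        if rec.get("eventName") != "PurchaseReservedDBInstancesOffering":
            continue
        if on_date and rec["eventTime"][:10] != on_date:
            continue
        identity = rec.get("userIdentity", {})
        matches.append({
            "eventTime": rec["eventTime"],
            "region": rec.get("awsRegion"),
            "identityType": identity.get("type"),
            "principalArn": identity.get("arn"),
            "sourceIp": rec.get("sourceIPAddress"),
            "reservationId": rec.get("requestParameters", {}).get("reservedDBInstanceId"),
            "errorCode": rec.get("errorCode"),  # set only when the API call was denied or failed
        })
    return matches


if __name__ == "__main__":
    import sys
    # Usage: python find_ri_purchase.py 35ZWtvmCq5cuBxWyZ.json.gz [2017-03-16]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        day = sys.argv[2] if len(sys.argv) > 2 else None
    else:
        data, day = SAMPLE_LOG_GZ, "2017-03-16"
    for m in find_ri_purchase_events(data, on_date=day):
        print(json.dumps(m, indent=2))
```

CloudTrail writes several objects per day (step 06 lists four for a single hour), and the purchase record can be in any of them, so run the script over every object under the date prefix rather than the first one. A record whose errorCode is empty is a purchase that succeeded; the principalArn and sourceIp fields are what you will need when explaining the request's origin in the support case described in Case B.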

Case B: Another way to mitigate unwanted RDS Reserved Instance purchase requests is to contact Amazon Web Services and ask for RI purchases cancellation. To create the necessary case through the AWS Support Center, perform the following:

Note: Requesting Amazon to cancel your unwanted RDS RI purchase requests using AWS Management Console or AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center page at https://console.aws.amazon.com/support/.

03 On Support Center page, click Create case button to initiate the process.

04 On the Create Case page, perform the following:

  1. Under Regarding, select Account and Billing Support option.
  2. Choose Billing from the Service dropdown list to send your request to AWS Billing and Cost Management service.
  3. Select Reserved Instances from the Category dropdown list.
  4. Inside the Subject box, enter a subject for your request such as "Cancel unwanted AWS RDS Reserved Instance purchase".
  5. Inside the Description textbox, provide the reason why you need to cancel your recent RDS RI purchase and explain how and when this unwanted purchase request was placed. This will help the AWS support team evaluate your request accordingly.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the cancellation request for your unwanted RDS Reserved Instance purchase to Amazon Web Services. A customer support representative will contact you shortly.


Publication date Mar 14, 2017
