Guideline for removing stopped EC2 instances after a set time period.
Rule      | Stopped EC2 instances should be removed after a specified time period
Framework | AWS Foundational Security Best Practices
Severity  | Medium
Rule Description:
The rule dictates that any stopped EC2 (Elastic Compute Cloud) instances should be automatically removed after a specified time period. This practice is in line with the AWS Foundational Security Best Practices to minimize security risks and optimize resource utilization within the AWS environment.
By removing stopped instances promptly, you can reduce the attack surface and potential vulnerability exposure. Moreover, it helps prevent unnecessary costs associated with maintaining idle resources.
Troubleshooting Steps:
Identify stopped instances: Start by identifying the stopped EC2 instances in your AWS account.
Determine the specified time period: Verify the time period after which the instances should be removed. This information may be provided by your organization's security policies or can be defined based on operational requirements.
Check instance state: Confirm the state of the identified instances. Ensure that they are truly in a "stopped" state and not "terminating" or "stopping" (which indicates they are still in the process of shutting down).
Validate permissions: Make sure you have the necessary permissions to perform the required actions on EC2 instances, particularly the ability to terminate instances.
Review instance details: Before removing the instances, review their details to ensure you are not inadvertently terminating critical instances or instances required by other resources.
Verify compliance with security policies: Validate that the specified time period aligns with your organization's security policies and compliance requirements.
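The identification and review steps above, worked through as an added example (this is not code from the original guideline or from AWS). It reads the output shape of EC2 DescribeInstances, takes the stop time from the StateTransitionReason text that EC2 sets on a user-initiated stop, and separates real termination candidates from instances that are too young, still stopping, or carry a protection tag. The tag name DoNotTerminate, the sample instance IDs and the fixed "now" are my own assumptions; the live lookup in fetch_reservations needs boto3 and credentials, everything else runs offline.

```python
"""Added example (not from the original guideline): build the candidate list
for the troubleshooting steps from EC2 describe-instances output.

Assumptions (mine, not the page's): the stop time is read from the
StateTransitionReason field EC2 sets on a stop, e.g.
"User initiated (2024-03-01 08:00:00 GMT)", and a tag named DoNotTerminate
marks instances that must never be removed.
"""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical protection tag; adjust to your organisation's tagging standard.
PROTECTION_TAG = "DoNotTerminate"

_TRANSITION_RE = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")


def stopped_since(instance):
    """Return the UTC datetime at which the instance was stopped, or None."""
    match = _TRANSITION_RE.search(instance.get("StateTransitionReason", ""))
    if not match:
        return None
    return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def is_protected(instance):
    """True when the protection tag is present and set to 'true'."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    return tags.get(PROTECTION_TAG, "").lower() == "true"


def classify_instances(reservations, max_stopped_hours, now=None):
    """Return (candidates, skipped).

    candidates: dicts for instances stopped longer than the limit and not protected.
    skipped: (instance_id, reason) pairs for everything else, so the review step
    has a record of why each instance was left alone.
    """
    now = now or datetime.now(timezone.utc)
    limit = timedelta(hours=max_stopped_hours)
    candidates, skipped = [], []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            state = inst["State"]["Name"]
            if state != "stopped":  # "stopping" or "shutting-down" are still in transition
                skipped.append((iid, f"state is {state}, not stopped"))
                continue
            since = stopped_since(inst)
            if since is None:
                skipped.append((iid, "stop time unknown; review manually"))
                continue
            age = now - since
            if age < limit:
                skipped.append((iid, f"stopped only {age.total_seconds() / 3600:.0f}h"))
                continue
            if is_protected(inst):
                skipped.append((iid, f"tagged {PROTECTION_TAG}"))
                continue
            candidates.append({"InstanceId": iid, "StoppedSince": since,
                               "HoursStopped": round(age.total_seconds() / 3600)})
    return candidates, skipped


def fetch_reservations(region_name):
    """Live lookup with boto3 (imported lazily so the pure logic above runs offline)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate(
            Filters=[{"Name": "instance-state-name", "Values": ["stopped", "stopping"]}]):
        reservations.extend(page["Reservations"])
    return reservations


# Constructed sample resembling a describe-instances response (not real data).
SAMPLE_NOW = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "stopped"},
     "StateTransitionReason": "User initiated (2024-03-01 08:00:00 GMT)", "Tags": []},
    {"InstanceId": "i-0bbb", "State": {"Name": "stopped"},
     "StateTransitionReason": "User initiated (2024-03-10 02:00:00 GMT)", "Tags": []},
    {"InstanceId": "i-0ccc", "State": {"Name": "stopping"},
     "StateTransitionReason": "User initiated (2024-03-10 11:59:00 GMT)", "Tags": []},
    {"InstanceId": "i-0ddd", "State": {"Name": "stopped"},
     "StateTransitionReason": "User initiated (2024-02-01 00:00:00 GMT)",
     "Tags": [{"Key": "DoNotTerminate", "Value": "true"}]},
]}]

if __name__ == "__main__":
    cands, skip = classify_instances(SAMPLE_RESERVATIONS, max_stopped_hours=72, now=SAMPLE_NOW)
    for c in cands:
        print("candidate:", c)
    for iid, why in skip:
        print("skipped:  ", iid, "-", why)
```

With the constructed sample and a 72-hour limit, only i-0aaa (stopped about 220 hours) is a candidate; i-0bbb is too recent, i-0ccc is still stopping, and i-0ddd is excluded by its tag. Replace SAMPLE_RESERVATIONS with fetch_reservations("your-region") to run it against an account.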
Code:
The rule for removing stopped instances after a specified time period can be enforced with AWS Config, which lets you define and evaluate rules for your AWS resources. The AWS managed rule ec2-stopped-instance (source identifier EC2_STOPPED_INSTANCE) does exactly this check; its AllowedDays parameter sets how many days an instance may stay stopped. Here is an example definition in the JSON accepted by the AWS Config PutConfigRule API:
{
  "ConfigRuleName": "remove-stopped-ec2-instances",
  "Description": "Flags EC2 instances that have remained stopped for longer than the allowed number of days.",
  "MaximumExecutionFrequency": "TwentyFour_Hours",
  "InputParameters": "{\"AllowedDays\": \"3\"}",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "EC2_STOPPED_INSTANCE"
  }
}
In this definition, the AllowedDays parameter (3 days here, i.e. 72 hours) sets how long an instance may remain stopped before AWS Config marks it NON_COMPLIANT. You can modify this value based on your organization's requirements. AWS Config itself only reports the violation; the instances are terminated by the remediation steps below (or by a remediation action you attach to the rule).
Remediation Steps:
To remediate the violation of the rule and remove the stopped EC2 instances, follow these steps:
Open the AWS Management Console and navigate to the EC2 Dashboard.
Identify the stopped instances that need to be removed. Review the list of instances and check if they are suitable for termination. Ensure that no critical or required instances are included.
Select the instance(s) that should be removed and click on the "Actions" dropdown menu.
From the dropdown menu, choose "Instance State" and then select "Terminate". Confirm the termination when prompted.
Verify that the instances have been successfully terminated by checking their state. The instances should no longer be visible in the EC2 Dashboard.
Ensure that the specified time period for removing instances aligns with your organization's security policies and operational requirements. Adjust the rule's configuration if necessary.
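The same remediation carried out with the EC2 API instead of the console, as an added example (not code from the original guideline or from AWS), with the two safeguards a reviewer would ask for: instances whose disableApiTermination attribute is set are skipped rather than failed, and a DryRun call is made before the real one so a permissions problem surfaces before anything changes. It assumes the instance ID list comes from your own review of the candidates; the ec2 argument is a boto3 EC2 client, and the DryRunOperation error code and the instance_terminated waiter are standard EC2/boto3 behaviour. The verification helpers run offline on the constructed sample; terminate_reviewed_instances needs boto3 and credentials.

```python
"""Added example (not part of the original guideline): terminate reviewed
stopped instances safely and verify the result, mirroring the console steps.

Assumptions (mine): `ec2` is a boto3 EC2 client; instance_ids were reviewed
beforehand; sample responses below are constructed, not real account data.
"""


def termination_protected(attribute_response):
    """True when describe_instance_attribute(Attribute='disableApiTermination')
    reports protection enabled; such instances must not be force-handled here."""
    return bool(attribute_response.get("DisableApiTermination", {}).get("Value", False))


def summarize_states(reservations):
    """Map instance id -> state name from a describe_instances response."""
    return {inst["InstanceId"]: inst["State"]["Name"]
            for r in reservations for inst in r.get("Instances", [])}


def not_yet_terminated(reservations, instance_ids):
    """Verification step: ids still present in any state other than 'terminated'.
    Ids absent from the response are treated as gone (EC2 stops listing
    terminated instances after a while)."""
    states = summarize_states(reservations)
    return {iid: states[iid] for iid in instance_ids
            if iid in states and states[iid] != "terminated"}


def terminate_reviewed_instances(ec2, instance_ids):
    """Skip protected instances, dry-run, terminate, wait, then verify."""
    from botocore.exceptions import ClientError  # lazy import: offline checks never reach here
    to_terminate, skipped = [], {}
    for iid in instance_ids:
        attr = ec2.describe_instance_attribute(InstanceId=iid, Attribute="disableApiTermination")
        if termination_protected(attr):
            skipped[iid] = "termination protection enabled; review before removing it"
        else:
            to_terminate.append(iid)
    if not to_terminate:
        return {"terminated": [], "still_present": {}, "skipped": skipped}

    # DryRun=True changes nothing: EC2 answers DryRunOperation if the call would succeed,
    # or UnauthorizedOperation if the caller lacks ec2:TerminateInstances.
    try:
        ec2.terminate_instances(InstanceIds=to_terminate, DryRun=True)
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "DryRunOperation":
            raise

    ec2.terminate_instances(InstanceIds=to_terminate)
    ec2.get_waiter("instance_terminated").wait(InstanceIds=to_terminate)

    after = ec2.describe_instances(InstanceIds=to_terminate)["Reservations"]
    remaining = not_yet_terminated(after, to_terminate)
    return {"terminated": [i for i in to_terminate if i not in remaining],
            "still_present": remaining, "skipped": skipped}


# Constructed describe_instances response taken "after" a termination (not real data).
SAMPLE_AFTER = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "terminated"}},
    {"InstanceId": "i-0eee", "State": {"Name": "shutting-down"}},
]}]

if __name__ == "__main__":
    print("not yet terminated:", not_yet_terminated(SAMPLE_AFTER, ["i-0aaa", "i-0eee", "i-0fff"]))
    print("protected:", termination_protected({"DisableApiTermination": {"Value": True}}))
```

On the sample, only i-0eee is reported as still present (it is shutting down), i-0aaa is terminated and i-0fff, absent from the response, counts as gone. Against a live account, call terminate_reviewed_instances(boto3.client("ec2", region_name="your-region"), ids) with the reviewed list.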
By following these steps, you can adhere to the AWS Foundational Security Best Practices and automatically remove stopped EC2 instances after the specified time period, enhancing your security posture and optimizing resource usage.