
Rule: EC2 Stopped Instances Should Be Removed in 30 Days

This rule ensures that any stopped EC2 instances are removed within a 30-day timeframe.

Rule: EC2 stopped instances should be removed in 30 days
Framework: NIST 800-171 Revision 2
Severity: Low

Rule Description:

According to the NIST 800-171 Revision 2 compliance requirements, any stopped EC2 (Elastic Compute Cloud) instances within an AWS (Amazon Web Services) environment should be removed within 30 days. This rule ensures that inactive instances are promptly terminated, reducing the attack surface and potential vulnerabilities within the system.

Keeping stopped instances for a prolonged period can increase the risk of unauthorized access, data breaches, and unnecessary operating expenses. Regularly removing unused instances aligns with security best practices and helps maintain compliance with NIST 800-171 regulations.

Troubleshooting Steps (if any):

If you encounter any issues while trying to remove stopped EC2 instances, please follow the troubleshooting steps below:

1. Instance Removal Failure: If you are unable to remove a stopped EC2 instance, verify that you have the necessary permissions to perform the action. Ensure that you have the required IAM (Identity and Access Management) role or user privileges to terminate instances. If the issue persists, contact your AWS administrator or support for further assistance.

2. Incorrect Instance State: Make sure you are targeting stopped instances specifically when attempting to remove them. Use the appropriate AWS CLI (Command Line Interface) command or Console option to filter and select only stopped instances for termination.

3. Dependencies or Attached Resources: Check if the stopped instance has any dependencies or attached resources, such as EBS (Elastic Block Store) volumes, ENIs (Elastic Network Interfaces), or security group associations. Remove or detach these resources before terminating the instance. Ensure that you have backups or copies of any essential data stored on these resources.

Code Implementation (if applicable):

There is no specific code implementation required for this rule. However, you can use AWS CLI commands or SDKs (Software Development Kits) to automate the identification and removal of stopped instances that have exceeded the 30-day limit.

Below is an example of an AWS CLI command that lists stopped instances launched 30 or more days ago (LaunchTime on or before the cutoff date) as candidates for termination:

# Stopped instances whose LaunchTime (the time of the instance's most recent
# start) is on or before the cutoff date; the trailing [] flattens the
# per-reservation lists so the output is a single list of instance IDs.
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=stopped" \
  --query "Reservations[].Instances[?LaunchTime<='yyyy-mm-dd'][].InstanceId"

Replace 'yyyy-mm-dd' with the date 30 days in the past. Review the list of instance IDs returned by the command before proceeding with termination.

Remediation Steps:

To ensure compliance with the NIST 800-171 Revision 2 requirement of removing EC2 instances that have been stopped for more than 30 days, perform the following steps:

1. Identify Stopped Instances Older Than 30 Days: Using the AWS Management Console or the AWS CLI, identify the EC2 instances that have been in a stopped state for more than 30 days.

2. Review Instance Details and Dependencies: Before terminating instances, review the details of each instance to ensure they are no longer required. Check for any attached resources, dependencies, or data backups stored within the instance.

3. Terminate Instances: Once you have confirmed that the stopped instances are no longer needed and have verified any dependencies, terminate the instances using one of the following methods:

  • AWS Management Console:
    • Go to the EC2 Dashboard.
    • Select the instances to be terminated.
    • Click on "Actions" and choose "Instance State" > "Terminate."
  • AWS CLI Command:
    • Use the following command, replacing instance-ids with the appropriate IDs for the instances to be terminated:
      aws ec2 terminate-instances --instance-ids instance-ids

4. Repeat Regularly: Implement a regular schedule or automated process to identify and remove stopped instances older than 30 days. This ensures ongoing compliance with the NIST 800-171 Revision 2 requirement.

Note: Exercise caution when terminating instances, as this action is irreversible and permanently deletes the instance and its associated data.

By following these steps, you can maintain compliance with the NIST 800-171 Revision 2 requirement to remove stopped EC2 instances within 30 days, thereby reducing security risks and optimizing costs within the AWS environment.
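The identification command in the Code Implementation section and the four remediation steps above can be combined into one scheduled script. The Python below is an added example for this page, not Cloud Defense code or an AWS-provided tool; only its live path (the main function) assumes boto3 and working AWS credentials, and all instance IDs, tags and timestamps in it are constructed. It differs from the CLI one-liner in one respect that matters for a removal rule: EC2 resets LaunchTime every time an instance is started and records the actual stop time only inside the free-text StateTransitionReason field ("User initiated (YYYY-MM-DD HH:MM:SS GMT)"), so the script parses that timestamp, falls back to LaunchTime when it is absent, and never terminates on the fallback alone. For each candidate it also gathers what step 2 asks a reviewer to check: which attached EBS volumes termination would destroy and which it would leave behind.

```python
# Added example (not Cloud Defense or AWS code): find, review and dry-run terminate stale stopped EC2 instances.
import re
from datetime import datetime, timedelta, timezone

STOP_THRESHOLD_DAYS = 30

# EC2 records the stop time only in the free-text StateTransitionReason, e.g.
# "User initiated (2024-01-15 09:30:12 GMT)". LaunchTime is the *last start*,
# so an instance stopped yesterday after a year of uptime looks "old" by it.
_STOP_TIME_RE = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")


def stopped_since(instance):
    """Return (stop_time, source) for a stopped instance, else (None, None).
    source is "state_transition" when parsed from StateTransitionReason, or
    "launch_time" when only LaunchTime was available; LaunchTime precedes the
    real stop time, so that path can only overstate the stopped duration."""
    if instance.get("State", {}).get("Name") != "stopped":
        return None, None
    match = _STOP_TIME_RE.search(instance.get("StateTransitionReason", ""))
    if match:
        stopped = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        return stopped.replace(tzinfo=timezone.utc), "state_transition"
    launch = instance["LaunchTime"]  # boto3 datetime or CLI ISO 8601 string
    if isinstance(launch, str):
        launch = datetime.fromisoformat(launch.replace("Z", "+00:00"))
    return launch.astimezone(timezone.utc), "launch_time"


def find_stale_stopped(reservations, now=None, threshold_days=STOP_THRESHOLD_DAYS):
    """Steps 1 and 2: select stopped instances past the threshold and collect
    what a reviewer needs before any of them is terminated."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=threshold_days)
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            stopped_at, source = stopped_since(inst)
            if stopped_at is None or stopped_at > cutoff:
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            ebs = [m["Ebs"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]
            findings.append({
                "InstanceId": inst["InstanceId"],
                "Name": tags.get("Name", ""),
                "StoppedDays": (now - stopped_at).days,
                "Source": source,
                # Destroyed by termination (back up first) vs. left behind as
                # orphaned, still-billed volumes (detach or delete deliberately).
                "VolumesDeletedOnTerminate": [v["VolumeId"] for v in ebs if v.get("DeleteOnTermination")],
                "VolumesLeftBehind": [v["VolumeId"] for v in ebs if not v.get("DeleteOnTermination")],
            })
    return findings


# Constructed sample in the shape of `aws ec2 describe-instances` output; the
# IDs, tags and timestamps are made up for this example.
EXAMPLE_NOW = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaaa000000000001", "State": {"Name": "stopped"},
     "LaunchTime": "2024-01-02T08:00:00+00:00",
     "StateTransitionReason": "User initiated (2024-01-15 09:30:12 GMT)",
     "Tags": [{"Key": "Name", "Value": "legacy-batch"}],
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0a1", "DeleteOnTermination": True}},
         {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0a2", "DeleteOnTermination": False}}]},
    # Launched long ago but stopped yesterday: a LaunchTime-only check would mis-flag it.
    {"InstanceId": "i-0aaaa000000000002", "State": {"Name": "stopped"},
     "LaunchTime": "2023-06-01T08:00:00+00:00",
     "StateTransitionReason": "User initiated (2024-03-31 18:00:00 GMT)"},
    # Stopped, but no timestamp in the reason: LaunchTime fallback, manual review only.
    {"InstanceId": "i-0aaaa000000000003", "State": {"Name": "stopped"},
     "LaunchTime": "2024-01-02T08:00:00+00:00", "StateTransitionReason": ""},
]}]


def example_findings():
    return find_stale_stopped(SAMPLE_RESERVATIONS, now=EXAMPLE_NOW)


def main(dry_run=True):
    """Steps 3 and 4 (live path; assumes boto3 and AWS credentials): paginate
    describe-instances and terminate only instances whose stop time is known.
    With dry_run=True EC2 validates permissions and raises DryRunOperation."""
    import boto3
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2")
    pages = ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["stopped"]}])
    findings = find_stale_stopped([r for p in pages for r in p["Reservations"]])
    ids = [f["InstanceId"] for f in findings if f["Source"] == "state_transition"]
    try:
        if ids:
            ec2.terminate_instances(InstanceIds=ids, DryRun=dry_run)
    except ClientError as err:
        if err.response["Error"]["Code"] != "DryRunOperation":
            raise
    return findings, ids
```

Run as a scheduled job (for example from Lambda or a cron host) with the default dry_run=True first: a DryRunOperation error from EC2 confirms the role has ec2:TerminateInstances on the selected instances without destroying anything. Switch to dry_run=False only after the findings have been reviewed, and handle any instance that reports VolumesLeftBehind or a launch_time source by hand, since termination will neither clean up those volumes nor confirm how long the instance was really stopped.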
