Profile Applicability:

  • Level 1

Description:

Amazon EC2 provides two levels of monitoring: Basic Monitoring and Detailed Monitoring. By default, EC2 instances have Basic Monitoring enabled, which provides metrics at 5-minute intervals. Detailed Monitoring, on the other hand, provides metrics at 1-minute intervals, offering more granular data for better performance tracking and troubleshooting. Ensuring that Detailed Monitoring is enabled for EC2 instances helps improve visibility into the health and performance of the instances, making it easier to identify issues and optimize resource utilization.

Rationale:

Enabling Detailed Monitoring provides more frequent and accurate metrics about the EC2 instance’s performance, such as CPU utilization, disk I/O, network traffic, and memory usage. This helps in proactive monitoring, faster troubleshooting, and better resource management. Detailed monitoring also enhances the ability to set up alarms and automated actions for thresholds that may indicate potential issues.

Impact:

Pros:

  • Provides more granular and frequent metrics (1-minute intervals).

  • Enables more accurate performance monitoring and faster issue detection.

  • Improves troubleshooting by having detailed insights into resource utilization.

  • Facilitates better integration with CloudWatch alarms for automated actions.

Cons:

  • Additional AWS costs are incurred for enabling detailed monitoring (cost per instance).

  • May generate additional monitoring data that could increase complexity in managing metrics.

Default Value:

By default, EC2 instances come with Basic Monitoring enabled. Detailed Monitoring is not enabled by default and needs to be manually configured.

Pre-requisite:

  • AWS IAM permissions:

    • ec2:DescribeInstances

    • ec2:MonitorInstances

  • AWS CLI installed and configured.

  • Knowledge of EC2 instance configurations and CloudWatch monitoring.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

     

  1. In the left-hand navigation pane, select Instances.

               

  1. Select the EC2 instance(s) you want to check.

       

  1. In the Instance Details section, under Monitoring, check if Detailed Monitoring is enabled.

    • If Detailed Monitoring is enabled, it will show as Enabled under the Monitoring section.

    • If it shows Basic Monitoring, you need to enable detailed monitoring.

                                   

  1. To enable Detailed Monitoring

    • click on the Actions button

    • go to Monitor and troubleshoot

    • select Enable detailed monitoring.

Using AWS CLI:

To list all EC2 instances and their monitoring status, run the following command:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].{ID:InstanceId,Monitoring:Monitoring.State}' --output table

  • The output will show whether Detailed Monitoring is enabled (enabled) or not (disabled).

To enable Detailed Monitoring for a specific instance, run:

aws ec2 monitor-instances --instance-id <instance-id>

  • Replace <instance-id> with the ID of the EC2 instance you want to enable detailed monitoring for.

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console 

  2. Navigate to EC2.

           

  1. Select the Instances menu from the left-hand navigation.

           

  1. Choose the EC2 instance(s) you want to enable Detailed Monitoring for.

         

  1. In the Monitoring section, click on Actions.

         

  1. Select Monitor and troubleshoot, then click on Enable detailed monitoring.

         

  1. Confirm that Detailed Monitoring is now enabled by checking the Monitoring section of the instance details.

         

Using AWS CLI:

To enable Detailed Monitoring for a specific EC2 instance, run the following command:

aws ec2 monitor-instances --instance-id <instance-id>

After enabling, verify the monitoring status by running:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].{ID:InstanceId,Monitoring:Monitoring.State}' --output table

Backout Plan:

If enabling Detailed Monitoring causes performance issues or unnecessary costs:

Identify the affected instance(s).

Revert the change by disabling Detailed Monitoring:

aws ec2 unmonitor-instances --instance-id <instance-id

Verify that the instance is now using Basic Monitoring by running:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].{ID:InstanceId,Monitoring:Monitoring.State}' --output table

Document the restoration actions for auditing and compliance purposes.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.