Profile Applicability:

  • Level 1

Description:
It is important to ensure that AWS EC2 instances are not running indefinitely and are periodically reviewed. EC2 instances that are older than 180 days could indicate unmanaged resources or outdated configurations, which may increase the risk of security vulnerabilities, performance issues, and higher operational costs. This policy ensures that EC2 instances are regularly reviewed and updated as necessary.

Rationale:
Running instances that are older than 180 days can lead to:

  • Security risks due to outdated configurations or missing patches.

  • Operational inefficiency as older instances may not be optimized.

  • Increased costs if unused or unnecessary instances are left running.

Reviewing EC2 instances regularly ensures that they remain relevant to the organization’s current needs and are properly maintained.

Impact:
Pros:

  • Improved security by ensuring older instances are periodically reviewed and updated.

  • Cost optimization by identifying and terminating unused or outdated EC2 instances.

  • Better resource management by ensuring that instances are in line with current organizational requirements.

Cons:

  • Requires ongoing monitoring and management of EC2 instances.

  • Potential service disruption if older EC2 instances need to be stopped or restarted for updates.

Default Value:
By default, AWS EC2 instances do not have an expiration date or automatic review policy, so instances can remain running indefinitely unless manually stopped, updated, or deleted.

Pre-requisites:

  • AWS IAM permissions to view EC2 instances and instance details:
    ec2:DescribeInstances, ec2:StopInstances, ec2:StartInstances

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. On the left pane, click Instances under INSTANCES.

  3. Select an EC2 instance that is running.

  4. In the Description tab, check the Launch Time.

  5. Calculate the age of the instance by comparing the Launch Time with the current date.

  6. If the instance age is greater than 180 days, it should be reviewed for possible termination or reconfiguration.

  7. Repeat steps 3–6 to verify the age of all other running EC2 instances.

  8. Perform this review across all regions in use by your organization.

Using AWS CLI:

  1. Run the following command to list all running EC2 instances (instance-state-code 16 is the "running" state):

    aws ec2 describe-instances --region <region> --output json --filters "Name=instance-state-code,Values=16" --query "Reservations[*].Instances[*].InstanceId"

  2. For each instance ID listed, run the following command to get the LaunchTime:

    aws ec2 describe-instances --region <region> --instance-ids <instance-id> --query "Reservations[*].Instances[*].LaunchTime"

  3. If the LaunchTime is more than 180 days ago, the instance should be reviewed for possible termination or reconfiguration.
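The two CLI steps above can be combined into one audit: query InstanceId and LaunchTime together, then compare each LaunchTime with the current date. The script below is an added example, not part of the benchmark; it parses the JSON that describe-instances prints (a constructed sample with fictitious instance IDs is embedded so it runs offline), and the audit_region helper is the only part that needs AWS credentials. Its output is the list of instances to take into the Implementation Plan.

```python
"""Added example: flag running EC2 instances older than 180 days from
`aws ec2 describe-instances` JSON output. Not part of the benchmark text."""
import json
import subprocess
from datetime import datetime, timezone

MAX_AGE_DAYS = 180


def describe_running_instances_cmd(region):
    # Same filter as the benchmark: instance-state-code 16 == "running".
    # The multiselect query returns [InstanceId, LaunchTime] per instance.
    return ["aws", "ec2", "describe-instances", "--region", region,
            "--output", "json",
            "--filters", "Name=instance-state-code,Values=16",
            "--query", "Reservations[*].Instances[*].[InstanceId,LaunchTime]"]


def parse_launch_time(value):
    # The CLI prints LaunchTime as ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_instances(describe_output, now, max_age_days=MAX_AGE_DAYS):
    """Return [(instance_id, age_in_days)] for instances older than max_age_days.
    describe_output is the JSON text produced by describe_running_instances_cmd."""
    stale = []
    for reservation in json.loads(describe_output):
        for instance_id, launch_time in reservation:
            age = (now - parse_launch_time(launch_time)).days
            if age > max_age_days:
                stale.append((instance_id, age))
    return stale


def audit_region(region, now=None):
    """Run the CLI for one region (needs AWS credentials) and return stale instances."""
    out = subprocess.run(describe_running_instances_cmd(region), check=True,
                         capture_output=True, text=True).stdout
    return stale_instances(out, now or datetime.now(timezone.utc))


# Constructed sample in the CLI's output shape; the instance IDs are fictitious.
SAMPLE_OUTPUT = json.dumps([
    [["i-0aaaaaaaaaaaaaaa1", "2023-01-15T08:30:00Z"]],
    [["i-0bbbbbbbbbbbbbbb2", "2024-05-01T12:00:00Z"],
     ["i-0ccccccccccccccc3", "2023-10-20T00:00:00Z"]],
])
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for instance_id, age in stale_instances(SAMPLE_OUTPUT, SAMPLE_NOW):
        print(f"{instance_id}: {age} days old, review required")
```

Run audit_region once per region in use (step 8 of the console procedure), since describe-instances is region-scoped.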

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. Select the EC2 instance identified for review.

  3. To update the instance, click on Actions, then select Instance State, and choose Stop.

  4. Wait for the instance to stop, then click Start to update the instance launch time.

  5. After the instance restarts, check the Launch Time again to confirm it has been updated.

Using AWS CLI:

  1. For any instance that is older than 180 days, run the following command to stop the instance:

    aws ec2 stop-instances --region <region> --instance-ids <instance-id>

  2. After the instance has stopped, run the following command to start it again:

    aws ec2 start-instances --region <region> --instance-ids <instance-id>

  3. Verify that the LaunchTime has been updated by checking the instance details again:

    aws ec2 describe-instances --region <region> --instance-ids <instance-id> --query "Reservations[*].Instances[*].LaunchTime"

Backout Plan:

Using AWS Console:

  1. If stopping and restarting an EC2 instance causes issues, log in to the EC2 Console.

  2. Select the EC2 instance and choose Stop to ensure it is properly shut down.

  3. Click Start to restart the instance if needed.

  4. Review the EC2 instance settings and ensure that any configuration changes are reverted to prevent disruptions.

Using AWS CLI:

  1. If restarting an instance causes any issues, run the following command to stop the instance:

    aws ec2 stop-instances --region <region> --instance-ids <instance-id>

  2. After stopping the instance, investigate the root cause and restart the instance once the issue is resolved:

    aws ec2 start-instances --region <region> --instance-ids <instance-id>

References:

  1. AWS EC2: Describe Instances

  2. AWS EC2: Instance State Transitions

  3. AWS EC2: Instance LaunchTime

CIS Controls:

  Version | Control ID | Control Description
  --------|------------|--------------------------------------------------------------
  v8      | 1.1        | Maintain a detailed inventory of all enterprise assets, including EC2 instances, and ensure that instances are regularly reviewed and updated based on their age.
  v7      | 1.4        | Ensure that all technology assets, including EC2 instances, are regularly reviewed for relevance and compliance. Instances older than 180 days should be considered for decommissioning or updating.