Profile Applicability:

  • Level 2

Description:
Detailed monitoring provides additional granularity of monitoring data for your Amazon EC2 instances. Enabling detailed monitoring allows you to collect metrics at a 1-minute frequency instead of the default 5-minute intervals. This helps improve visibility into the performance of EC2 instances, which is essential for maintaining reliability, availability, and performance in production environments.

Rationale:
Enabling detailed monitoring is crucial for production instances because it provides more timely data that can be used to identify and resolve issues faster. With more frequent metric updates, such as CPU utilization, disk I/O, and network traffic, you can ensure that critical resources are performing optimally. However, it does come with additional costs, as you are charged per metric sent to CloudWatch.

Impact:
Pros:

  • Improved performance monitoring: Provides real-time data (1-minute granularity) for better decision-making.

  • Helps detect performance issues early, minimizing downtime.

  • Essential for production environments where high availability and quick incident response are critical.

Cons:

  • Increased costs: Detailed monitoring incurs additional charges for each metric sent to CloudWatch. It's recommended to only enable it for critical instances.

  • Requires active monitoring and management to ensure cost-effective utilization of detailed monitoring.

Default Value:
By default, basic monitoring (5-minute granularity) is enabled for EC2 instances, and detailed monitoring is disabled. It must be manually enabled.

Pre-requisites:

  • AWS IAM permissions to view and manage EC2 instances and CloudWatch metrics:
     ec2:DescribeInstances, ec2:MonitorInstances, cloudwatch:PutMetricData

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. On the left, click Instances, then select Instances from the drop-down.

  3. Select an EC2 instance from the list that you want to review.

  4. In the Description tab, check the Monitoring attribute.

    • If the value is Basic, it indicates that detailed monitoring is not enabled.

  5. Repeat steps 3–4 for other EC2 instances to verify the monitoring level.

  6. Review instances across other AWS regions to ensure compliance.

Using AWS CLI:

  1. Run the following AWS CLI command to list EC2 instances with detailed monitoring disabled:

    aws ec2 describe-instances --region us-east-1 --output json --filters "Name=monitoring-state,Values=disabled" --query "Reservations[*].Instances[*].{Instance:InstanceId}"

  2. Review the output to identify instances where detailed monitoring is disabled.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. On the left, click Instances, then select Instances.

  3. Select an EC2 instance that needs detailed monitoring enabled.

  4. Click on the Monitoring tab.

  5. Click Enable Detailed Monitoring.

  6. Click Yes, Enable to confirm.

  7. Repeat steps 3–6 for other instances that require detailed monitoring.

Using AWS CLI:

  1. To enable detailed monitoring for a list of instances, run the following command:

    aws ec2 monitor-instances --instance-ids <instance-id-1> <instance-id-2>

  2. The output will show "State": "pending" under Monitoring for each instance while detailed monitoring is being enabled.

  3. Wait for a few minutes, then run the command again to verify that the state has changed to enabled:

    aws ec2 describe-instances --instance-ids <instance-id-1> --query "Reservations[*].Instances[*].Monitoring"
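The CLI audit in the Test Plan and the verification step above both come down to reading the Monitoring.State field out of describe-instances output. The following added example (not part of this benchmark or of any AWS tooling) does that with the Python standard library over constructed sample JSON in the shape the AWS CLI returns. It goes slightly beyond the page's filter: the Test Plan command only lists instances whose state is "disabled", while this audit treats "pending" and "disabling" (the other two values AWS documents for Monitoring.State) as not-yet-compliant, and it skips terminated instances, which cannot be remediated. The instance IDs and the helper names are constructed for illustration.

```python
import json

# Constructed sample of `aws ec2 describe-instances --output json` output
# (not real AWS data). Two reservations; one instance already enabled, one
# on basic monitoring, one mid-transition, and one terminated instance.
SAMPLE_DESCRIBE = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"},
       "Monitoring": {"State": "enabled"}},
      {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"},
       "Monitoring": {"State": "disabled"}}
    ]},
    {"Instances": [
      {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "stopped"},
       "Monitoring": {"State": "pending"}},
      {"InstanceId": "i-0a1b2c3d4e5f60004", "State": {"Name": "terminated"},
       "Monitoring": {"State": "disabled"}}
    ]}
  ]
}
""")

# Constructed sample of `aws ec2 monitor-instances` output for two instances.
SAMPLE_MONITOR = json.loads("""
{"InstanceMonitorings": [
  {"InstanceId": "i-0a1b2c3d4e5f60002", "Monitoring": {"State": "pending"}},
  {"InstanceId": "i-0a1b2c3d4e5f60003", "Monitoring": {"State": "pending"}}
]}
""")


def iter_instances(describe_response):
    """Flatten the Reservations[*].Instances[*] nesting of describe-instances."""
    for reservation in describe_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            yield instance


def noncompliant_instances(describe_response, ignore_terminated=True):
    """Return {InstanceId: monitoring state} for every instance whose detailed
    monitoring is not 'enabled'. 'pending' and 'disabling' are reported too:
    the control is only met once the state is 'enabled', so anything still in
    transition is flagged rather than silently passed. Terminated instances,
    which linger in describe-instances output for a while, are skipped by
    default because they cannot be remediated."""
    findings = {}
    for inst in iter_instances(describe_response):
        if ignore_terminated and inst.get("State", {}).get("Name") == "terminated":
            continue
        state = inst.get("Monitoring", {}).get("State", "unknown")
        if state != "enabled":
            findings[inst["InstanceId"]] = state
    return findings


def monitor_request_states(monitor_response):
    """Map InstanceId -> Monitoring.State from a monitor-instances response.
    Immediately after the call the state is normally 'pending'."""
    return {m["InstanceId"]: m["Monitoring"]["State"]
            for m in monitor_response.get("InstanceMonitorings", [])}


def still_not_enabled(describe_response, instance_ids):
    """Verification step: after waiting, re-run describe-instances and return
    the subset of instance_ids that have not reached 'enabled'. Ids absent
    from the response are reported as 'missing' (wrong region, or the
    instance is gone), so a typo in --instance-ids does not read as success."""
    states = {inst["InstanceId"]: inst.get("Monitoring", {}).get("State", "unknown")
              for inst in iter_instances(describe_response)}
    return {i: states.get(i, "missing") for i in instance_ids
            if states.get(i) != "enabled"}


if __name__ == "__main__":
    print("Non-compliant:", noncompliant_instances(SAMPLE_DESCRIBE))
    requested = monitor_request_states(SAMPLE_MONITOR)
    print("Requested (expect pending):", requested)
    print("Still not enabled:", still_not_enabled(SAMPLE_DESCRIBE, list(requested)))
```

In practice, feed the functions the parsed output of `aws ec2 describe-instances --region <region> --output json` (without the `--query` projection used in the Test Plan, so the Monitoring and State fields are present), once per region, since the audit in the Test Plan must be repeated across regions.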

Backout Plan:

Using AWS Console:

  1. If enabling detailed monitoring causes issues, log in to the EC2 Console.

  2. Select the EC2 instance where detailed monitoring was enabled.

  3. Under the Monitoring tab, click Disable Detailed Monitoring to revert the changes.

Using AWS CLI:

  1. To disable detailed monitoring for an instance, run:

    aws ec2 unmonitor-instances --instance-ids <instance-id-1> <instance-id-2>

  2. Verify that the detailed monitoring has been disabled by checking the monitoring status again:

    aws ec2 describe-instances --instance-ids <instance-id-1> --query "Reservations[*].Instances[*].Monitoring"

References:

  1. AWS EC2: Monitoring

  2. AWS CLI: describe-instances

  3. AWS CLI: monitor-instances

  4. AWS CLI: unmonitor-instances

CIS Controls:

Version | Control ID | Control Description
v8      | 8.2        | Collect audit logs for EC2 instances using CloudWatch detailed monitoring to track metrics and improve incident response times.
v7      | 6.2        | Activate audit logging for EC2 instances to capture detailed performance metrics, helping identify potential security and operational issues.