Profile Applicability:
- Level 1
Description:
This rule helps ensure that Amazon EC2 instances that have been stopped for more than 90 days are identified and removed according to organizational standards. Instances that remain stopped for extended periods can consume resources and may become outdated or unnecessary, especially in dynamic environments.
Rationale:
Stopped EC2 instances that are not actively used can:
- Waste resources, increasing cloud costs unnecessarily.
- Create security risks if they are not decommissioned properly.
- Clutter the EC2 environment, making it difficult to manage and maintain active resources.
Removing EC2 instances that have been stopped for over 90 days helps maintain a clean, cost-effective, and secure cloud environment.
Impact:
Pros:
- Cost reduction by eliminating inactive EC2 instances.
- Reduces the attack surface by terminating unused instances.
- Improves resource management and helps maintain a clean EC2 environment.
Cons:
- Data loss: Terminating instances can result in the loss of any data stored on non-persistent storage. Ensure that important data is backed up before termination.
- Requires manual auditing to verify instances that have been stopped for over 90 days.
Default Value:
By default, EC2 instances remain in a stopped state unless explicitly terminated or deleted.
Pre-requisites:
AWS IAM permissions to manage EC2 instances:
ec2:DescribeInstances, ec2:TerminateInstances
Remediation:
Test Plan:
Using AWS Console:
1. Log in to the AWS EC2 Console.
2. In the left pane, click Instances, then click Instances from the drop-down.
3. Select an EC2 instance for review.
4. In the Details tab, check the Launch Time.
5. If the Launch Time is more than 90 days ago, the instance has been inactive for that period.
6. Repeat steps 3–5 for all instances, checking across other AWS regions.
Using AWS CLI:
Run the following command to list stopped EC2 instances:
aws ec2 describe-instances --region us-east-1 --output json --filters "Name=instance-state-name,Values=stopped" --query "Reservations[*].Instances[*].{Instance:InstanceId,LaunchTime:LaunchTime}"
Review the output and identify instances that have been stopped for over 90 days.
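The following is an added example, not part of the benchmark, that automates the review of the CLI output above. It assumes the describe-instances query is extended with StateTransitionReason (whose text for a user-initiated stop includes the stop timestamp) so that the age is measured from the stop rather than the launch; the JSON below is a constructed sample shaped like that output.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the output of the describe-instances command with
# --query "Reservations[*].Instances[*].{Instance:InstanceId,LaunchTime:LaunchTime,Reason:StateTransitionReason}"
SAMPLE_OUTPUT = """
[
  [
    {"Instance": "i-0aaaaaaaaaaaaaaa1", "LaunchTime": "2023-01-10T08:00:00+00:00",
     "Reason": "User initiated (2023-02-01 09:15:00 GMT)"},
    {"Instance": "i-0aaaaaaaaaaaaaaa2", "LaunchTime": "2023-01-10T08:00:00+00:00",
     "Reason": "User initiated (2024-05-20 12:00:00 GMT)"}
  ],
  [
    {"Instance": "i-0aaaaaaaaaaaaaaa3", "LaunchTime": "2022-11-01T00:00:00+00:00",
     "Reason": ""}
  ]
]
"""

# Timestamp embedded in StateTransitionReason, e.g. "User initiated (2023-02-01 09:15:00 GMT)"
STOP_TS = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")


def stopped_since(instance: dict) -> datetime:
    """Best available 'stopped since' time for one record.
    Prefer the stop time from StateTransitionReason; fall back to LaunchTime,
    which only bounds the stop from below (the instance cannot have been
    stopped longer than it has existed)."""
    m = STOP_TS.search(instance.get("Reason") or "")
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(instance["LaunchTime"].replace("Z", "+00:00"))


def find_stale(output_json: str, as_of: str, max_age_days: int = 90) -> list:
    """Return (instance_id, days_stopped, basis) for instances stopped longer than
    max_age_days as of the ISO-8601 timestamp as_of."""
    now = datetime.fromisoformat(as_of.replace("Z", "+00:00"))
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for reservation in json.loads(output_json):
        for inst in reservation:
            since = stopped_since(inst)
            if since < cutoff:
                basis = "stop-time" if STOP_TS.search(inst.get("Reason") or "") else "launch-time"
                stale.append((inst["Instance"], (now - since).days, basis))
    return stale


if __name__ == "__main__":
    for row in find_stale(SAMPLE_OUTPUT, datetime.now(timezone.utc).isoformat()):
        print("%s stopped %d days (based on %s)" % row)
```

Instances flagged on a launch-time basis have no stop timestamp in the output and should be confirmed in the console before termination.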
Implementation Plan:
Using AWS Console:
1. Log in to the AWS EC2 Console.
2. In the left pane, click Instances, then click Instances.
3. Select an EC2 instance that has been stopped for over 90 days.
4. In the Details tab, verify that the instance is not actively used.
5. Click Actions, then Instance State, and select Terminate instance.
6. Click Terminate to confirm the instance termination.
7. Repeat steps 3–6 for any other instances stopped for over 90 days.
Using AWS CLI:
For each EC2 instance that has been stopped for over 90 days, run the following command to terminate the instance:
aws ec2 terminate-instances --instance-ids <instance-id>
Verify that the instance has been terminated by checking the instance state.
Backout Plan:
Using AWS Console:
Once an EC2 instance is terminated, it cannot be restored unless a backup exists. Ensure that you have backups of any necessary data before terminating instances.
If termination was done in error, create a new EC2 instance with the required configuration or restore from backups.
Using AWS CLI:
Once an EC2 instance is terminated, it cannot be restored. If termination was accidental, you will need to launch a new instance with the required configurations.
Restore any necessary data from backups or snapshots taken before the instance was terminated.
References:
CIS Controls: