Profile Applicability:
• Level 2
Description:
When launching EC2 instances, it is recommended to use Amazon Elastic Block Store (EBS) volumes for persistent storage. EBS provides block-level storage that can be attached to EC2 instances and is ideal for storing data that needs to persist beyond instance termination.
Rationale:
Using EBS volumes for EC2 instances ensures that critical data is stored persistently and can survive instance terminations. Unlike instance store volumes, EBS volumes can be detached and reattached to other instances, providing greater flexibility and data durability. Additionally, EBS volumes support encryption and snapshots, further enhancing data protection.
Impact:
Pros:
Provides persistent storage that is independent of EC2 instance lifecycle
Enables data durability and flexibility with snapshot and backup capabilities
Supports encryption for data security
Scalable, with easy resizing of storage volumes as needed
Cons:
Additional cost for storage usage
Requires proper management to ensure volumes are correctly attached and secured
Requires monitoring to ensure optimal performance and cost efficiency
Default Value:
EC2 instances do not automatically include EBS volumes by default. EBS volumes must be manually selected and attached during instance creation.
Pre-requisites:
AWS account with appropriate IAM permissions to launch EC2 instances and create EBS volumes
Understanding of storage requirements for the EC2 instance
Defined security and encryption policies for EBS volumes (optional)
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to EC2 > Instances
Verify that instances are created with EBS volumes attached
Under the Storage section, check that Root Volume is an EBS volume
Ensure that any additional volumes attached are also EBS
Verify that EBS volumes are configured for encryption if required
Using AWS CLI:
Describe the EC2 instance and its attached volumes:
aws ec2 describe-instances --instance-ids <instance-id>
Verify the block devices attached to the instance:
aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=<instance-id>
Check the root device type (ebs or instance-store) together with the EBS volume IDs in the block device mappings:
aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[*].Instances[*].[InstanceId,RootDeviceType,BlockDeviceMappings[*].Ebs.VolumeId]"
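The two describe commands above return JSON; the following Python script is an added example (not part of the benchmark text) that runs the Test Plan checks over that JSON offline: EBS root device, EBS-backed mappings, and encryption of every attached volume. The instance and volume IDs in the embedded sample output are constructed placeholders in the shape of describe-instances and describe-volumes output.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` (Reservations/Instances)
# and `aws ec2 describe-volumes` (Volumes). IDs are placeholders, not real resources.
DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0example1", "RootDeviceType": "ebs", "RootDeviceName": "/dev/sda1",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0root", "DeleteOnTermination": true}},
     {"DeviceName": "/dev/sdf",  "Ebs": {"VolumeId": "vol-0data", "DeleteOnTermination": false}}]},
  {"InstanceId": "i-0example2", "RootDeviceType": "instance-store", "RootDeviceName": "/dev/sda1",
   "BlockDeviceMappings": []}
]}]}
""")
DESCRIBE_VOLUMES = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0root", "Encrypted": true},
  {"VolumeId": "vol-0data", "Encrypted": false}
]}
""")

def audit_instances(instances_doc, volumes_doc, require_encryption=True):
    """Return {instance_id: [finding, ...]} for the checks in the Test Plan:
    EBS root device, every block device mapping EBS-backed and, when
    require_encryption is set, every attached EBS volume encrypted.
    An empty finding list means the instance passed."""
    encrypted = {v["VolumeId"]: v.get("Encrypted", False) for v in volumes_doc["Volumes"]}
    report = {}
    for reservation in instances_doc["Reservations"]:
        for inst in reservation["Instances"]:
            findings = []
            if inst.get("RootDeviceType") != "ebs":
                findings.append("root device is %s, not ebs" % inst.get("RootDeviceType"))
            for mapping in inst.get("BlockDeviceMappings", []):
                ebs = mapping.get("Ebs")
                if ebs is None:  # defensive: describe-instances normally lists only EBS mappings
                    findings.append("%s is not an EBS volume" % mapping["DeviceName"])
                    continue
                vol_id = ebs["VolumeId"]
                if require_encryption and not encrypted.get(vol_id, False):
                    findings.append("%s (%s) is not encrypted" % (mapping["DeviceName"], vol_id))
            report[inst["InstanceId"]] = findings
    return report

if __name__ == "__main__":
    for instance_id, findings in audit_instances(DESCRIBE_INSTANCES, DESCRIBE_VOLUMES).items():
        print(instance_id, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

To run it against a real account, replace the two embedded documents with the saved output of the describe commands above.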
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to EC2 > Instances
Click Launch Instance to start the instance creation wizard
Select an AMI (Amazon Machine Image)
In the Instance Type section, choose the appropriate instance type
In the Configure Instance section, proceed with the defaults or customize as needed
In the Add Storage section, ensure that the Root Volume is an EBS volume
You can increase the size of the root volume or add additional EBS volumes if necessary
Review and launch the instance
Using AWS CLI:
Launch an EC2 instance with an EBS root volume:
aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type <instance-type> \
  --block-device-mappings "DeviceName=/dev/sda1,Ebs={VolumeSize=20,VolumeType=gp2,DeleteOnTermination=true}" \
  --key-name <key-name> \
  --security-group-ids <security-group-id> \
  --subnet-id <subnet-id>
This creates an EC2 instance with a 20 GB EBS root volume attached. The block device mapping is quoted because the braces would otherwise be subject to brace expansion in bash.
If additional EBS volumes are required, use the following command to attach an EBS volume to the instance after launch:
aws ec2 attach-volume \
  --volume-id <volume-id> \
  --instance-id <instance-id> \
  --device /dev/sdf
Backout Plan:
Using AWS Console:
Navigate to EC2 > Instances
Select the EC2 instance and stop it
Detach the EBS volume from the instance under the Volumes section
Optionally delete the EBS volume if no longer needed
Restart the EC2 instance if it needs to be used again without the EBS volume
Using AWS CLI:
Stop the EC2 instance:
aws ec2 stop-instances --instance-ids <instance-id>
Detach the EBS volume:
aws ec2 detach-volume --volume-id <volume-id>
Delete the EBS volume (if no longer required):
aws ec2 delete-volume --volume-id <volume-id>
Restart the EC2 instance:
aws ec2 start-instances --instance-ids <instance-id>