Profile Applicability:
 • Level 2

Description:

When launching EC2 instances, it is recommended to use Amazon Elastic Block Store (EBS) volumes for persistent storage. EBS provides block-level storage that can be attached to EC2 instances and is ideal for storing data that needs to persist beyond instance termination.

Rationale:

Using EBS volumes for EC2 instances ensures that critical data is stored persistently and can survive instance terminations. Unlike instance store volumes, EBS volumes can be detached and reattached to other instances, providing greater flexibility and data durability. Additionally, EBS volumes support encryption and snapshots, further enhancing data protection.

Impact:

Pros:

  • Provides persistent storage that is independent of EC2 instance lifecycle

  • Enables data durability and flexibility with snapshot and backup capabilities

  • Supports encryption for data security

  • Scalable, with easy resizing of storage volumes as needed

Cons:

  • Additional cost for storage usage

  • Requires proper management to ensure volumes are correctly attached and secured

  • Requires monitoring to ensure optimal performance and cost efficiency

Default Value:

EC2 instances do not automatically include EBS volumes by default. EBS volumes must be manually selected and attached during instance creation.

Pre-requisites:

  • AWS account with appropriate IAM permissions to launch EC2 instances and create EBS volumes

  • Understanding of storage requirements for the EC2 instance

  • Defined security and encryption policies for EBS volumes (optional)

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EC2 > Instances

  3. Verify that instances are created with EBS volumes attached

  4. Under the Storage section, check that Root Volume is an EBS volume

  5. Ensure that any additional volumes attached are also EBS

  6. Verify that EBS volumes are configured for encryption if required

Using AWS CLI:

  1. Describe the EC2 instance and its attached volumes:

     aws ec2 describe-instances --instance-ids <instance-id>

  2. Verify the block devices attached to the instance:

     aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=<instance-id>

  3. Check if the instance uses EBS as the root device (RootDeviceType is "ebs" for EBS-backed instances and "instance-store" otherwise):

     aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[*].Instances[*].[RootDeviceType,BlockDeviceMappings[*].Ebs.VolumeId]"
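The three CLI checks above can be combined into one offline audit over the JSON the CLI emits. The script below is an added example, not part of this benchmark; the describe-instances and describe-volumes samples are constructed, and the encryption check mirrors console step 6 (flag volumes that are not encrypted).

```python
# Constructed sample in the shape of `aws ec2 describe-instances` output (not a real account).
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0example00000001", "RootDeviceType": "ebs", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0example0000aa1", "DeleteOnTermination": True}},
         {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0example0000aa2", "DeleteOnTermination": False}}]},
    {"InstanceId": "i-0example00000002", "RootDeviceType": "instance-store", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
]}]}

# Constructed sample in the shape of `aws ec2 describe-volumes` output, indexed by VolumeId.
DESCRIBE_VOLUMES = {v["VolumeId"]: v for v in [
    {"VolumeId": "vol-0example0000aa1", "Encrypted": True, "VolumeType": "gp3"},
    {"VolumeId": "vol-0example0000aa2", "Encrypted": False, "VolumeType": "gp2"},
]}


def audit_instance(instance, volumes):
    """Return findings for one instance (empty list = compliant with this recommendation)."""
    findings = []
    if instance.get("RootDeviceType") != "ebs":
        findings.append("root device is not EBS-backed")
    for mapping in instance.get("BlockDeviceMappings", []):
        dev, ebs = mapping.get("DeviceName"), mapping.get("Ebs")
        if ebs is None:  # instance-store mappings carry VirtualName instead of Ebs
            findings.append(f"{dev}: not an EBS volume")
            continue
        vol = volumes.get(ebs.get("VolumeId"))
        if vol is None:
            findings.append(f"{dev}: volume {ebs.get('VolumeId')} not in describe-volumes output")
        elif not vol.get("Encrypted", False):
            findings.append(f"{dev}: volume {vol['VolumeId']} is not encrypted")
    return findings


def audit(describe_instances, volumes):
    """Map InstanceId -> findings for every instance in describe-instances output."""
    return {inst["InstanceId"]: audit_instance(inst, volumes)
            for res in describe_instances["Reservations"] for inst in res["Instances"]}


if __name__ == "__main__":
    for iid, findings in audit(DESCRIBE_INSTANCES, DESCRIBE_VOLUMES).items():
        print(iid, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

To run it against a real account, replace the two constants with `json.load` of the output of the describe-instances and describe-volumes commands shown above.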

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EC2 > Instances

  3. Click Launch Instance to start the instance creation wizard

  4. Select an AMI (Amazon Machine Image)

  5. In the Instance Type section, choose the appropriate instance type

  6. In the Configure Instance section, proceed with the defaults or customize as needed

  7. In the Add Storage section, ensure that the Root Volume is an EBS volume

    • You can increase the size of the root volume or add additional EBS volumes if necessary

  8. Review and launch the instance

Using AWS CLI:

Launch an EC2 instance with an EBS root volume:

     aws ec2 run-instances \
       --image-id <ami-id> \
       --instance-type <instance-type> \
       --block-device-mappings \
           DeviceName=/dev/sda1,Ebs={VolumeSize=20,VolumeType=gp2,DeleteOnTermination=true} \
       --key-name <key-name> \
       --security-group-ids <security-group-id> \
       --subnet-id <subnet-id>

This creates an EC2 instance with a 20 GB EBS root volume attached.

If additional EBS volumes are required, use the following command to attach an EBS volume to the instance after launch:

     aws ec2 attach-volume \
       --volume-id <volume-id> \
       --instance-id <instance-id> \
       --device /dev/sdf

Backout Plan:

Using AWS Console:

  1. Navigate to EC2 > Instances

  2. Select the EC2 instance and stop it

  3. Detach the EBS volume from the instance under the Volumes section

  4. Optionally delete the EBS volume if no longer needed

  5. Restart the EC2 instance if it needs to be used again without the EBS volume

Using AWS CLI:

  1. Stop the EC2 instance:

     aws ec2 stop-instances --instance-ids <instance-id>

  2. Detach the EBS volume:

     aws ec2 detach-volume --volume-id <volume-id>

  3. Delete the EBS volume (if no longer required):

     aws ec2 delete-volume --volume-id <volume-id>

  4. Restart the EC2 instance:

     aws ec2 start-instances --instance-ids <instance-id>

References: