Profile Applicability:

  • Level 1

Description:

This control ensures that Amazon EC2 instances running beyond a defined number of days (e.g., 90 days) are periodically reviewed to verify that they are still required, properly configured, and compliant with security and cost optimization policies. Identifying and auditing long-running EC2 instances helps detect unused, misconfigured, or outdated resources that may introduce security vulnerabilities or incur unnecessary expenses.

Rationale:

Over time, EC2 instances that are no longer needed may continue to run unnoticed, leading to increased operational costs, unpatched operating systems, and potential security risks. Regularly checking for older instances helps confirm that all active resources are still necessary, patched, and aligned with organizational policies for resource lifecycle management, cost efficiency, and compliance. This practice supports governance standards such as CIS, SOC 2, ISO 27001, and the AWS Well-Architected Framework.

Impact:

  • Positive Impact: Improves cost management, security posture, and operational hygiene by identifying outdated or unused EC2 instances for decommissioning or remediation.
  • Negative Impact: Requires ongoing tracking and review, which may increase administrative workload if automation is not implemented. Terminating an instance that is still in use causes an outage, so the owner confirmation step before termination must not be skipped.


Default Value:

AWS does not automatically monitor or flag EC2 instances based on their creation or runtime age. 

Pre-Requisite:

  • IAM permissions required: ec2:DescribeInstances for the audit (tags are returned by the same call, so ec2:DescribeTags is optional); ec2:TerminateInstances only for the principal that performs remediation; and sns:Publish if alerts are sent through Amazon SNS. Keep the audit role read-only.
  • Defined organizational policy for acceptable EC2 instance lifespan (e.g., 60, 90, or 180 days).


Remediation:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to EC2 → Instances.
  3. For each instance, review the Launch time column. Note that Launch time is reset whenever a stopped instance is started again, so it reflects the most recent start rather than the original creation; for instances that are routinely stopped and started, the RunInstances event in CloudTrail is the record of when the instance was created.
  4. Compare the launch time with the current date to identify instances older than the defined threshold (e.g., 90 days).
  5. Validate whether these older instances are:
    • Still required for business or operational purposes.

    • Running supported and patched operating systems.

    • Properly tagged for ownership and environment (e.g., production, test, staging).

  6. If outdated or unneeded instances are found, mark them for decommissioning or remediation.

Implementation Plan 

Using AWS Console:

  1. Manual Review:

    • Navigate to EC2 → Instances.

    • Sort instances by Launch time.

    • Document instances that have been running longer than the threshold (e.g., >90 days).

    • Contact instance owners (based on tagging) to confirm ongoing need.

    • After confirmation, create an AMI or EBS snapshot of the instance, stop it, and terminate it only once a grace period has passed with no reported impact. The snapshot is what the backout plan depends on.

  2. Automated Monitoring (Recommended):

    • Use a scheduled AWS Lambda function (for example, invoked by an Amazon EventBridge schedule rule) or a custom AWS Config rule backed by Lambda to automatically detect EC2 instances older than a set number of days.

    • Example automation flow:

      • AWS Lambda script queries EC2 instances using the DescribeInstances API.

      • Compares LaunchTime with the current date.

      • Flags or sends alerts via Amazon SNS or AWS Security Hub for instances exceeding the defined age.
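
The automation flow above, written out as an added example; this is not code from the benchmark or from AWS. find_old_instances() is plain Python over the Reservations list of a DescribeInstances response, so it runs offline against the constructed sample embedded below, and it also reports instances that lack the Owner and Environment tags the manual review depends on. scan_region() and lambda_handler() are the only parts that call AWS: they assume boto3 is installed, credentials are configured, the function is deployed as a scheduled Lambda, and the environment variables SNS_TOPIC_ARN and MAX_AGE_DAYS (names chosen for this example) are set. The execution role would need ec2:DescribeInstances and sns:Publish.

```python
# Added example: flag running EC2 instances whose LaunchTime is older than a threshold.
# Instance IDs, AMI IDs and tags in the sample data are made up for this example.
import os
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_AGE_DAYS = 90  # organizational threshold; 60/90/180 are common choices
REQUIRED_TAGS = ("Owner", "Environment")  # tags the review relies on to find a contact


def instance_age_days(launch_time, now=None):
    """Whole days since LaunchTime. Caveat: EC2 resets LaunchTime on every
    stop/start, so this is time since the last start, not since creation."""
    now = now or datetime.now(timezone.utc)
    if launch_time.tzinfo is None:
        launch_time = launch_time.replace(tzinfo=timezone.utc)
    return (now - launch_time).days


def tag_value(instance, key):
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), None)


def find_old_instances(reservations, max_age_days=DEFAULT_MAX_AGE_DAYS, now=None):
    """One finding per running instance older than max_age_days, oldest first.
    Non-running instances are skipped: they accrue no runtime and their LaunchTime is stale."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            age = instance_age_days(inst["LaunchTime"], now)
            if age <= max_age_days:
                continue
            findings.append({
                "InstanceId": inst["InstanceId"],
                "AgeDays": age,
                "ImageId": inst.get("ImageId"),
                "Owner": tag_value(inst, "Owner"),
                "Environment": tag_value(inst, "Environment"),
                # untagged instances are the ones nobody will claim; surface that explicitly
                "MissingTags": [k for k in REQUIRED_TAGS if tag_value(inst, k) is None],
            })
    return sorted(findings, key=lambda f: f["AgeDays"], reverse=True)


def format_alert(findings, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Plain-text summary suitable as the Message of an SNS publish."""
    if not findings:
        return f"No running EC2 instances older than {max_age_days} days."
    lines = [f"{len(findings)} running EC2 instance(s) older than {max_age_days} days:"]
    for f in findings:
        lines.append(
            f"  {f['InstanceId']}  age={f['AgeDays']}d  ami={f['ImageId']}  "
            f"owner={f['Owner'] or 'UNTAGGED'}  env={f['Environment'] or 'UNTAGGED'}"
        )
    return "\n".join(lines)


# Constructed sample in the shape of ec2.describe_instances()["Reservations"].
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa000000000001", "ImageId": "ami-0000000000000001",
     "State": {"Name": "running"}, "LaunchTime": NOW - timedelta(days=200),
     "Tags": [{"Key": "Owner", "Value": "payments-team"},
              {"Key": "Environment", "Value": "production"}]},
    {"InstanceId": "i-0aaa000000000002", "ImageId": "ami-0000000000000002",
     "State": {"Name": "running"}, "LaunchTime": NOW - timedelta(days=91),
     "Tags": []},  # one day past the threshold and nobody owns it
    {"InstanceId": "i-0aaa000000000003", "ImageId": "ami-0000000000000003",
     "State": {"Name": "running"}, "LaunchTime": NOW - timedelta(days=10)},
    {"InstanceId": "i-0aaa000000000004", "ImageId": "ami-0000000000000004",
     "State": {"Name": "stopped"}, "LaunchTime": NOW - timedelta(days=400)},
]}]


def scan_region(region_name, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Live variant: paginate DescribeInstances in one region with boto3 (assumed installed)."""
    import boto3  # imported lazily so the offline parts above need no SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate(
            Filters=[{"Name": "instance-state-name", "Values": ["running"]}]):
        reservations.extend(page["Reservations"])
    return find_old_instances(reservations, max_age_days)


def lambda_handler(event, context):
    """Scheduled-Lambda entry point (assumed deployment): scan the function's own
    region and publish the summary to the SNS topic named in SNS_TOPIC_ARN."""
    import boto3
    findings = scan_region(os.environ["AWS_REGION"],
                           int(os.environ.get("MAX_AGE_DAYS", DEFAULT_MAX_AGE_DAYS)))
    if findings:
        boto3.client("sns").publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                                    Subject="Long-running EC2 instances",
                                    Message=format_alert(findings))
    return {"flagged": len(findings)}


if __name__ == "__main__":
    print(format_alert(find_old_instances(SAMPLE_RESERVATIONS, now=NOW)))
```

Run stand-alone it prints two findings from the sample: the 200-day production instance with a known owner and the 91-day untagged one, while the 10-day instance and the stopped 400-day instance are left out. The stopped instance is deliberately excluded because its LaunchTime no longer says anything useful; if stopped-but-retained instances should also be reviewed, filter them in a separate pass keyed on their EBS volumes rather than on age.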

Backout Plan:

Using AWS Console:

  1. If an instance was mistakenly flagged, clear the flag and record the retention justification. A terminated instance cannot be un-terminated: its instance ID is gone, its root EBS volume is deleted by default (DeleteOnTermination), and any instance store data is lost. Recovery therefore means launching a replacement from the AMI or EBS snapshot taken before termination, then re-associating the Elastic IP, instance profile, and security groups it had.
  2. Maintain a change log or CMDB entry documenting each instance's review and retention justification.

References: