EC2 Instance Changes Alarm
More Info: AWS EC2 instance changes should be monitored using CloudWatch alarms.
Risk Level: Low
Address: Security
Compliance Standards: AWSWAF
Triage and Remediation
Remediation
When an EC2 instance changes alarm is triggered, it means that there has been a change in the state of an EC2 instance. This could be due to a number of reasons, such as a change in the instance type, security group, or IAM role. Here are the steps to remediate this issue in AWS using the AWS console:
- Log in to the AWS Management Console and navigate to the CloudWatch service.
- Click on “Alarms” in the left-hand menu and select the alarm that has been triggered.
- Click on the “Actions” dropdown and select “Disable Alarm” to stop receiving notifications while you work on remediation.
- Navigate to the EC2 service and select the instance that has triggered the alarm.
- Review the instance details to determine what has changed and what needs to be remediated. This could include changes to the instance type, security group, or IAM role.
- Make the necessary changes to remediate the issue. For example, if the instance type has changed, you may need to stop the instance and modify the instance type in the EC2 console.
- Once the remediation is complete, navigate back to the CloudWatch service and select the alarm that was triggered.
- Click on the “Actions” dropdown and select “Enable Alarm” to resume notifications.
By following these steps, you should be able to remediate the EC2 instance changes alarm in AWS using the AWS console.
The “EC2 Instance Changes” alarm is triggered when there is a change in the state of an EC2 instance, such as stopping or terminating the instance. To remediate this issue, follow the steps below using the AWS CLI:
- Open the AWS CLI on your local machine and run the following command to describe the alarm:
aws cloudwatch describe-alarms --alarm-names "EC2 Instance Changes"
- Identify the instance ID(s) that are causing the alarm.
- Stop or terminate the instance(s) using the following command:
aws ec2 stop-instances --instance-ids <instance-id>
or
aws ec2 terminate-instances --instance-ids <instance-id>
- Once the instance(s) have been stopped or terminated, run the following command to delete the alarm:
aws cloudwatch delete-alarms --alarm-names "EC2 Instance Changes"
Note: It is recommended to create a new alarm to monitor the state of the EC2 instances to avoid similar issues in the future.
To remediate the “EC2 Instance Changes Alarm” misconfiguration in AWS using Python, follow these steps:
- Import the necessary libraries:
import boto3
- Create a boto3 client for CloudWatch:
cw_client = boto3.client('cloudwatch')
- List the existing alarms:
existing_alarms = cw_client.describe_alarms()
- Find the alarm that is triggering the “EC2 Instance Changes” alarm:
ec2_alarm = None  # stays None when no alarm of that name exists
for alarm in existing_alarms['MetricAlarms']:
    if alarm['AlarmName'] == 'EC2 Instance Changes':
        ec2_alarm = alarm
        break
- Disable the alarm's actions:
# put_metric_alarm would need the full alarm definition (Namespace, Period, Statistic,
# Threshold, EvaluationPeriods, ComparisonOperator) and fails validation with only a name
# and metric name; disable_alarm_actions sets ActionsEnabled to False without redefining the alarm.
cw_client.disable_alarm_actions(AlarmNames=['EC2 Instance Changes'])
- Verify that the alarm is disabled:
existing_alarms = cw_client.describe_alarms()
for alarm in existing_alarms['MetricAlarms']:
    if alarm['AlarmName'] == 'EC2 Instance Changes':
        print(alarm['ActionsEnabled'])
The output should be False, indicating that the alarm is disabled.
Note: This solution assumes that you have the necessary permissions to modify CloudWatch alarms in your AWS account.
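The CLI note above recommends creating a fresh alarm that monitors EC2 instance state. As an added example (not the page's or the vendor's code), the following boto3 script builds that alarm the usual way: a CloudWatch Logs metric filter on the CloudTrail log group that counts instance lifecycle and attribute API calls, plus an alarm on the resulting metric; it also includes an alarm-lookup helper that handles the case the page's loop misses, where no alarm of that name exists. The log group name, SNS topic ARN and metric namespace are hypothetical placeholders, and CloudTrail is assumed to already deliver to that log group.

```python
# Hypothetical placeholders: replace with the resources in your account.
LOG_GROUP = "CloudTrail/DefaultLogGroup"  # log group CloudTrail delivers to
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"
ALARM_NAME = "EC2 Instance Changes"
METRIC_NAME = "EC2InstanceChangeCount"
NAMESPACE = "CloudTrailMetrics"

# CloudTrail event names that create, start, stop, reboot, terminate or reconfigure an instance.
EC2_CHANGE_EVENTS = ("RunInstances", "StartInstances", "StopInstances",
                     "RebootInstances", "TerminateInstances", "ModifyInstanceAttribute")


def metric_filter_pattern(events=EC2_CHANGE_EVENTS):
    """CloudWatch Logs JSON filter pattern matching any of the given eventName values."""
    clauses = " || ".join(f"($.eventName = {name})" for name in events)
    return "{ " + clauses + " }"


def ensure_ec2_change_alarm(logs, cw):
    """Create or update the metric filter and the alarm; returns the alarm parameters used."""
    logs.put_metric_filter(
        logGroupName=LOG_GROUP,
        filterName=ALARM_NAME,
        filterPattern=metric_filter_pattern(),
        metricTransformations=[{"metricName": METRIC_NAME,
                                "metricNamespace": NAMESPACE, "metricValue": "1"}],
    )
    alarm = dict(
        AlarmName=ALARM_NAME, MetricName=METRIC_NAME, Namespace=NAMESPACE,
        Statistic="Sum", Period=300, EvaluationPeriods=1, Threshold=1,
        ComparisonOperator="GreaterThanOrEqualToThreshold",
        TreatMissingData="notBreaching",  # no matching API calls is the normal state
        ActionsEnabled=True, AlarmActions=[SNS_TOPIC_ARN],
    )
    cw.put_metric_alarm(**alarm)
    return alarm


def alarm_actions_enabled(describe_response, name=ALARM_NAME):
    """ActionsEnabled flag of the named alarm, or None when no alarm by that name exists."""
    for alarm in describe_response.get("MetricAlarms", []):
        if alarm["AlarmName"] == name:
            return alarm["ActionsEnabled"]
    return None


if __name__ == "__main__":
    import boto3  # imported here so the helpers stay importable without AWS credentials
    ensure_ec2_change_alarm(boto3.client("logs"), boto3.client("cloudwatch"))
```

Run it with credentials that allow logs:PutMetricFilter and cloudwatch:PutMetricAlarm; afterwards `alarm_actions_enabled(cw.describe_alarms(AlarmNames=[ALARM_NAME]))` should return True.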