AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
EC2 Large Instance Changes Alarm
More Info:
AWS EC2 large instance changes should be monitored using CloudWatch alarms.
Risk Level
Low
Address
Cost optimization
Compliance Standards
AWSWAF
Triage and Remediation
Remediation
Here are the step-by-step instructions to remediate the “EC2 Large Instance Changes Alarm” misconfiguration in AWS using the AWS console:
-
Open the AWS Management Console and navigate to the CloudWatch service.
-
In the CloudWatch dashboard, click on the “Alarms” option from the left-hand menu.
-
Find the alarm for “EC2 Large Instance Changes” and click on it.
-
In the alarm details page, click on the “Actions” dropdown menu and select “Edit.”
-
In the “Edit Alarm” page, you can adjust the alarm threshold to your desired value. For example, if you want to receive an alarm when the instance size is larger than an m4.xlarge, you can set the threshold to ”>= m4.xlarge.”
-
After setting the threshold, click on the “Update Alarm” button to save your changes.
-
Verify that the alarm threshold has been updated by checking the “Current State” column in the alarm list. If the state is “OK,” the alarm has been successfully remediated.
By following these steps, you have successfully remediated the “EC2 Large Instance Changes Alarm” misconfiguration for AWS using the AWS console.
Here are the step-by-step instructions to remediate the “EC2 Large Instance Changes Alarm” misconfiguration in AWS using AWS CLI:
-
Open the AWS CLI on your local machine or EC2 instance.
-
Run the following command to describe the CloudWatch alarm that has been triggered due to the EC2 instance size change:
aws cloudwatch describe-alarms --alarm-name <alarm-name>Replace
<alarm-name>with the name of the alarm that has been triggered. -
Identify the EC2 instance that has been resized and note down its instance ID.
-
Run the following command to get the current instance type of the resized EC2 instance:
aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[*].Instances[*].InstanceType" --output textReplace
<instance-id>with the ID of the resized EC2 instance. -
Determine the instance type that the EC2 instance should be running on based on your application requirements.
-
Run the following command to modify the instance type of the resized EC2 instance:
aws ec2 modify-instance-attribute --instance-id <instance-id> --instance-type <instance-type>Replace
<instance-id>with the ID of the resized EC2 instance and<instance-type>with the instance type that the EC2 instance should be running on. -
Verify that the instance type of the resized EC2 instance has been updated by running the following command:
aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[*].Instances[*].InstanceType" --output textReplace
<instance-id>with the ID of the resized EC2 instance. -
Confirm that the CloudWatch alarm has been resolved by checking the CloudWatch console or running the following command:
aws cloudwatch describe-alarms --alarm-name <alarm-name>Replace
<alarm-name>with the name of the alarm that has been triggered. The alarm should show a status of “OK” once the EC2 instance size has been corrected.
That’s it! You have successfully remediated the “EC2 Large Instance Changes Alarm” misconfiguration in AWS using AWS CLI.
The EC2 Large Instance Changes Alarm is triggered when the size of an EC2 instance is increased or decreased. To remediate this issue, you can use the following steps:
Step 1: Create a Lambda function in AWS console
- Go to the AWS console and select the Lambda service.
- Click on the “Create function” button.
- Choose “Author from scratch” and give your function a name.
- Select “Python 3.8” as the runtime.
- Choose an existing or create a new execution role with the necessary permissions.
- Click on “Create function”.
Step 2: Add code to the Lambda function
- In the “Function code” section, paste the following code:
import boto3
def lambda_handler(event, context):
ec2 = boto3.client('ec2')
instance_id = event['detail']['instance-id']
instance_type = event['detail']['instance-type']
ec2.modify_instance_attribute(InstanceId=instance_id, Attribute='instanceType', Value=instance_type)
This code will modify the instance type of the instance that triggered the alarm to its original type.
Step 3: Add a CloudWatch Events rule
- Go to the AWS console and select the CloudWatch service.
- Click on “Rules” in the left-hand menu and then click on “Create rule”.
- Choose “Event pattern” as the rule type.
- In the “Event pattern” section, select “EC2 Instance State-change Notification” as the Event source.
- In the “Specific state(s)” section, select “running” and “stopped”.
- Click on “Add target” and select “Lambda function”.
- Choose the Lambda function you created in Step 1.
- Click on “Configure details”.
- Give your rule a name and description.
- Click on “Create rule”.
This CloudWatch Events rule will trigger your Lambda function whenever an EC2 instance changes state to “running” or “stopped”.
Step 4: Test the solution
- Go to the AWS console and select the EC2 service.
- Launch a new instance and wait for it to start running.
- Stop the instance and wait for it to stop.
- Check the CloudWatch Logs for your Lambda function to verify that it was triggered and successfully modified the instance type.
This solution will remediate the EC2 Large Instance Changes Alarm by automatically changing the instance type back to its original type.