EC2 Instance Tenancy
More Info:
EC2 instances should run with the tenancy (shared, dedicated, or host) that your security and regulatory compliance requirements call for. Shared (default) tenancy places the instance on physical hosts that also run other AWS customers' instances; some compliance regimes require single-tenant hardware, which means dedicated or host tenancy.
Risk Level
Low
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
EC2 instance tenancy describes the hardware an instance runs on. With default (shared) tenancy the instance shares physical hosts with other AWS accounts; with dedicated tenancy it runs as a Dedicated Instance on hardware used only by your account; with host tenancy it runs on a Dedicated Host you have allocated. This check flags instances whose Placement.Tenancy is default.

An existing instance cannot have its tenancy changed from default to dedicated or host, and cannot be changed from dedicated or host back to default. Only dedicated and host can be switched between each other, and only while the instance is stopped. The remediation therefore depends on the current tenancy.

For an instance with default tenancy, replace it:
- Login to your AWS console.
- Navigate to the EC2 dashboard and select the instance.
- Click the "Actions" button, then "Image and templates", then "Create image" to capture an AMI of the instance.
- Click "Launch instances", choose the new AMI, and under "Advanced details" set "Tenancy" to "Dedicated"; keep the subnet, security groups and instance profile of the original.
- Cut traffic over to the new instance, then stop and terminate the original.

For an instance with host tenancy, change it in place:
- Stop the instance.
- Click the "Actions" button, then "Instance settings", then "Modify instance placement".
- Set "Tenancy" to "Dedicated" and save.
- Start the instance; it now runs as a Dedicated Instance rather than on a Dedicated Host.

Note: Dedicated tenancy is billed at a higher rate than shared tenancy and may incur additional charges. Please review the pricing details before making the change. T3 instances with host tenancy cannot be switched to dedicated and must be replaced like default-tenancy instances.
The same distinction applies with the AWS CLI. The Placement.Tenancy field returned by describe-instances is default, dedicated, or host, and only the last two can be converted into each other in place. Here is how to remediate this issue using the AWS CLI:

- Identify the instances that are not running with dedicated tenancy:
aws ec2 describe-instances --filters Name=tenancy,Values=default,host --query 'Reservations[].Instances[].[InstanceId, InstanceType, State.Name, Placement.Tenancy]' --output text
This lists each non-compliant instance with its type, state and tenancy. Drop the --filters argument to list every instance.

- For an instance whose tenancy is default, there is no in-place change. Create an AMI from it and launch a replacement with dedicated tenancy:
aws ec2 create-image --instance-id <instance-id> --name "<instance-id>-dedicated-migration"
aws ec2 run-instances --image-id <ami-id> --instance-type <instance-type> --subnet-id <subnet-id> --security-group-ids <sg-id> --placement Tenancy=dedicated
Replace <instance-id>, <ami-id> (printed by create-image), <instance-type>, <subnet-id> and <sg-id> with the values of the original instance, and add --iam-instance-profile if it has one. Once the replacement is serving traffic, stop and terminate the original.

- For an instance whose tenancy is host, stop it and change the placement in place:
aws ec2 stop-instances --instance-ids <instance-id>
aws ec2 wait instance-stopped --instance-ids <instance-id>
aws ec2 modify-instance-placement --instance-id <instance-id> --tenancy dedicated
aws ec2 start-instances --instance-ids <instance-id>
Replace <instance-id> with the ID of the instance. modify-instance-placement returns an error if the instance is still running, if the requested change is from default tenancy, or if the instance is a T3 type with host tenancy.

- Verify by running the describe-instances command from step 1 again. The tenancy column should now show dedicated for instances changed in place, and replaced instances should no longer appear.

Note: Both paths involve downtime, a stop/start for the host case and a cutover for the default case. Plan accordingly to minimize the impact on your applications and users, and make sure the instance's data lives on EBS volumes, since instance store data is lost when an instance is stopped or replaced.
The same rule applies to the AWS SDK for Python (boto3): modify_instance_attribute has no tenancy attribute, and tenancy cannot be changed from default on an existing instance. The SDK exposes the same two paths as the CLI: modify_instance_placement for a stopped host-tenancy instance, and create_image plus run_instances with Placement={'Tenancy': 'dedicated'} to replace a default-tenancy instance. Here are the steps:

- Install boto3 using the following command:
pip install boto3

- Import the boto3 library, create an EC2 client object, and look up the instance's current tenancy and state:
import boto3

ec2 = boto3.client('ec2')
instance = ec2.describe_instances(InstanceIds=['your_instance_id'])['Reservations'][0]['Instances'][0]
tenancy = instance['Placement']['Tenancy']  # 'default', 'dedicated' or 'host'
state = instance['State']['Name']

- If the tenancy is host, stop the instance and use modify_instance_placement to switch it to dedicated (the call is rejected while the instance is running):
if tenancy == 'host':
    if state != 'stopped':
        ec2.stop_instances(InstanceIds=['your_instance_id'])
        ec2.get_waiter('instance_stopped').wait(InstanceIds=['your_instance_id'])
    ec2.modify_instance_placement(InstanceId='your_instance_id', Tenancy='dedicated')
    ec2.start_instances(InstanceIds=['your_instance_id'])

- If the tenancy is default, capture an AMI and launch a replacement with dedicated tenancy, reusing the original's instance type, subnet and security groups:
if tenancy == 'default':
    image = ec2.create_image(InstanceId='your_instance_id', Name='your_instance_id-dedicated-migration')
    ec2.get_waiter('image_available').wait(ImageIds=[image['ImageId']])
    ec2.run_instances(ImageId=image['ImageId'], InstanceType=instance['InstanceType'],
                      SubnetId=instance['SubnetId'],
                      SecurityGroupIds=[sg['GroupId'] for sg in instance['SecurityGroups']],
                      Placement={'Tenancy': 'dedicated'}, MinCount=1, MaxCount=1)
    # cut traffic over to the new instance, then terminate the original

- Verify that the tenancy configuration has been updated by using the describe_instances method to retrieve the instance details:
response = ec2.describe_instances(InstanceIds=['your_instance_id'])
print(response['Reservations'][0]['Instances'][0]['Placement']['Tenancy'])
This should return 'dedicated' for an instance changed in place; for the replacement path, query the new instance's ID instead.

Note: These calls require the ec2:DescribeInstances, ec2:StopInstances, ec2:StartInstances, ec2:ModifyInstancePlacement, ec2:CreateImage and ec2:RunInstances permissions.
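The CLI and boto3 steps above are per-instance. The following is an added example, not code from the original page or from AWS, that turns them into an account-wide audit: it walks a DescribeInstances response, decides for each instance which remediation the EC2 API permits (replace for default tenancy, in-place placement change for host tenancy, with the T3 exception), builds the RunInstances arguments for a replacement, and applies the in-place path through an injected client. The function names, the PlanOnlyClient recorder and the SAMPLE_RESPONSE data are assumptions made for this example; the sample instance IDs, subnets and security groups are constructed, not real resources.

```python
"""Audit EC2 tenancy and plan the remediation the EC2 API actually allows."""
from dataclasses import dataclass, field

SHARED, DEDICATED, HOST = "default", "dedicated", "host"


@dataclass
class Finding:
    instance_id: str
    tenancy: str
    state: str
    action: str
    instance: dict = field(default_factory=dict, repr=False)


def plan_action(tenancy, state, instance_type=""):
    """Map one instance to a remediation path.

    default   -> "replace": no in-place change; launch from an AMI with Tenancy=dedicated.
    host      -> "modify_placement": ModifyInstancePlacement(Tenancy=dedicated), accepted
                 only on a stopped instance (hence the stop_then_ variant); T3 instances
                 are the documented exception and must be replaced instead.
    dedicated -> "compliant".
    """
    if tenancy == DEDICATED:
        return "compliant"
    if tenancy == HOST:
        if instance_type.startswith("t3"):
            return "replace"
        return "modify_placement" if state == "stopped" else "stop_then_modify_placement"
    if tenancy == SHARED:
        return "replace"
    return "unknown"


def audit(describe_response):
    """Flatten a DescribeInstances response into one Finding per instance."""
    findings = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tenancy = inst.get("Placement", {}).get("Tenancy", SHARED)
            state = inst.get("State", {}).get("Name", "unknown")
            action = plan_action(tenancy, state, inst.get("InstanceType", ""))
            findings.append(Finding(inst["InstanceId"], tenancy, state, action, inst))
    return findings


def replacement_launch_args(inst, image_id):
    """RunInstances kwargs for a dedicated-tenancy replacement of `inst`.

    `image_id` is the AMI produced by CreateImage on the original. Type, AZ, subnet,
    security groups and instance profile are copied so the replacement lands beside it.
    """
    args = {
        "ImageId": image_id,
        "InstanceType": inst["InstanceType"],
        "MinCount": 1,
        "MaxCount": 1,
        "Placement": {"Tenancy": DEDICATED,
                      "AvailabilityZone": inst["Placement"]["AvailabilityZone"]},
        "SubnetId": inst["SubnetId"],
        "SecurityGroupIds": [sg["GroupId"] for sg in inst.get("SecurityGroups", [])],
    }
    if "IamInstanceProfile" in inst:
        args["IamInstanceProfile"] = {"Arn": inst["IamInstanceProfile"]["Arn"]}
    return args


def remediate_host_tenancy(ec2, finding):
    """Switch a host-tenancy instance to dedicated in place through `ec2`.

    `ec2` is a boto3 EC2 client or any object exposing the same method names.
    The instance is stopped first because ModifyInstancePlacement rejects running ones.
    """
    if not finding.action.endswith("modify_placement"):
        raise ValueError(f"{finding.instance_id}: {finding.action} is not an in-place change")
    if finding.state != "stopped":
        ec2.stop_instances(InstanceIds=[finding.instance_id])
        ec2.get_waiter("instance_stopped").wait(InstanceIds=[finding.instance_id])
    ec2.modify_instance_placement(InstanceId=finding.instance_id, Tenancy=DEDICATED)
    ec2.start_instances(InstanceIds=[finding.instance_id])


class PlanOnlyClient:
    """Constructed stand-in for boto3.client('ec2') that records calls instead of
    issuing them; use it for a dry run, then swap in the real client."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(*args, **kwargs):
            self.calls.append((name, kwargs))
            return self  # lets get_waiter(...).wait(...) chain onto the recorder
        return record


# Constructed sample DescribeInstances output (not real account data).
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "InstanceType": "m5.large", "State": {"Name": "running"},
     "SubnetId": "subnet-0aaa", "SecurityGroups": [{"GroupId": "sg-0aaa"}],
     "Placement": {"Tenancy": "default", "AvailabilityZone": "us-east-1a"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"}},
    {"InstanceId": "i-0bbb", "InstanceType": "c5.large", "State": {"Name": "running"},
     "SubnetId": "subnet-0bbb", "Placement": {"Tenancy": "host", "AvailabilityZone": "us-east-1b"}},
    {"InstanceId": "i-0ccc", "InstanceType": "r5.large", "State": {"Name": "running"},
     "SubnetId": "subnet-0ccc", "Placement": {"Tenancy": "dedicated", "AvailabilityZone": "us-east-1a"}},
    {"InstanceId": "i-0ddd", "InstanceType": "t3.medium", "State": {"Name": "stopped"},
     "SubnetId": "subnet-0ddd", "Placement": {"Tenancy": "host", "AvailabilityZone": "us-east-1a"}},
]}]}

if __name__ == "__main__":
    client = PlanOnlyClient()
    for f in audit(SAMPLE_RESPONSE):
        if f.action == "replace":
            print(f.instance_id, "-> launch replacement:", replacement_launch_args(f.instance, "ami-placeholder"))
        elif f.action.endswith("modify_placement"):
            remediate_host_tenancy(client, f)
            print(f.instance_id, "-> in-place:", [name for name, _ in client.calls])
        else:
            print(f.instance_id, "->", f.action)
```

Run as-is it prints the plan for the constructed sample; to run against an account, replace SAMPLE_RESPONSE with a paginated describe_instances call and PlanOnlyClient with boto3.client('ec2'). The replacement path is deliberately left as argument construction rather than an automatic launch, since the cutover and terminate steps belong in a maintenance window.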