EC2 Instances Should Not Reach vCPU Limit

More Info:

Monitoring vCPU-based limits for on-demand EC2 instances avoids resource starvation. Service Quotas is an AWS service that enables you to view and manage your quotas from a central location. Quotas, also referred to as limits, are the maximum value for your resources, actions, and items in your AWS account.

Risk Level

Medium

Address

Operational Maturity, Reliability

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the EC2 instances reaching vCPU limit misconfiguration in AWS using AWS CLI, follow the below steps:Step 1: Log in to the AWS Management Console.Step 2: Open the AWS CLI on your local machine.Step 3: Use the below command to describe the EC2 instances that have reached the vCPU limit:

aws ec2 describe-instances --query 'Reservations[].Instances[?CpuOptions.CpuCreditsRemaining==`0`].{InstanceID:InstanceId, vCPUs:CpuOptions.CoreCount}'

This command will display the list of instances that have reached the vCPU limit.Step 4: Stop the EC2 instances that have reached the vCPU limit using the below command:

aws ec2 stop-instances --instance-ids <instance-id>

Replace the <instance-id> with the actual instance ID of the instance that you want to stop.Step 5: Modify the instance type of the stopped instances using the below command:

aws ec2 modify-instance-attribute --instance-id <instance-id> --instance-type <new-instance-type>

Replace <instance-id> with the actual instance ID of the instance that you want to modify, and <new-instance-type> with the desired instance type.Step 6: Start the modified EC2 instances using the below command:

aws ec2 start-instances --instance-ids <instance-id>

Replace the <instance-id> with the actual instance ID of the instance that you want to start.By following these steps, you can remediate the EC2 instances reaching vCPU limit misconfiguration in AWS using AWS CLI.

Using Python

To remediate the EC2 Instances reaching vCPU limit misconfiguration in AWS using python, you can follow the below steps:Step 1: Identify the EC2 instances which are reaching vCPU limit using the boto3 library in python.

import boto3

# Create EC2 client
ec2 = boto3.client('ec2')

# Get all EC2 instances
reservations = ec2.describe_instances()

for reservation in reservations['Reservations']:
    for instance in reservation['Instances']:
        # Check if the instance is running and has a vCPU limit
        if instance['State']['Name'] == 'running' and 'CpuOptions' in instance and 'CoreCount' in instance['CpuOptions']:
            # Check if the instance is reaching the vCPU limit
            if instance['CpuOptions']['CoreCount'] >= instance['CpuOptions']['ThreadsPerCore']:
                # Remediate the misconfiguration by stopping and starting the instance
                ec2.stop_instances(InstanceIds=[instance['InstanceId']])
                ec2.start_instances(InstanceIds=[instance['InstanceId']])

Step 2: Stop and start the EC2 instances which are reaching the vCPU limit to remediate the misconfiguration.

# Stop and start the instances which are reaching the vCPU limit
ec2.stop_instances(InstanceIds=[instance['InstanceId']])
ec2.start_instances(InstanceIds=[instance['InstanceId']])

By following the above steps, you can remediate the EC2 Instances reaching vCPU limit misconfiguration in AWS using python.

Additional Reading:

https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

EC2 Instances Should Not Reach vCPU Limit

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: