More Info:

Monitoring vCPU-based limits for on-demand EC2 instances avoids resource starvation. Service Quotas is an AWS service that enables you to view and manage your quotas from a central location. Quotas, also referred to as limits, are the maximum value for your resources, actions, and items in your AWS account.

Risk Level

Medium

Address

Operational Maturity, Reliability

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “EC2 Instances Should Not Reach vCPU Limit” in AWS using the AWS console, follow the below steps:
  1. Open the AWS Management Console and navigate to the EC2 dashboard.
  2. Select the EC2 instance that is reaching the vCPU limit.
  3. Click on the “Actions” button and select “Instance Settings” and then click on “Change Instance Type”.
  4. Select a larger instance type that provides more vCPUs than the current instance type.
  5. Review the changes and click on “Apply”.
  6. Once the instance type is changed, the instance will have more vCPUs and the vCPU limit will no longer be reached.
Alternatively, you can also use AWS Auto Scaling to automatically adjust the instance type based on the resource utilization of the instance. This will ensure that the instance always has enough vCPUs and other resources to handle the workload.

To remediate the EC2 instances reaching vCPU limit misconfiguration in AWS using AWS CLI, follow the below steps:Step 1: Log in to the AWS Management Console.Step 2: Open the AWS CLI on your local machine.Step 3: Use the below command to describe the EC2 instances that have reached the vCPU limit:
aws ec2 describe-instances --query 'Reservations[].Instances[?CpuOptions.CpuCreditsRemaining==`0`].{InstanceID:InstanceId, vCPUs:CpuOptions.CoreCount}'
This command will display the list of instances that have reached the vCPU limit.Step 4: Stop the EC2 instances that have reached the vCPU limit using the below command:
aws ec2 stop-instances --instance-ids <instance-id>
Replace the <instance-id> with the actual instance ID of the instance that you want to stop.Step 5: Modify the instance type of the stopped instances using the below command:
aws ec2 modify-instance-attribute --instance-id <instance-id> --instance-type <new-instance-type>
Replace <instance-id> with the actual instance ID of the instance that you want to modify, and <new-instance-type> with the desired instance type.Step 6: Start the modified EC2 instances using the below command:
aws ec2 start-instances --instance-ids <instance-id>
Replace the <instance-id> with the actual instance ID of the instance that you want to start.By following these steps, you can remediate the EC2 instances reaching vCPU limit misconfiguration in AWS using AWS CLI.
To remediate the EC2 Instances reaching vCPU limit misconfiguration in AWS using python, you can follow the below steps:Step 1: Identify the EC2 instances which are reaching vCPU limit using the boto3 library in python.
import boto3

# Create EC2 client
ec2 = boto3.client('ec2')

# Get all EC2 instances
reservations = ec2.describe_instances()

for reservation in reservations['Reservations']:
    for instance in reservation['Instances']:
        # Check if the instance is running and has a vCPU limit
        if instance['State']['Name'] == 'running' and 'CpuOptions' in instance and 'CoreCount' in instance['CpuOptions']:
            # Check if the instance is reaching the vCPU limit
            if instance['CpuOptions']['CoreCount'] >= instance['CpuOptions']['ThreadsPerCore']:
                # Remediate the misconfiguration by stopping and starting the instance
                ec2.stop_instances(InstanceIds=[instance['InstanceId']])
                ec2.start_instances(InstanceIds=[instance['InstanceId']])
Step 2: Stop and start the EC2 instances which are reaching the vCPU limit to remediate the misconfiguration.
# Stop and start the instances which are reaching the vCPU limit
ec2.stop_instances(InstanceIds=[instance['InstanceId']])
ec2.start_instances(InstanceIds=[instance['InstanceId']])
By following the above steps, you can remediate the EC2 Instances reaching vCPU limit misconfiguration in AWS using python.

Additional Reading: