More Info:

To ensure that none of your AWS EC2 Reserved Instance purchases are pending.

Risk Level

Low

Address

Cost Optimisation

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Here are the step-by-step instructions to remediate the misconfiguration “EC2 Reserved Instances Should Not Have Payment Pending” for AWS using the AWS console:
  1. Log in to your AWS Management Console.
  2. Navigate to the EC2 Dashboard.
  3. Click on the “Reserved Instances” option from the left-hand side menu.
  4. In the Reserved Instances page, filter the results by selecting “Payment Pending” from the “Payment Status” dropdown.
  5. Select the Reserved Instance that has the “Payment Pending” status.
  6. Click on the “Actions” button at the top of the page and select “Modify Reserved Instances”.
  7. In the “Modify Reserved Instances” page, select the correct payment option and click on “Purchase”.
  8. Once the payment is completed, the Reserved Instance will be available for use.
  9. Verify that the Reserved Instance payment status has been updated to “Active” by checking the “Payment Status” column in the Reserved Instances page.
By following these steps, you can remediate the misconfiguration “EC2 Reserved Instances Should Not Have Payment Pending” for AWS using the AWS console.

To remediate the misconfiguration of EC2 Reserved Instances having payment pending in AWS using AWS CLI, follow the below steps:
  1. Identify the EC2 Reserved Instances that have payment pending by running the following command in AWS CLI:
aws ec2 describe-reserved-instances --filters Name=state,Values=payment-pending
  1. Note down the Reserved Instance ID of the EC2 Reserved Instance that has payment pending.
  2. Cancel the payment pending of the EC2 Reserved Instance by running the following command in AWS CLI: 
aws ec2 cancel-reserved-instances-listings --reserved-instances-id <ReservedInstanceID>
Replace <ReservedInstanceID> with the Reserved Instance ID noted in Step 2.
  1. Verify that the payment pending of the EC2 Reserved Instance has been cancelled by running the following command in AWS CLI:
aws ec2 describe-reserved-instances --filters Name=state,Values=payment-pending
This should return an empty response indicating that there are no EC2 Reserved Instances with payment pending.
  1. Finally, to avoid such misconfigurations in the future, set up billing alerts in AWS to get notified when there are any payment issues with your Reserved Instances.
To remediate the misconfiguration “EC2 Reserved Instances Should Not Have Payment Pending” in AWS using Python, you can follow these steps:
  1. Import the necessary AWS SDK modules in Python. For example, you can use the boto3 module to interact with AWS services.
import boto3
  1. Create an EC2 client object using the boto3.client() method.
ec2 = boto3.client('ec2')
  1. Use the describe_reserved_instances() method to get a list of all the reserved instances in your account.
reserved_instances = ec2.describe_reserved_instances()
  1. Iterate through the list of reserved instances and check if any of them have a payment pending status.
for reserved_instance in reserved_instances['ReservedInstances']:
    if reserved_instance['State'] == 'payment-pending':
        # Remediation code goes here
  1. If you find any reserved instances with a payment pending status, you can use the modify_reserved_instances() method to modify the payment option and complete the payment.
ec2.modify_reserved_instances(
    ReservedInstancesIds=[reserved_instance['ReservedInstancesId']],
    ReservedInstancesModification={
        'ModificationType': 'purchase',
        'TargetConfigurations': [
            {
                'InstanceCount': reserved_instance['InstanceCount'],
                'OfferingId': reserved_instance['OfferingId']
            }
        ]
    }
)
  1. Once the payment is completed, you can verify that the status of the reserved instance has changed to active using the describe_reserved_instances() method.
reserved_instances = ec2.describe_reserved_instances(
    ReservedInstancesIds=[reserved_instance['ReservedInstancesId']]
)
if reserved_instances['ReservedInstances'][0]['State'] == 'active':
    print('Reserved instance payment completed successfully.')
else:
    print('Error: Reserved instance payment not completed.')
  1. Finally, you can wrap the above code in a function and call it periodically to ensure that all reserved instances in your account have a valid payment status.
import boto3

def remediate_reserved_instance_payment_pending():
    ec2 = boto3.client('ec2')
    reserved_instances = ec2.describe_reserved_instances()
    for reserved_instance in reserved_instances['ReservedInstances']:
        if reserved_instance['State'] == 'payment-pending':
            ec2.modify_reserved_instances(
                ReservedInstancesIds=[reserved_instance['ReservedInstancesId']],
                ReservedInstancesModification={
                    'ModificationType': 'purchase',
                    'TargetConfigurations': [
                        {
                            'InstanceCount': reserved_instance['InstanceCount'],
                            'OfferingId': reserved_instance['OfferingId']
                        }
                    ]
                }
            )
            reserved_instances = ec2.describe_reserved_instances(
                ReservedInstancesIds=[reserved_instance['ReservedInstancesId']]
            )
            if reserved_instances['ReservedInstances'][0]['State'] == 'active':
                print('Reserved instance payment completed successfully.')
            else:
                print('Error: Reserved instance payment not completed.')
Note: The above code is just an example to remediate the misconfiguration “EC2 Reserved Instances Should Not Have Payment Pending” in AWS using Python. You may need to modify it based on your specific requirements and use case. Also, make sure to test the code in a non-production environment before running it in production.

Additional Reading: