This rule ensures that EC2 instances stopped for more than 30 days are promptly removed to optimize resource usage and security.
Rule | EC2 stopped instances should be removed in 30 days
Framework | NIST Cybersecurity Framework (CSF) v1.1
Severity | Low
Rule Description
According to the NIST Cybersecurity Framework (CSF) v1, it is important to remove EC2 instances that are in a stopped state after a certain period of time to ensure the security of the AWS infrastructure. In order to comply with this framework, EC2 instances that have been stopped for 30 days or longer should be removed from the AWS environment. This helps to minimize the attack surface and potential security risks.
Troubleshooting Steps (if applicable)
In case you encounter any issues related to removing stopped EC2 instances, you can follow these troubleshooting steps:
Check for any dependencies: Before removing an EC2 instance, make sure to review any dependencies it may have. This includes attached volumes, elastic IP addresses, security groups, load balancers, or any other resources associated with the instance. Removing an instance without addressing these dependencies can cause issues in your environment.
Permission issues: If you encounter permission errors while trying to remove instances, ensure that you have the IAM permissions needed to terminate EC2 instances (the ec2:TerminateInstances action on the instances in question). Check your IAM policies and roles to confirm they grant sufficient privileges.
Reserved instances: If you have any reserved instances, it is important to verify that removing a stopped EC2 instance does not impact the utilization of your reserved instances. Check the terms and conditions of your reserved instances before proceeding with the removal.
Review logs: If you still face issues, review your CloudTrail logs to identify any error messages or events that could indicate the reason behind the problem. This can help troubleshoot and pinpoint the root cause.
Necessary Codes (if applicable)
There are no specific codes required for this rule. The removal of stopped EC2 instances can be done using the AWS Management Console or AWS Command Line Interface (CLI).
Step-by-Step Guide for Remediation
To comply with the NIST CSF v1 and remove EC2 instances that have been in a stopped state for 30 days or longer, follow these step-by-step instructions:
Identify stopped EC2 instances: From the AWS Management Console, navigate to the EC2 service and click on the "Instances" link in the left-hand menu. On the Instances page, filter or sort the instances to identify those that have a "stopped" state and have been in this state for 30 days or more.
Review dependencies: For each identified stopped EC2 instance, review any attached volumes, elastic IP addresses, security groups, and other associated resources. Make sure to handle these dependencies before proceeding with the removal. You may need to detach volumes or release elastic IP addresses.
Terminate instances: Once you have identified and addressed any dependencies, select the stopped EC2 instances that have been in this state for 30 days or longer and click on the "Actions" button. From the dropdown menu, choose "Instance State" and then "Terminate".
Confirmation: In the confirmation dialog, review the instances to be terminated and click "Yes, Terminate" to proceed. Note that terminating an instance permanently deletes it along with any attached EBS volumes whose DeleteOnTermination flag is set (the root volume by default), so back up any data you still need before confirming.
Verify termination: After the termination process, confirm that the instances have been successfully removed from your AWS environment. You can check the Instances page again to ensure they no longer appear in the list.
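The identification and dependency-review steps above can be scripted rather than done by hand in the console. The following Python example is added here and is not part of the original page or of any AWS tooling; it works on the JSON shape returned by `aws ec2 describe-instances` (or boto3's `describe_instances`), which you would feed in from a real call. It relies on the fact that EC2 records the stop time inside the instance's `StateTransitionReason` string (for example `User initiated (2024-01-10 08:00:00 GMT)`), since there is no dedicated "stopped since" field. Instances whose reason string carries no parseable timestamp are reported separately for manual confirmation (for example via the CloudTrail StopInstances event) instead of being silently skipped. The sample reservations, instance IDs, volume IDs and addresses below are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# EC2 embeds the stop time in StateTransitionReason, e.g.
# "User initiated (2024-01-10 08:00:00 GMT)". There is no separate field for it.
_STOP_TIME_RE = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")


def parse_stop_time(reason):
    """Return the UTC stop timestamp parsed from StateTransitionReason, or None."""
    match = _STOP_TIME_RE.search(reason or "")
    if not match:
        return None
    return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def dependencies(instance):
    """Summarise resources that would outlive termination and need handling first."""
    # EBS volumes without DeleteOnTermination are left behind (and keep billing) after termination.
    orphan_volumes = [
        bdm["Ebs"]["VolumeId"]
        for bdm in instance.get("BlockDeviceMappings", [])
        if "Ebs" in bdm and not bdm["Ebs"].get("DeleteOnTermination", False)
    ]
    # A stopped instance keeps no auto-assigned public IP, so any association here is an Elastic IP.
    elastic_ips = [
        eni["Association"]["PublicIp"]
        for eni in instance.get("NetworkInterfaces", [])
        if eni.get("Association", {}).get("PublicIp")
    ]
    security_groups = [sg["GroupId"] for sg in instance.get("SecurityGroups", [])]
    return {
        "orphan_volumes": orphan_volumes,
        "elastic_ips": elastic_ips,
        "security_groups": security_groups,
    }


def find_stale_stopped(reservations, now=None, max_age_days=30):
    """Split stopped instances into (stale, needs_review).

    stale:        stopped for at least max_age_days, with their dependency summary
    needs_review: stopped, but the stop time could not be parsed; confirm manually
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    stale, needs_review = [], []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "stopped":
                continue
            stopped_at = parse_stop_time(inst.get("StateTransitionReason"))
            record = {"InstanceId": inst["InstanceId"], "stopped_at": stopped_at, **dependencies(inst)}
            if stopped_at is None:
                needs_review.append(record)
            elif stopped_at <= cutoff:
                stale.append(record)
    return stale, needs_review


# Constructed sample in the shape of describe-instances output (IDs and IPs are made up).
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {   # stopped 51 days before SAMPLE_NOW, with an orphan data volume and an Elastic IP
            "InstanceId": "i-0aaaaaaaaaaaaaaa1",
            "State": {"Name": "stopped"},
            "StateTransitionReason": "User initiated (2024-01-10 08:00:00 GMT)",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaaaaaaaaaaaaaa1", "DeleteOnTermination": True}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0bbbbbbbbbbbbbbb2", "DeleteOnTermination": False}},
            ],
            "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10"}}],
            "SecurityGroups": [{"GroupId": "sg-0aaaaaaaaaaaaaaa1"}],
        },
        {   # stopped only 5 days ago: not yet stale
            "InstanceId": "i-0bbbbbbbbbbbbbbb2",
            "State": {"Name": "stopped"},
            "StateTransitionReason": "User initiated (2024-02-25 12:00:00 GMT)",
        },
        {   # stopped, but no timestamp in the reason string: needs manual review
            "InstanceId": "i-0ccccccccccccccc3",
            "State": {"Name": "stopped"},
            "StateTransitionReason": "",
        },
        {   # running instances are ignored
            "InstanceId": "i-0ddddddddddddddd4",
            "State": {"Name": "running"},
            "StateTransitionReason": "",
        },
    ]}
]


if __name__ == "__main__":
    stale, review = find_stale_stopped(SAMPLE_RESERVATIONS, now=SAMPLE_NOW)
    for rec in stale:
        print("stale:", rec["InstanceId"], "stopped", rec["stopped_at"].date(), rec)
    for rec in review:
        print("needs review (no stop time):", rec["InstanceId"])
```

In practice, pipe the output of `aws ec2 describe-instances --filters Name=instance-state-name,Values=stopped` into `find_stale_stopped`, resolve the reported orphan volumes and Elastic IPs first (as the Review dependencies step requires), and only then terminate the stale IDs; keeping termination as a separate, deliberate step avoids deleting an instance whose stop time the script could not establish.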
Conclusion
By adhering to the NIST Cybersecurity Framework (CSF) v1 and removing EC2 instances that have been in a stopped state for 30 days or longer, you enhance the security of your AWS environment. Following the step-by-step guide provided ensures compliance with this rule and contributes to maintaining a robust and secure infrastructure.