Detection rules › Panther
AWS EC2 Instance Approved Tenancy
This policy ensures the given EC2 Instance is running with an approved tenancy option. The possible tenancy options are dedicated, host, and default.
Rule body yaml
AnalysisType: policy
Filename: aws_ec2_instance_approved_tenancy.py
PolicyID: "AWS.EC2.Instance.ApprovedTenancy"
DisplayName: "AWS EC2 Instance Approved Tenancy"
Enabled: false
ResourceTypes:
- AWS.EC2.Instance
Tags:
- AWS
- Configuration Required
Severity: Low
Description: >
This policy ensures the given EC2 Instance is running with an approved tenancy option. The possible tenancy options are dedicated, host, and default.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-ec2-instance-running-with-approved-tenancy
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html
Tests:
- Name: Instance Not Running With Required Tenancy
ExpectedResult: false
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "dedicated",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Running With Required Tenancy
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
Detection logic
Condition
Placement.Tenancy not in "default"
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
Placement.Tenancy | eq | default |