Detection rules › Panther
AWS EC2 Instance Detailed Monitoring
This policy ensures that the AWS Instance has Detailed Monitoring Enabled
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rule body yaml
AnalysisType: policy
Filename: aws_ec2_instance_detailed_monitoring.py
PolicyID: "AWS.EC2.Instance.DetailedMonitoring"
DisplayName: "AWS EC2 Instance Detailed Monitoring"
Enabled: true
ResourceTypes:
- AWS.EC2.Instance
Reports:
MITRE ATT&CK:
- TA0005:T1562
Tags:
- AWS
- Security Control
- Defense Evasion:Impair Defenses
- Debug
Severity: Low
Description: >
This policy ensures that the AWS Instance has Detailed Monitoring Enabled
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-ec2-instance-has-detailed-monitoring-enabled
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html
Tests:
- Name: Detailed Monitoring Disabled
ExpectedResult: false
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Detailed Monitoring Enabled
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "enabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Stopped
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 80, "Name": "stopped" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Shutting Down
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 32, "Name": "shutting-down" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Stopping Monitoring Disabled
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 64, "Name": "stopping" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Terminated Monitoring Disabled
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 48, "Name": "terminated" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Running Monitoring Disabled
ExpectedResult: false
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Pending Monitoring Disabled
ExpectedResult: false
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 0, "Name": "pending" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
Detection logic
Condition
not (State.Code gt "16" or Monitoring.State ne "disabled")
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
Monitoring.State | ne | disabled |
State.Code | gt | 16 |