Detection rules › Panther
AWS EC2 Instance EBS Optimization
This policy ensures EBS optimization is enabled for the given EC2 instance, if applicable.
Rule body yaml
AnalysisType: policy
Filename: aws_ec2_instance_ebs_optimization.py
PolicyID: "AWS.EC2.Instance.EBSOptimization"
DisplayName: "AWS EC2 Instance EBS Optimization"
Enabled: true
ResourceTypes:
- AWS.EC2.Instance
Tags:
- AWS
- Security Control
Severity: Low
Description: >
This policy ensures EBS optimization is enabled for the given EC2 instance, if applicable.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-ec2-instance-is-ebs-optimized
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html
Tests:
- Name: Instance Does Not Have EBS Optimization Enabled
ExpectedResult: false
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "c1.xlarge",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Has EBS Optimization Enabled
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": true,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "c1.xlarge",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
- Name: Instance Type Cannot Be Optimized
ExpectedResult: true
Resource:
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings":
[
{
"DeviceName": "/dev/xvda",
"Ebs":
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-0b111222333444",
},
},
],
"CapacityReservationId": null,
"CapacityReservationSpecification":
{
"CapacityReservationPreference": "open",
"CapacityReservationTarget": null,
},
"ClientToken": null,
"CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 },
"EbsOptimized": false,
"ElasticGpuAssociations": null,
"ElasticInferenceAcceleratorAssociations": null,
"EnaSupport": true,
"HibernationOptions": { "Configured": false },
"Hypervisor": "xen",
"IamInstanceProfile": null,
"ImageId": "ami-11122233344555",
"InstanceId": "i-111222333444555",
"InstanceLifecycle": null,
"InstanceType": "t2.micro",
"KernelId": null,
"KeyName": "key-1",
"LaunchTime": "2019-01-01T00:00:00Z",
"Licenses": null,
"Monitoring": { "State": "disabled" },
"NetworkInterfaces":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Attachment":
{
"AttachTime": "2019-01-01T00:00:00Z",
"AttachmentId": "eni-attach-111222333444",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attached",
},
"Description": "Primary network interface",
"Groups": [{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"InterfaceType": "interface",
"Ipv6Addresses": null,
"MacAddress": "de:ad:be:ef:00:00",
"NetworkInterfaceId": "eni-111222333444",
"OwnerId": "123456789012",
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"PrivateIpAddresses":
[
{
"Association":
{
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIp": "52.0.0.0",
},
"Primary": true,
"PrivateDnsName": "ip-10-0-0-o.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
},
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-111222333444",
"VpcId": "vpc-111222333444",
},
],
"Placement":
{
"Affinity": null,
"AvailabilityZone": "us-west-2b",
"GroupName": null,
"HostId": null,
"PartitionNumber": null,
"SpreadDomain": null,
"Tenancy": "default",
},
"Platform": null,
"PrivateDnsName": "ip-10-0-0-0.us-west-2.compute.internal",
"PrivateIpAddress": "10.0.0.0",
"ProductCodes": null,
"PublicDnsName": "ec2-52-0-0-0.us-west-2.compute.amazonaws.com",
"PublicIpAddress": "52.0.0.0",
"RamdiskId": null,
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups":
[{ "GroupId": "sg-111222333444", "GroupName": "base" }],
"SourceDestCheck": true,
"SpotInstanceRequestId": null,
"SriovNetSupport": null,
"State": { "Code": 16, "Name": "running" },
"StateReason": null,
"StateTransitionReason": null,
"SubnetId": "subnet-111222333",
"Tags": { "TagOne": "True" },
"VirtualizationType": "hvm",
"Volumes":
[
{
"Attachments":
[
{
"AttachTime": "2019-01-01T00:00:00Z",
"DeleteOnTermination": true,
"Device": "/dev/xvda",
"InstanceId": "i-111222333",
"State": "attached",
"VolumeId": "vol-111222333",
},
],
"AvailabilityZone": "us-west-2b",
"CreateTime": "2019-01-01T00:00:00Z",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 8,
"SnapshotId": "snap-111222333444",
"State": "in-use",
"Tags": { "TagOne": "True" },
"VolumeId": "vol-111222333444",
"VolumeType": "gp2",
},
],
"VpcId": "vpc-111222333444",
}
Detection logic
Condition
not (InstanceType not in ["c1.xlarge", "c3.xlarge", "c3.2xlarge", "c3.4xlarge", "g2.2xlarge", "i2.xlarge", "i2.2xlarge", "i2.4xlarge", "m1.large", "m1.xlarge", "m2.2xlarge", "m2.4xlarge", "m3.xlarge", "m3.2xlarge", "r3.xlarge", "r3.2xlarge", "r3.4xlarge"] or EbsOptimized eq "True")
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
InstanceType | in | c1.xlarge, c3.2xlarge, c3.4xlarge, c3.xlarge, g2.2xlarge, i2.2xlarge, i2.4xlarge, i2.xlarge, m1.large, m1.xlarge, m2.2xlarge, m2.4xlarge, m3.2xlarge, m3.xlarge, r3.2xlarge, r3.4xlarge, r3.xlarge |
EbsOptimized | eq | True |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
InstanceType | in |
|