More Info:

EC2 instances should have the required tenancy for security and regulatory compliance requirements.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Remediation

Using Console

EC2 Instance Tenancy refers to the physical host on which your EC2 instance runs. It can be either a shared tenancy or a dedicated tenancy. If the instance tenancy is set to default, it means that it is running on a shared host. To remediate this misconfiguration, follow the below steps:

  1. Login to your AWS console.

  2. Navigate to the EC2 dashboard.

  3. Select the EC2 instance for which you want to remediate the misconfiguration.

  4. Click on the “Actions” button and select “Instance Settings”.

  5. Select “Change Tenancy” from the drop-down menu.

  6. Choose the “Dedicated” option and click on “Apply”.

  7. Review the changes and click on “Confirm”.

  8. Your instance will be stopped and started again on a dedicated host.

Note: Changing the instance tenancy from default to dedicated may incur additional charges. Please review the pricing details before making the change.

Using CLI

The EC2 instance tenancy refers to the type of hardware on which your EC2 instances will run. There are two types of tenancy: shared and dedicated. Shared tenancy means that your instances will run on hardware that is shared with other AWS customers, while dedicated tenancy means that your instances will run on hardware that is dedicated to your account. Here’s how to remediate this issue for AWS using AWS CLI:

  1. Identify the EC2 instances that are using shared tenancy by running the following command:
aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId, InstanceType, Placement.Tenancy]' --output text

This command will list all instances along with their tenancy status.

  1. Stop the instance(s) that are using shared tenancy by running the following command:
aws ec2 stop-instances --instance-ids <instance-id>

Replace <instance-id> with the ID of the instance that you want to stop.

  1. Modify the instance(s) to use dedicated tenancy by running the following command:
aws ec2 modify-instance-attribute --instance-id <instance-id> --attribute instanceTenancy --value dedicated

Replace <instance-id> with the ID of the instance that you want to modify.

  1. Start the instance(s) that you stopped in step 2 by running the following command:
aws ec2 start-instances --instance-ids <instance-id>

Replace <instance-id> with the ID of the instance that you want to start.

  1. Verify that the instance(s) are now using dedicated tenancy by running the command in step 1 again. The Tenancy column should now show “dedicated” for the affected instance(s).

Note: Changing the tenancy of an instance requires stopping and starting the instance, which will result in downtime. You should plan accordingly to minimize the impact on your applications and users.

Using Python

The EC2 instance tenancy configuration refers to how the instance is placed on the underlying hardware of the host. There are two types of tenancy - shared and dedicated. Shared tenancy means that the instance is placed on hardware that is shared with other instances, while dedicated tenancy means that the instance is placed on hardware that is dedicated to it.

To remediate this misconfiguration for AWS using Python, you can use the AWS SDK for Python (boto3) to modify the instance tenancy configuration. Here are the steps:

  1. Install boto3 using the following command:
pip install boto3
  1. Import the boto3 library and create an EC2 client object:
import boto3

ec2 = boto3.client('ec2')
  1. Use the modify_instance_attribute method to modify the instance tenancy configuration. You will need to specify the instance ID and the tenancy type that you want to set. For example, to set the tenancy to dedicated, you can use the following code:
response = ec2.modify_instance_attribute(
    InstanceId='your_instance_id',
    Attribute='tenancy',
    Value='dedicated'
)
  1. Verify that the tenancy configuration has been updated by using the describe_instances method to retrieve the instance details:
response = ec2.describe_instances(InstanceIds=['your_instance_id'])
print(response['Reservations'][0]['Instances'][0]['Placement']['Tenancy'])

This should return ‘dedicated’ if the tenancy configuration has been successfully updated.

Note: You will need appropriate permissions to modify the instance tenancy configuration.

Additional Reading: