Elastic Compute Cloud Should Have Recovery Point

​

More Info:

This rule checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances. The rule is NON_COMPLIANT if the Amazon EC2 instance does not have a corresponding recovery point created within the specified time period.

​

Risk Level

High

​

Address

Configuration

​

Compliance Standards

CBP

​

Remediation

​

Using Console

To remediate the misconfiguration of not having a recovery point for an AWS EC2 instance, you can set up automated backups using AWS Backup. Here is a step-by-step guide on how to do this using the AWS Management Console:

1. Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and login to your AWS account.

2. Navigate to AWS Backup: In the AWS Management Console, search for “AWS Backup” in the services search bar and click on the AWS Backup service.

3. Create a Backup Plan:

   • Click on “Backup plans” in the left-hand navigation pane.
   • Click on the “Create backup plan” button.
   • Enter a name for your backup plan and a description (optional).
   • Under “Backup rule”, click on “Add rule”.
   • Configure the backup rule settings such as:
     • Backup frequency (e.g., daily)
     • Backup window
     • Lifecycle (how long to retain backups)
     • Backup vault (where to store the backups)
   • Click “Create plan” to save the backup plan.

4. Assign Backup Plan to EC2 Instance:

   • Go back to the AWS Backup console home page.
   • Click on “Protected resources” in the left-hand navigation pane.
   • Click on the “Add resource” button.
   • Select “EC2” as the resource type.
   • Select the specific EC2 instance(s) that you want to include in the backup plan.
   • Click “Add resource” to save the configuration.

5. Monitor Backups:

   • You can monitor the backups and their status under the “Protected resources” and “Backup plans” sections in the AWS Backup console.
   • You can also set up notifications for backup events by configuring Amazon CloudWatch Events.

By following these steps, you have successfully remediated the misconfiguration of not having a recovery point for your AWS EC2 instance by setting up automated backups using AWS Backup.

​

Using CLI

To remediate the misconfiguration of not having a recovery point for an AWS EC2 instance using AWS CLI, follow these steps:

1. Create a Snapshot of the EC2 Instance Volume:

   • Run the following AWS CLI command to create a snapshot of the EC2 instance volume:

     aws ec2 create-snapshot --volume-id <VOLUME_ID>
     

     Replace <VOLUME_ID> with the actual Volume ID of the EC2 instance.

2. Tag the Snapshot (Optional but recommended):

   • You can tag the snapshot for better organization. Run the following command to add tags to the snapshot:

     aws ec2 create-tags --resources <SNAPSHOT_ID> --tags Key=Name,Value=<SNAPSHOT_NAME>
     

     Replace <SNAPSHOT_ID> with the Snapshot ID generated in the previous step and <SNAPSHOT_NAME> with a descriptive name for the snapshot.

3. Verify the Snapshot:

   • You can verify the snapshot creation by running the following command:

     aws ec2 describe-snapshots --snapshot-ids <SNAPSHOT_ID>
     

     Replace <SNAPSHOT_ID> with the Snapshot ID obtained in step 1.

4. Automate Snapshot Creation (Optional):

   • To ensure regular snapshots are taken, you can set up a scheduled snapshot creation using AWS Lambda and CloudWatch Events.

By following these steps, you have successfully remediated the misconfiguration by creating a recovery point (snapshot) for the AWS EC2 instance using AWS CLI.

​

Using Python

To remediate the misconfiguration of not having a Recovery Point for an AWS EC2 instance using Python, you can create a new Amazon Machine Image (AMI) of the EC2 instance. Follow these steps:

1. Install Boto3: Boto3 is the AWS SDK for Python. You can install it using pip:

   pip install boto3
   

2. Create a new AMI: Use the following Python script to create a new AMI of the EC2 instance. Replace INSTANCE_ID with the ID of the EC2 instance for which you want to create a Recovery Point.

   import boto3
   
   # Initialize the EC2 client
   ec2 = boto3.client('ec2')
   
   # Define the instance ID for which you want to create a Recovery Point
   INSTANCE_ID = 'YOUR_INSTANCE_ID'
   
   # Create a new AMI of the instance
   response = ec2.create_image(
       InstanceId=INSTANCE_ID,
       Name='Recovery-Point-Image',
       NoReboot=True  # Set to True if you want to create the AMI without rebooting the instance
   )
   
   # Print the response
   print(response)
   

3. Run the Python script: Save the above script in a Python file (e.g., create_ami.py) and run it using the following command:

   python create_ami.py
   

4. Verify the AMI: Go to the AWS Management Console, navigate to the EC2 service, and check if a new AMI with the name ‘Recovery-Point-Image’ has been created. This AMI can be used to restore the EC2 instance to a previous state if needed.

By following these steps and running the Python script, you can create a Recovery Point for an AWS EC2 instance by creating a new Amazon Machine Image.