AWS best practices: Amazon Elastic Compute Cloud

Amazon Elastic Compute Cloud (EC2) is a prominent web service that provides computational capabilities using virtual machines or instances in the AWS cloud. The widespread use of EC2 compute resources in various organizations can be credited to the ease with which resources can be scaled.

What is Amazon EC2 used for?

Amazon EC2 is a powerhouse of computational features. The major ones include:

  • High scalability: Cloud resources in EC2 instances scale up or down automatically based on the varying loads on an application at a given time; this is thanks to AWS Auto Scaling.
  • Simple management: It’s easier to deploy virtual servers and manage cloud storage rather than handle the resource setup on-premises.
  • Pay-as-you-go: You only pay for the hours you’ve used.
  • Flexibility: Select any instance size, memory, CPU, or boot partition size according to the OS you choose.

AWS best practices for EC2 instances

Though EC2 boasts built-in security and better control over servers, managing the complete fleet of resources becomes laborious as the AWS infrastructure scales. To obtain the maximum benefit and fulfill the requirements of your target workloads, let's check out the best practices for EC2 instances.

1. Optimizing the usage of EC2 instances

Many organizations utilizing the AWS cloud leverage EC2 instances for their computational needs, which account for a significant portion of their cloud costs. Optimizing EC2 costs and capacity usage is crucial to minimize your AWS bill and maximize the value you get from the service.

(i) Get notified about idle or underutilized EC2 instances.

If EC2 instances are left idle, you may be in for a surprise when you get your AWS bill, since you'll be charged for any time an instance is running, even if it's just for a few hours. An efficient monitoring tool can notify you of idle EC2 instances by monitoring for periods when both the CPU utilization and the total number of bytes transmitted or received on all network interfaces are below a threshold. And if the CPU utilization has been under your configured threshold for the past couple of hours, the instance may be underutilized. You might consider stopping or terminating such instances, or scaling down their size.

(ii) Alert on high instance utilization.

Monitor your EC2 instances to identify if their average daily CPU usage is over a certain threshold. By checking the performance of Amazon EC2, you can pinpoint instances that appear to be highly utilized, and change the instance size or add the instance to an Auto Scaling group.
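The two checks above (idle/underutilized in (i), high utilization in (ii)) as one piece of detection logic. This is an added example, not code from the original post; it takes CloudWatch-style hourly series (CPUUtilization percent, NetworkIn + NetworkOut bytes) and the thresholds and fleet data are constructed placeholders.

```python
# Added example (not from the original post): classify EC2 instances as idle,
# underutilized or hot from CloudWatch-style hourly samples. Metric names follow
# CloudWatch (CPUUtilization, NetworkIn/NetworkOut); the fleet data is constructed.
from statistics import mean

IDLE_CPU_PCT = 2.0          # CPU below this AND network below IDLE_NET_BYTES -> idle
IDLE_NET_BYTES = 5_000_000  # NetworkIn + NetworkOut per hour, in bytes
UNDERUSED_CPU_PCT = 10.0    # sustained CPU below this -> underutilized
HOT_CPU_PCT = 80.0          # average daily CPU above this -> resize or add to an ASG
LOOKBACK_HOURS = 4          # the "past couple of hours" window for idle/underused checks

def classify(cpu_hourly, net_hourly):
    """Return 'idle', 'underutilized', 'hot' or 'ok' for one instance.

    cpu_hourly: hourly average CPUUtilization percentages, oldest first
    net_hourly: hourly NetworkIn + NetworkOut totals in bytes, oldest first
    """
    if not cpu_hourly or len(cpu_hourly) != len(net_hourly):
        raise ValueError("need equal-length, non-empty metric series")
    recent_cpu = cpu_hourly[-LOOKBACK_HOURS:]
    recent_net = net_hourly[-LOOKBACK_HOURS:]
    # Idle: CPU and network both under threshold for the whole lookback window.
    if all(c < IDLE_CPU_PCT for c in recent_cpu) and all(n < IDLE_NET_BYTES for n in recent_net):
        return "idle"
    # Underutilized: CPU under threshold for the whole window, whatever the network did.
    if all(c < UNDERUSED_CPU_PCT for c in recent_cpu):
        return "underutilized"
    # Hot: average CPU over the full daily series above threshold.
    if mean(cpu_hourly) > HOT_CPU_PCT:
        return "hot"
    return "ok"

def review_fleet(fleet):
    """fleet: {instance_id: (cpu_hourly, net_hourly)} -> {instance_id: label}."""
    return {iid: classify(cpu, net) for iid, (cpu, net) in fleet.items()}

# Constructed 24-hour samples with placeholder instance ids.
SAMPLE_FLEET = {
    "i-idle-example": ([0.5] * 24, [100_000] * 24),
    "i-underused-example": ([3.0] * 20 + [6.0] * 4, [50_000_000] * 24),
    "i-hot-example": ([90.0] * 24, [2_000_000_000] * 24),
    "i-ok-example": ([40.0] * 24, [500_000_000] * 24),
}

if __name__ == "__main__":
    for iid, label in review_fleet(SAMPLE_FLEET).items():
        print(f"{iid}: {label}")
```

In practice the series would come from CloudWatch GetMetricStatistics for each instance; the labels map directly to the stop/terminate/resize or Auto Scaling actions the post recommends.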

2. Enhancing fault tolerance

(i) Protect against EC2 instance termination.

When an Auto Scaling group scales in, it will start terminating instances with the oldest launch configuration due to the default termination policy in AWS. Proactive AWS monitoring helps you check the configuration of EC2 instances to see whether termination protection is enabled. Termination protection safeguards your instances from accidental deletion and ensures that the Auto Scaling policy doesn't terminate a specific EC2 instance while scaling in.

(ii) Automatically restart an EC2 instance or system when the status check fails.

AWS performs automatic system status checks and instance status checks to monitor the operational health of the AWS infrastructure hosting your Amazon EC2 instance. Improve your EC2 instance’s reliability by using an AWS monitoring tool to set up automated actions to restart a system or instance when the status check fails.

3. EC2 security best practices

(i) Audit IAM roles for Amazon EC2.

In a microservices architecture, the application running on EC2 instances needs to access resources running on other AWS services like S3, Lambda, or RDS. To provide access, you can either create and distribute AWS credentials (and take up the overhead of rotating or updating them in the future) or delegate permissions to the instances to make API requests using IAM roles. Leverage a monitoring tool to check the configuration of monitored EC2 instances and identify resources with no IAM roles. Using this information, you can choose to create an IAM role for your EC2 instance to delegate permissions or perform actions on your behalf.

(ii) Identify security groups that grant unrestricted access.

Protect your instances against threats like brute-force attacks, Denial-of-Service (DoS) attacks, and man-in-the-middle (MITM) attacks, and prevent data loss. Ensure that your AWS monitoring tool can pinpoint the security groups that grant unrestricted internet access on the following ports: 20, 21, 22, 1433, 1434, 3306, 3389, 4333, 5432, and 5500. Implement EC2 instance-level access restrictions and expose only TCP ports 80 and 443 to the internet to minimize the opportunities for an attacker.
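The security-group check from (ii) as an audit routine, added here as an example rather than taken from the original post. The input mirrors the shape of the EC2 DescribeSecurityGroups `IpPermissions` structure; the group ids and rules are constructed, and the list of sensitive ports is the one given above. It also handles the two cases a naive port comparison misses: a port range that happens to include a sensitive port, and `IpProtocol` `-1` (all traffic).

```python
# Added example (not from the original post): flag security-group ingress rules that
# expose the sensitive ports listed above to the whole internet. Input mirrors the
# shape of EC2 DescribeSecurityGroups "IpPermissions"; sample groups are constructed.
SENSITIVE_PORTS = {20, 21, 22, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
ANYWHERE = {"0.0.0.0/0", "::/0"}  # source CIDRs that mean "unrestricted"

def _open_sources(rule):
    """Unrestricted CIDRs (IPv4 or IPv6) that a rule grants access from."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)

def _sensitive_ports_covered(rule):
    """Sensitive ports a rule reaches; IpProtocol -1 means all traffic/ports."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if proto not in ("tcp", "udp") or lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def audit_security_group(group):
    """Return (group_id, port, source_cidr) findings for one security group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        sources = _open_sources(rule)
        if not sources:
            continue  # limited to specific CIDRs or SG references: not a finding
        for port in sorted(_sensitive_ports_covered(rule)):
            findings.extend((group["GroupId"], port, src) for src in sources)
    return findings

def audit_all(groups):
    return [f for g in groups for f in audit_security_group(g)]

# Constructed sample: a web-only group (acceptable: only 80/443 open) and an
# over-permissive group with SSH, a port range covering 3306/3389, and all-traffic IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-open-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
```

Each finding names the group, the exposed port and the unrestricted source, which is what you need to tighten the rule to a specific CIDR or security-group reference.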

Security standards that align with these best practices

Any organization must follow certain security standards and compliance certifications to align with the global regulatory agencies for cloud security. The Amazon EC2 best practices mentioned above cover the following standards:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • General Data Protection Regulation (GDPR)
  • National Institute of Standards and Technology (NIST)
  • Australian Prudential Regulation Authority (APRA)
  • Monetary Authority of Singapore (MAS)
  • Health Insurance Portability and Accountability Act (HIPAA)

Use these best practices to verify that your Amazon EC2 environment adheres to the list of security and compliance standards for public clouds.

Why is Amazon EC2 monitoring necessary?

An overwhelming majority of companies utilize Amazon EC2, as it allows rapid provisioning to meet any demand. Obtaining details on EC2 resource constraints or resource usage is mandatory to optimize your cloud ecosystem. Furthermore, both hypervisor-level and system-level metrics are essential to augment your CloudWatch data with OS context.

A proactive EC2 monitoring solution can help close configuration gaps before they become incidents and give you visibility into performance, availability, memory, and disk metrics from a unified dashboard. Look for a tool that provides basic infrastructure metrics via a native CloudWatch integration along with system-level performance counters. Ideally, choose an AI-powered AWS monitoring tool with a built-in best practice check.