Amazon EC2

Instance vCPU On-Demand Limit

This plugin determines if the number of EC2 On-Demand instances is close to the regional vCPU based limit

Risk Level: Low

Description

This plugin determines if the number of EC2 On-Demand instances is close to the regional vCPU-based limit. AWS limits each account to a certain number of resources per region; exceeding those limits prevents new resources from launching.

Configuration Parameters


Instance Limit Threshold: This parameter specifies the percentage of the regional vCPU limit at which an issue is raised. An issue is created when the number of vCPUs in use exceeds the provided threshold percentage of the limit.

By default, the value is 90, so the plugin returns an alert when the number of vCPUs in use exceeds 90% of the limit.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without managing the underlying hardware. Security groups act as a firewall for an EC2 instance, controlling its incoming and outgoing traffic. You can read more about security groups here.

Impact

If the number of vCPUs in use exceeds the current limit, new instances cannot be launched, which blocks scaling up your infrastructure. It is therefore recommended to request an increase of the vCPU limit for EC2 instances before the limit is reached.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if you are already logged in.
  3. Move to the Limits section from the left navigation pane.
  4. Search for Running On-Demand and find the Current Limit for it.
  5. Now move to the Instances section from the left navigation pane.
  6. Select an active instance of the instance type you are checking. Scroll down to the Host and placement group section and find the number of vCPUs consumed by the instance.
  7. Calculate the total vCPUs of all running instances of the instance type you are investigating. If the total exceeds the specified threshold percentage of the limit, the vulnerability exists.
  8. Repeat steps for all the regions you want to investigate.
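The following Python is an added example, not the plugin's own code, that performs the same check as the console steps above for one region: it sums the vCPUs of running On-Demand instances (cores times threads per core, as shown in the console), excludes Spot and stopped instances, and flags usage above the threshold percentage of the limit. The instance records follow the field layout of the ec2:DescribeInstances API, the sample data is constructed, and the live variant assumes boto3 with AWS credentials and uses the Service Quotas code for "Running On-Demand Standard instances", which you should confirm for your account and instance family.

```python
"""Evaluate EC2 On-Demand vCPU usage in a region against the regional vCPU
limit. Added example, not the plugin's own code. Instance records follow the
field layout of ec2:DescribeInstances; the sample data below is constructed."""

DEFAULT_THRESHOLD = 90  # percent; the plugin's default Instance Limit Threshold

# Constructed sample instances (not real account data). Only the fields the
# check needs are present. On-Demand instances carry no InstanceLifecycle
# field; Spot instances carry InstanceLifecycle == "spot".
SAMPLE_INSTANCES = [
    {"InstanceId": "i-00000000000000001", "InstanceType": "m5.large",
     "State": {"Name": "running"},
     "CpuOptions": {"CoreCount": 1, "ThreadsPerCore": 2}},   # 2 vCPUs
    {"InstanceId": "i-00000000000000002", "InstanceType": "t3.medium",
     "State": {"Name": "running"},
     "CpuOptions": {"CoreCount": 1, "ThreadsPerCore": 2}},   # 2 vCPUs
    {"InstanceId": "i-00000000000000003", "InstanceType": "c5.4xlarge",
     "State": {"Name": "running"},
     "CpuOptions": {"CoreCount": 8, "ThreadsPerCore": 2}},   # 16 vCPUs
    {"InstanceId": "i-00000000000000004", "InstanceType": "c5.2xlarge",
     "State": {"Name": "running"}, "InstanceLifecycle": "spot",
     "CpuOptions": {"CoreCount": 4, "ThreadsPerCore": 2}},   # Spot: excluded
    {"InstanceId": "i-00000000000000005", "InstanceType": "m5.xlarge",
     "State": {"Name": "stopped"},
     "CpuOptions": {"CoreCount": 2, "ThreadsPerCore": 2}},   # stopped: excluded
]


def instance_vcpus(instance):
    """vCPUs of one instance: cores x threads per core (the console's vCPUs value)."""
    cpu = instance.get("CpuOptions", {})
    return int(cpu.get("CoreCount", 0)) * int(cpu.get("ThreadsPerCore", 1))


def counts_against_on_demand_limit(instance):
    """Only running instances count, and Spot capacity has a separate limit."""
    running = instance.get("State", {}).get("Name") == "running"
    on_demand = instance.get("InstanceLifecycle") is None
    return running and on_demand


def total_on_demand_vcpus(instances):
    """Step 7 of the procedure: sum the vCPUs of all running On-Demand instances."""
    return sum(instance_vcpus(i) for i in instances
               if counts_against_on_demand_limit(i))


def evaluate_usage(used_vcpus, vcpu_limit, threshold=DEFAULT_THRESHOLD):
    """FAIL when usage exceeds threshold percent of the limit, else PASS."""
    if vcpu_limit <= 0:
        # A zero or unknown quota cannot be evaluated; report that instead
        # of dividing by zero or silently passing.
        return {"status": "UNKNOWN", "used": used_vcpus,
                "limit": vcpu_limit, "percent": None}
    percent = used_vcpus * 100.0 / vcpu_limit
    status = "FAIL" if percent > threshold else "PASS"
    return {"status": status, "used": used_vcpus,
            "limit": vcpu_limit, "percent": percent}


def check_region(instances, vcpu_limit, threshold=DEFAULT_THRESHOLD):
    """Run the whole check for one region's instance list."""
    return evaluate_usage(total_on_demand_vcpus(instances), vcpu_limit, threshold)


def fetch_and_check(region, quota_code="L-1216C47A", threshold=DEFAULT_THRESHOLD):
    """Live variant. Assumes boto3 and AWS credentials; boto3 is imported
    lazily so the rest of the module runs offline. quota_code defaults to the
    Service Quotas code for 'Running On-Demand Standard instances'; confirm
    the code for your account and instance family in the Service Quotas console."""
    import boto3  # assumption: boto3 is installed

    ec2 = boto3.client("ec2", region_name=region)
    instances = [i for page in ec2.get_paginator("describe_instances").paginate()
                 for r in page["Reservations"] for i in r["Instances"]]
    quotas = boto3.client("service-quotas", region_name=region)
    limit = quotas.get_service_quota(ServiceCode="ec2",
                                     QuotaCode=quota_code)["Quota"]["Value"]
    return check_region(instances, limit, threshold)


if __name__ == "__main__":
    # Constructed limit of 32 vCPUs: 20 of 32 in use is 62.5%, under the 90% default.
    print(check_region(SAMPLE_INSTANCES, 32))
```

Run the module as-is to see the constructed case evaluated against a limit of 32; call fetch_and_check("us-east-1") (or any region) with credentials to evaluate a real region. Repeat the call per region, since the limit and the usage are both regional.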

Steps for Remediation

Request a limit increase from AWS Support to raise the number of vCPUs available for On-Demand instances in the affected region.

  1. Log In to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if you are already logged in.
  3. Move to the Limits section from the left navigation pane.
  4. Search for Running On-Demand and select the radio button next to the instance type for which you wish to increase the limit.
  5. Click Request limit increase in the top right corner. It will redirect you to the AWS Support page.
  6. Specify the region and the use case for which you want to increase the limit and send the request. The support team will contact you for further action.
  7. Repeat steps for other regions as well.