
Metadata

Id: 338b6cab-961d-4998-bb49-e5b6a11c9a5c

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Best Practices


Description

EC2 instances must be EBS-optimized to ensure consistent, high-performance EBS I/O and reduce contention between EBS traffic and other instance operations.

For Ansible EC2 tasks that use the amazon.aws.ec2_instance or ec2_instance module, the ebs_optimized property must be defined and set to true for instance types that are not EBS-optimized by default. If instance_type is omitted, the default t2.micro is assumed. Tasks missing the ebs_optimized property or with ebs_optimized: false are reported. Instance types that are EBS-optimized by default are exempt when the property is omitted (the m5.large task in the compliant examples); an explicit ebs_optimized: false on such a type is still reported (the t3.nano task in the non-compliant examples).

Secure configuration example:

- name: Launch EBS-optimized EC2
  amazon.aws.ec2_instance:
    name: my-instance
    instance_type: m5.large
    image_id: ami-0123456789abcdef0
    vpc_subnet_id: subnet-29e63245
    ebs_optimized: true

Compliant Code Examples

- name: example4
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    image_id: ami-123456
    instance_type: t2.micro
    vpc_subnet_id: subnet-29e63245
    security_group: my_sg
    ebs_optimized: true
    network:
      assign_public_ip: false
- name: example5
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    instance_type: m5.large
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    security_group: my_sg
    network:
      assign_public_ip: false

Non-Compliant Code Examples

- name: example2
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    security_group: default
    ebs_optimized: false
    network:
      assign_public_ip: false
- name: example3
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    security_group: default
    network:
      assign_public_ip: false
- name: example
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    security_group: default
    network:
      assign_public_ip: false
- name: example t3 with ebs disabled
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    instance_type: t3.nano
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    security_group: my_sg
    ebs_optimized: false
    network:
      assign_public_ip: false
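
The rule's decision logic, applied to the tasks above, as an added example (not Datadog's rule code). The tasks are embedded as already-parsed dictionaries, and DEFAULT_OPTIMIZED_FAMILIES is an assumed, illustrative subset of default-optimized families, not the rule's actual list.

```python
# Added example: a re-implementation of the rule's logic, not Datadog's code.
MODULES = ("amazon.aws.ec2_instance", "ec2_instance")
DEFAULT_INSTANCE_TYPE = "t2.micro"  # assumed when instance_type is omitted
# Assumption: illustrative subset of families that are EBS-optimized by default.
DEFAULT_OPTIMIZED_FAMILIES = {"m5", "c5", "t3"}


def is_false(value):
    """Ansible accepts real booleans and strings such as 'no' or 'false'."""
    if isinstance(value, bool):
        return not value
    return str(value).strip().lower() in {"false", "no", "off", "0"}


def check_task(task):
    """Return a finding string for a non-compliant task, otherwise None."""
    for module in MODULES:
        args = task.get(module)
        if not isinstance(args, dict):
            continue
        itype = str(args.get("instance_type", DEFAULT_INSTANCE_TYPE))
        if "ebs_optimized" not in args:
            # Omission is acceptable only for default-optimized families.
            if itype.split(".")[0] in DEFAULT_OPTIMIZED_FAMILIES:
                return None
            return f"{task.get('name')}: ebs_optimized undefined ({itype})"
        if is_false(args["ebs_optimized"]):
            # An explicit false is reported whatever the instance type.
            return f"{task.get('name')}: ebs_optimized is false ({itype})"
    return None


def scan(tasks):
    return [finding for finding in map(check_task, tasks) if finding]


M = "amazon.aws.ec2_instance"
# Constructed sample: the page's tasks as parsed YAML, trimmed to relevant keys.
SAMPLE_TASKS = [
    {"name": "example4", M: {"instance_type": "t2.micro", "ebs_optimized": True}},
    {"name": "example5", M: {"instance_type": "m5.large"}},
    {"name": "example2", M: {"instance_type": "t2.micro", "ebs_optimized": False}},
    {"name": "example3", M: {"image_id": "ami-123456"}},
    {"name": "example t3 with ebs disabled",
     M: {"instance_type": "t3.nano", "ebs_optimized": False}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TASKS):
        print(finding)
```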