For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-ec2-not-ebs-optimized.md. A documentation index is available at /llms.txt.

EC2 instance is not EBS optimized

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-ec2-not-ebs-optimized

Provider: AWS

Platform: Ansible

Severity: Low

Category: Best Practices

Learn More

Description

EC2 instances must be EBS-optimized to ensure consistent, high-performance EBS I/O and reduce contention between EBS traffic and other instance operations.

For Ansible EC2 tasks using the amazon.aws.ec2_instance or ec2_instance module, the ebs_optimized property must be defined and set to true for instance types that are not EBS-optimized by default. If instance_type is omitted, the default t2.micro is assumed. Instance types that are EBS-optimized by default are exempt and are not flagged. Tasks missing the ebs_optimized property or with ebs_optimized: false are reported.

Secure configuration example:

- name: Launch EBS-optimized EC2
  amazon.aws.ec2_instance:
    name: my-instance
    instance_type: m5.large
    image_id: ami-0123456789abcdef0
    vpc_subnet_id: subnet-29e63245
    ebs_optimized: true

Compliant Code Examples

- name: Launch with ebs_optimized true
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    ebs_optimized: true
    network:
      assign_public_ip: false

- name: Launch instance type EBS-optimized by default
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    instance_type: m5.large
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    network:
      assign_public_ip: false

- name: Launch with ebs_optimized false
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    instance_type: m5.large
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    ebs_optimized: false
    network:
      assign_public_ip: false

Non-Compliant Code Examples

- name: Launch t2.micro without ebs_optimized
  amazon.aws.ec2_instance:
    name: app-server
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    network:
      assign_public_ip: false

- name: Launch t2.micro with ebs_optimized false
  amazon.aws.ec2_instance:
    name: app-server-2
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    ebs_optimized: false
    network:
      assign_public_ip: false

- name: Launch instance default type without ebs_optimized
  amazon.aws.ec2_instance:
    name: app-server-3
    key_name: mykey
    image_id: ami-123456
    vpc_subnet_id: subnet-29e63245
    network:
      assign_public_ip: false