EC2 not EBS optimized

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > EC2 not EBS optimized

Metadata

Id: cloudformation-aws-ec2-not-ebs-optimized

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Best Practices

Learn More

Provider Reference

Description

EC2 instances should be EBS-optimized to ensure dedicated throughput and reduced I/O contention between instance network traffic and Amazon EBS volumes. This improves disk performance, lowers latency spikes, and helps maintain application availability under load.

For AWS::EC2::Instance resources, the Properties.EbsOptimized property must be defined and set to true for instance types that are not EBS-optimized by default. Resources missing EbsOptimized or with EbsOptimized set to false will be flagged. Instance types that are EBS-optimized by default are exempt.

Note: If InstanceType is omitted, CloudFormation defaults to m1.small, which is not EBS-optimized by default and should have EbsOptimized set to true explicitly set.

Secure configuration example:

MyInstance:
  Type: AWS::EC2::Instance
  Properties:
    InstanceType: m5.large
    EbsOptimized: true

Compliant Code Examples

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      BlockDeviceMappings:
        - DeviceName: "/dev/sdm"
          Ebs:
            VolumeType: "io1"
            Iops: "200"
            DeleteOnTermination: "false"
            VolumeSize: "20"
        - DeviceName: "/dev/sdk"
          NoDevice: {}
      EbsOptimized: true

{
  "Resources": {
    "MyEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "KeyName": "testkey",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/sdm",
            "Ebs": {
              "VolumeType": "io1",
              "Iops": "200",
              "DeleteOnTermination": "false",
              "VolumeSize": "20"
            }
          },
          {
            "DeviceName": "/dev/sdk",
            "NoDevice": {}
          }
        ],
        "EbsOptimized": true
      }
    }
  }
}

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.nano
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      BlockDeviceMappings:
        - DeviceName: "/dev/sdm"
          Ebs:
            VolumeType: "io1"
            Iops: "200"
            DeleteOnTermination: "false"
            VolumeSize: "20"
        - DeviceName: "/dev/sdk"
          NoDevice: {}

Non-Compliant Code Examples

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      BlockDeviceMappings:
        - DeviceName: "/dev/sdm"
          Ebs:
            VolumeType: "io1"
            Iops: "200"
            DeleteOnTermination: "false"
            VolumeSize: "20"
        - DeviceName: "/dev/sdk"
          NoDevice: {}

{
  "Resources": {
    "MyEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-79fd7eee",
        "KeyName": "testkey",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/sdm",
            "Ebs": {
              "VolumeType": "io1",
              "Iops": "200",
              "DeleteOnTermination": "false",
              "VolumeSize": "20"
            }
          },
          {
            "DeviceName": "/dev/sdk",
            "NoDevice": {}
          }
        ]
      }
    }
  }
}

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      BlockDeviceMappings:
        - DeviceName: "/dev/sdm"
          Ebs:
            VolumeType: "io1"
            Iops: "200"
            DeleteOnTermination: "false"
            VolumeSize: "20"
        - DeviceName: "/dev/sdk"
          NoDevice: {}
      EbsOptimized: false