@mkornatz
Last active July 23, 2020 13:46
Addressing "Unknown" AWS Resources

EC2

Discover

These steps are for a Linux instance. Similar operations can be performed on Windows, but I haven't administered Windows machines for about 10 years. So, some research is required for that.

  1. Examine the processes running on the instance:
ps aux
  2. Figure out what ports are open and listening:
netstat -tulpn
  3. Anything in the home directories of users that can point to what's going on?
cd /home
ls -lah
  4. Tail logs of running processes to determine if anything is still "chatting". Do this for an extended period of time.
tail -f /var/log/httpd/*.log
tail -f /var/log/nginx/*.log
tail -f /var/log/syslog
  5. Anything helpful in the ec2-metadata?
ec2-metadata
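The five steps above run one by one, and their output disappears from the terminal once the instance is stopped. The script below is an added example (not part of the original gist) that collects the same artifacts into one timestamped directory so they can be attached to a ticket. It assumes a Linux host; any tool that is missing (for example `ec2-metadata` on a non-EC2 machine) is recorded as missing instead of aborting the run, and the open-ended `tail -f` is bounded by `timeout` so the script finishes on its own.

```shell
#!/bin/sh
# Added example, not from the original gist: gather the discovery artifacts
# from the steps above into one directory. Assumes a Linux host.
set -u

# run_step NAME CMD...: run CMD and save stdout+stderr to $OUT/NAME.txt.
# A missing command is noted in the file rather than failing the run.
run_step() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$OUT/$name.txt" 2>&1 || true
    else
        echo "command not found: $1" >"$OUT/$name.txt"
    fi
}

# collect_triage OUTDIR [LOG_SECONDS]: populate OUTDIR and print its path.
# LOG_SECONDS bounds how long each log is watched (default 30).
collect_triage() {
    OUT="$1"
    log_seconds="${2:-30}"
    mkdir -p "$OUT"
    date -u +%Y-%m-%dT%H:%M:%SZ >"$OUT/collected_at.txt"
    run_step processes ps aux
    # ss replaces netstat on newer distributions; try it first
    if command -v ss >/dev/null 2>&1; then
        run_step listening ss -tulpn
    else
        run_step listening netstat -tulpn
    fi
    run_step home_dirs ls -lah /home
    run_step ec2_metadata ec2-metadata
    # Watch each log for a bounded time instead of an open-ended tail -f
    for f in /var/log/httpd/*.log /var/log/nginx/*.log /var/log/syslog; do
        [ -f "$f" ] || continue
        safe=$(echo "$f" | tr '/' '_')
        if command -v timeout >/dev/null 2>&1; then
            timeout "$log_seconds" tail -f "$f" >"$OUT/tail$safe.txt" 2>&1 || true
        else
            tail -n 200 "$f" >"$OUT/tail$safe.txt" 2>&1 || true
        fi
    done
    echo "$OUT"
}

# Usage on the instance: collect_triage /tmp/triage-$(hostname) 300
```

Run it as root (or with sudo) so `ps` shows every user's processes and `ss`/`netstat` can resolve the owning PID; without that, the process column in the listening-ports file is empty for other users' sockets.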

No SSH Access to the Instance?

In this case, you'll need to use a different approach to see what's on the instance. The easiest method is to take a snapshot of the EBS volume for the machine, create a new EBS volume from the snapshot, and then mount this new volume to an instance to which you do have access.

The solution shown in this Stackoverflow article gives good examples and info on attaching an EBS volume to an EC2 instance.
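The snapshot, new-volume, attach and mount sequence described above, as an added example that is not part of the original gist or the linked Stack Overflow answer. It assumes you already know the source volume id (`vol-...`), the id of a helper instance you can log in to (`i-...`) and that instance's availability zone; the new volume must be created in the same zone. With `DRY_RUN=1` it prints the AWS commands instead of calling them, which is useful for reviewing the plan before touching the account.

```shell
#!/bin/sh
# Added example, not from the original gist: copy the unreachable instance's
# EBS volume and attach the copy to an instance you can log in to.
# Assumed inputs: source volume id, helper instance id, helper's AZ.
# DRY_RUN=1 prints the AWS commands on stderr and returns placeholder ids.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*" >&2
        echo "dry-run-id"   # stands in for the id the real call would return
    else
        "$@"
    fi
}

# clone_and_attach SOURCE_VOLUME HELPER_INSTANCE AZ [DEVICE]
# Prints the id of the new volume once it is attached to the helper.
clone_and_attach() {
    src_vol="$1"; helper="$2"; az="$3"; device="${4:-/dev/sdf}"
    snap=$(run aws ec2 create-snapshot --volume-id "$src_vol" \
        --description "triage copy of $src_vol" \
        --query SnapshotId --output text)
    run aws ec2 wait snapshot-completed --snapshot-ids "$snap" >/dev/null
    # the new volume has to live in the same AZ as the helper instance
    new_vol=$(run aws ec2 create-volume --snapshot-id "$snap" \
        --availability-zone "$az" --query VolumeId --output text)
    run aws ec2 wait volume-available --volume-ids "$new_vol" >/dev/null
    run aws ec2 attach-volume --volume-id "$new_vol" \
        --instance-id "$helper" --device "$device" >/dev/null
    run aws ec2 wait volume-in-use --volume-ids "$new_vol" >/dev/null
    echo "$new_vol"
}

# mount_readonly DEVICE [MOUNTPOINT]: run on the helper instance after the
# attach. ro keeps the copy unmodified; noexec,nosuid,nodev keep anything
# on the unknown disk from being executed on the helper.
mount_readonly() {
    dev="$1"; mnt="${2:-/mnt/unknown}"
    run sudo mkdir -p "$mnt" >/dev/null
    run sudo mount -o ro,noexec,nosuid,nodev "$dev" "$mnt" >/dev/null
}

# Usage from your workstation, then on the helper instance:
#   clone_and_attach vol-0123456789abcdef0 i-0123456789abcdef0 us-east-1a
#   mount_readonly /dev/xvdf1 /mnt/unknown
```

The device name you pass to `attach-volume` (`/dev/sdf`) is not necessarily what the helper's kernel exposes: older instance types show it as `/dev/xvdf`, Nitro instances as `/dev/nvme1n1`, and you normally mount a partition (`/dev/xvdf1`, `/dev/nvme1n1p1`) rather than the whole disk; run `lsblk` on the helper to find it. Mounting read-only matters if the instance turns out to have been compromised, since a writable mount changes access times and can overwrite evidence you may later want.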

Document

  • Add an Applications tag to the resource and list all business-focused applications. For example, don’t use “nginx” but rather “Checkins”.
  • Update the Name and/or Description tag with a meaningful name

Resolve

  • Manually archive any potentially valuable data to long-term storage (NAS, S3, Dropbox, etc.)
  • Snapshot the EBS volume
  • Stop the instance and wait for someone to complain

S3

Discover

  • Use the S3 web console to view all buckets.
  • Browse the buckets and view the data, making notes about what tools could be using the data
  • Use CloudTrail to view events related to the bucket (which IAM users are accessing the bucket)
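For the CloudTrail step, the console shows events one at a time; to answer "which IAM users are accessing the bucket" it is quicker to pull the event history with the CLI and count by principal. The functions below are an added example, not part of the original gist. They assume the events have been saved as text lines of `EventTime EventName Username` using the `aws cloudtrail lookup-events` query shown in the comment; the sample data in `write_sample_events` is constructed, with made-up user names and times.

```shell
#!/bin/sh
# Added example, not from the original gist: summarise CloudTrail event
# history for a bucket by principal. Expects one event per line as
# "EventTime EventName Username", which this query produces (BUCKET is
# the bucket name):
#   aws cloudtrail lookup-events \
#     --lookup-attributes AttributeKey=ResourceName,AttributeValue="$BUCKET" \
#     --query 'Events[*].[EventTime,EventName,Username]' --output text > events.txt
set -u

# principals FILE: distinct user names that touched the bucket
principals() {
    awk 'NF >= 3 { print $3 }' "$1" | sort -u
}

# summarize_access FILE: "count user event" lines, busiest pair first
summarize_access() {
    awk 'NF >= 3 { n[$3 " " $2]++ } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# write_sample_events FILE: constructed sample (made-up names and times) in
# the same shape as the text output above, so the functions run offline.
write_sample_events() {
    cat > "$1" <<'EOF'
2020-07-20T10:01:00Z	GetBucketAcl	deploy-bot
2020-07-20T10:02:00Z	GetBucketAcl	deploy-bot
2020-07-20T11:30:00Z	PutBucketTagging	alice
2020-07-21T09:00:00Z	GetBucketLocation	deploy-bot
2020-07-21T09:05:00Z	GetBucketAcl	alice
EOF
}

# Usage: write_sample_events events.txt; principals events.txt; summarize_access events.txt
```

One caveat when reading the result: `lookup-events` returns management events (bucket-level calls such as `GetBucketAcl` or `PutBucketPolicy`) from the last 90 days only. Object reads and writes (`GetObject`, `PutObject`) are data events; they are not returned by `lookup-events` and are only recorded at all if a trail has S3 data events enabled for the bucket. If the summary shows nobody touching the bucket, check whether data events or S3 server access logging are configured before concluding that it is unused.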

Document

You could keep your notes about what is in the bucket in a README in the bucket itself! Then you'll know where they are, and so will other people.

Resolve

  1. Disable all access to the bucket
  2. Archive the data from the bucket to long-term storage (another S3 bucket, NAS, etc.)
  3. Delete the bucket after a month or two of no use

Security Groups

Discover

Get a list of all security groups:

aws ec2 describe-security-groups --query 'SecurityGroups[*].GroupId'  --output text | tr '\t' '\n'

Get all security groups tied to instances:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text | tr '\t' '\n' | sort | uniq

Get all security groups tied to RDS:

aws rds describe-db-security-groups --query 'DBSecurityGroups[*].EC2SecurityGroups[*].EC2SecurityGroupId' --output text | tr '\t' '\n' | sort | uniq

Compare the first list (all security groups) to the other output. From this, you can determine which security groups are unused.

If you want to find information about a particular security group (replace <sec-group-id> with the id of the security group):

aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sec-group-id> --region us-east-1 --output json --query 'NetworkInterfaces[*].[NetworkInterfaceId,Description,PrivateIpAddress,VpcId]'
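The comparison described above, as an added example that is not part of the original gist. Rather than diffing the instance and RDS lists by hand, it treats a group as in use if any network interface references it, which also catches groups attached to load balancers, Lambda functions, ElastiCache clusters and other services the two queries above do not cover. It also sidesteps a limitation of `describe-db-security-groups`, which only lists the legacy DB security groups; an RDS instance inside a VPC uses ordinary VPC security groups that show up under `describe-db-instances` (and on the instance's network interfaces). The `unused_groups` function works on two sorted files so it can be exercised offline; the ids in `write_sample` are made up.

```shell
#!/bin/sh
# Added example, not from the original gist: find security groups that no
# network interface references. The aws calls need credentials and a
# region; unused_groups and write_sample work offline.
set -u

# all_groups: every group id in the region, one per line, sorted.
# The default group of each VPC is excluded because it cannot be deleted.
all_groups() {
    aws ec2 describe-security-groups \
        --query 'SecurityGroups[?GroupName!=`default`].GroupId' \
        --output text | tr '\t' '\n' | sort -u
}

# used_groups: every group referenced by some network interface, whatever
# owns the interface (EC2, RDS, ELB, Lambda, ElastiCache, ...).
used_groups() {
    aws ec2 describe-network-interfaces \
        --query 'NetworkInterfaces[*].Groups[*].GroupId' \
        --output text | tr '\t' '\n' | sort -u
}

# unused_groups ALL_FILE USED_FILE: ids in ALL_FILE that are not in USED_FILE.
# Both files must be sorted one id per line, as the functions above produce.
unused_groups() {
    comm -23 "$1" "$2"
}

# write_sample DIR: constructed sample lists (ids are made up) so the
# comparison can be run without an AWS account.
write_sample() {
    printf 'sg-0a1b2c\nsg-0d4e5f\nsg-0f6a7b\nsg-0c8d9e\n' | sort -u > "$1/all.txt"
    printf 'sg-0d4e5f\nsg-0a1b2c\n' | sort -u > "$1/used.txt"
}

# Usage against a real account:
#   all_groups > all.txt; used_groups > used.txt; unused_groups all.txt used.txt
```

Two things to check before acting on the list: a group that is unattached can still be referenced from another group's rules (a `Name=ip-permission.group-id` filter on `describe-security-groups` shows those), and `DeleteSecurityGroup` refuses to remove a group that is still referenced, so such groups surface as errors rather than being deleted silently.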

Resolve

  • Unused security groups should be deleted