Overview

A Config rule that checks whether EC2 instances have the specified tenancy. The rule's tenancy parameter (DEFAULT, DEDICATED or HOST) is required; without it the rule has nothing to compare against. Optionally specify AMI IDs to check only instances launched from those AMIs, or Dedicated Host IDs to check whether instances are launched on those hosts. Separate multiple ID values with commas.

This config rule supports auto-remediation actions using SSM Automation triggered by CloudWatch Events (now EventBridge). The following actions are supported:

  • Stop Instance: Non-compliant instances are stopped. This is reversible and is the safer default.
  • Terminate Instance: Non-compliant instances are terminated. Termination is irreversible (the root EBS volume is deleted by default and instance-store data is lost), so select this option only when you are certain it cannot destroy resources you still need.

In addition to an action, an SNS topic can be added to send a custom message when a non-compliant resource is detected. Make sure to replace the default address email@example.com with a real recipient, and confirm the subscription before relying on the alert.
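The remediation and notification described above, as an added CloudFormation example that is not the site's template: it wires the desired-instance-tenancy rule to an SSM Automation runbook through AWS Config's own RemediationConfiguration (a native alternative to the CloudWatch Events trigger the page mentions) and raises an SNS alert from the Config compliance-change event. The runbook names AWS-StopEC2Instance and AWS-TerminateEC2Instance, the RESOURCE_ID binding and the event fields are the AWS-documented ones; the resource names, IAM policy, retry settings and message text are assumptions. It assumes the rule named desired-instance-tenancy already exists in the account.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Auto-remediate and notify for the desired-instance-tenancy rule (added example)
Parameters:
  NotificationEmail:
    Type: String
    Description: Recipient for non-compliance alerts (no default, so a placeholder cannot be deployed)
  RemediationDocument:
    Type: String
    Default: AWS-StopEC2Instance
    AllowedValues: [AWS-StopEC2Instance, AWS-TerminateEC2Instance]
    Description: Stop is reversible; Terminate destroys the instance and its instance-store data
Resources:
  AlertTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref NotificationEmail
  AlertTopicPolicy:
    # EventBridge must be explicitly allowed to publish to the topic.
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      Topics: [!Ref AlertTopic]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: 'sns:Publish'
            Resource: !Ref AlertTopic
  RemediationRole:
    # Assumed by SSM Automation when it runs the document. Role name and
    # policy are assumptions; scoped to the two supported actions only.
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: stop-or-terminate-ec2
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeInstanceStatus'
                  - 'ec2:StopInstances'
                  - 'ec2:TerminateInstances'
                Resource: '*'
  TenancyRemediation:
    # Config passes the non-compliant instance ID into the runbook's InstanceId input.
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: desired-instance-tenancy
      TargetType: SSM_DOCUMENT
      TargetId: !Ref RemediationDocument
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values: [!GetAtt RemediationRole.Arn]
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
  NonCompliantInstanceAlert:
    # Fires on every transition of the rule to NON_COMPLIANT and publishes a
    # custom message that names the offending instance.
    Type: 'AWS::Events::Rule'
    Properties:
      EventPattern:
        source: [aws.config]
        detail-type: ['Config Rules Compliance Change']
        detail:
          configRuleName: [desired-instance-tenancy]
          newEvaluationResult:
            complianceType: [NON_COMPLIANT]
      Targets:
        - Id: notify-by-sns
          Arn: !Ref AlertTopic
          InputTransformer:
            InputPathsMap:
              instance: '$.detail.resourceId'
            InputTemplate: '"EC2 instance <instance> violates desired-instance-tenancy; automatic remediation has been requested."'
```

Leave RemediationDocument at AWS-StopEC2Instance unless termination is what the policy genuinely demands, and test the stack against a deliberately non-compliant throwaway instance before enabling it account-wide. Narrowing the ec2:* Resource to tagged instances (for example with an ec2:ResourceTag condition) is a sensible hardening step once the tagging convention is known.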

Configuration Templates

AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS Config managed rule DESIRED_INSTANCE_TENANCY for EC2 instances'
Parameters:
  # The rule's tenancy input is required; the original template left it unset.
  Tenancy:
    Type: String
    AllowedValues: [DEFAULT, DEDICATED, HOST]
    Description: Desired tenancy of the instances.
  ImageId:
    Type: String
    Default: ''
    Description: Optional comma-separated AMI IDs; restricts the check to instances launched from them.
  HostId:
    Type: String
    Default: ''
    Description: Optional comma-separated Dedicated Host IDs to check instances against.
Conditions:
  HasImageId: !Not [!Equals [!Ref ImageId, '']]
  HasHostId: !Not [!Equals [!Ref HostId, '']]
Resources:
  ConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: desired-instance-tenancy
      Description: >-
        A config rule that checks instances for specified tenancy. Specify AMI
        IDs to check instances that are launched from those AMIs or specify host
        IDs to check whether instances are launched on those Dedicated Hosts.
        Separate multiple ID values with commas.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::Instance'
      Source:
        Owner: AWS
        SourceIdentifier: DESIRED_INSTANCE_TENANCY
      InputParameters:
        tenancy: !Ref Tenancy
        # Optional inputs are omitted entirely when left blank.
        imageId: !If [HasImageId, !Ref ImageId, !Ref 'AWS::NoValue']
        hostId: !If [HasHostId, !Ref HostId, !Ref 'AWS::NoValue']
Metadata: {}

Actions

No remediation action is preselected for this template. The supported actions are the Stop Instance and Terminate Instance SSM Automation actions and the optional SNS notification described in the Overview.

Rule Parameters

tenancy *   The desired tenancy of the instances: DEFAULT, DEDICATED or HOST.
imageId     Optional. Comma-separated AMI IDs; only instances launched from these AMIs are checked.
hostId      Optional. Comma-separated Dedicated Host IDs; checks whether instances are launched on these hosts.

* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: