This policy is no longer being updated. The AWS Rightsize EC2 Instances policy now includes this functionality and is the recommended policy for obtaining these recommendations.
This Policy Template gathers AWS instances with inefficient utilization, using CloudWatch CPU and memory metrics averaged over a 30 day window, and downsizes them after approval.
This policy identifies all running instances reporting performance metrics to CloudWatch whose CPU or Memory utilization is below the thresholds set in the Average used memory percentage and Average used CPU percentage parameters.
The Exclusion Tag Key parameter is a string value. Supply the tag key only; tag values are not analyzed and therefore are not needed. If the exclusion tag key is present on an instance, that instance is treated as exempt from this policy.
Inefficient instances are resized to the next smaller size within the same instance class. If an instance is already the smallest size in its class, it will not be resized. Resizing only occurs after approval.
If a field shows N/A, the instance is not reporting that metric to CloudWatch. EC2 does not publish memory utilization on its own, so you will need to install the CloudWatch agent on the instance to get those metrics.
- Sends an email notification
- Downsizes instances after approval
This policy uses credentials for connecting to the cloud -- in order to apply this policy you must have a credential registered in the system that is compatible with this policy. If there are no credentials listed when you apply the policy, please contact your cloud admin and ask them to register a credential that is compatible with this policy. The information below should be consulted when creating the credential.
For administrators creating and managing credentials to use with this policy, the following information is needed:
Provider tag value to match this policy: aws, aws_sts
Required permissions in the provider. Note that ec2:StopInstances, ec2:StartInstances and ec2:ModifyInstanceAttribute are write actions on every instance in the account (Resource "*"); they are only exercised when the Downsize Instances action runs, and the condition restricts all calls to TLS.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeRegions"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
This policy has the following input parameters required when launching the policy.
- Allowed/Denied Regions - Whether to treat regions parameter as allow or deny list.
- Regions - A list of regions to allow or deny for an AWS account. If an SCP restricts regions, enter the region codes explicitly (see Available Regions in AWS); otherwise the policy may fail on regions that are disabled via SCP. Leave blank to consider all regions.
- Email addresses to notify - Email addresses of the recipients you wish to notify when new incidents are created
- Account Number - The account number for use with the AWS STS cross-account role. Leave blank when using an AWS IAM access key and secret. It only needs to be passed when the target AWS account differs from the one associated with the Flexera One credential.
- Average used memory percentage - Set to -1 to ignore memory utilization
- Average used CPU percentage - Set to -1 to ignore CPU utilization
- Exclusion Tag Key:Value - Cloud native tag key used to ignore instances. Format: Key:Value (only the key is evaluated; see above).
- Automatic Actions - When this value is set, this policy will automatically take the selected action(s).
Please note that the "Automatic Actions" parameter contains a list of action(s) that can be performed on the resources. When an action is selected, the policy executes it automatically on the resources that failed the checks, after the incident is generated. Leave it blank for manual action. For example, if a user selects the "Downsize Instances" action while applying the policy, all resources that did not satisfy the policy condition will be downsized without further approval.
To enable Windows support, add the following to the CloudWatch agent config.json and restart the CloudWatch agent:
"metrics": {
  "append_dimensions": {
    "AutoScalingGroupName": "${aws:AutoScalingGroupName}",
    "ImageId": "${aws:ImageId}",
    "InstanceId": "${aws:InstanceId}",
    "InstanceType": "${aws:InstanceType}"
  }
}
- AWS
By default, this policy calculates utilization over a 30 day period.
To calculate over a different period of time, update the policy template: wherever you see var start_date = new Date(new Date().setDate(new Date().getDate() - 30)).toISOString(); replace the 30 with the number of days you want to use.
Depending on the number of days you choose to collect metrics for, you may also need to update the Period property. For 30 days we use the value 2592000, which is 30 days in seconds; update the value wherever you see 'Period': "2592000",. For more details, see the official AWS CloudWatch API Documentation.
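The checks described on this page (the 30 day window and matching Period, the -1 "ignore" thresholds, the key-only exclusion tag, and the "next smaller size in the same class" rule) are small enough to show end to end. The following is an added illustration written for this page, not the policy template's own code: the metric values are constructed inline rather than fetched from CloudWatch, the SIZE_ORDER table is an assumed subset of AWS instance sizes, and the request/step builders only produce the parameters the template would send, they do not call AWS.

```python
"""Added example of the utilization checks described above (not the template's code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed ordering of sizes within an instance class, smallest first.
# Illustrative only; the template's own size table may differ.
SIZE_ORDER = ["nano", "micro", "small", "medium", "large", "xlarge",
              "2xlarge", "4xlarge", "8xlarge", "12xlarge", "16xlarge", "24xlarge"]

# Constructed sample inventory: CloudWatch averages already resolved.
# mem=None models the N/A case (no CloudWatch agent installed).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "InstanceType": "m5.xlarge", "Tags": {}, "cpu": 3.2, "mem": 12.0},
    {"InstanceId": "i-0bbb", "InstanceType": "t3.nano", "Tags": {}, "cpu": 1.0, "mem": None},
    {"InstanceId": "i-0ccc", "InstanceType": "c5.large", "Tags": {"do-not-resize": "1"}, "cpu": 2.0, "mem": 5.0},
    {"InstanceId": "i-0ddd", "InstanceType": "r5.2xlarge", "Tags": {}, "cpu": 60.0, "mem": 70.0},
    {"InstanceId": "i-0eee", "InstanceType": "m5.large", "Tags": {}, "cpu": 40.0, "mem": None},
]


def metric_window(days: int = 30, now: Optional[datetime] = None) -> Tuple[datetime, datetime, int]:
    """Return (start, end, period_seconds). Generalises the template's hard-coded
    30 days / 2592000: Period must equal the whole window to get one average."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    return start, end, days * 86400


def get_metric_statistics_request(instance_id: str, namespace: str, metric_name: str,
                                  days: int = 30, now: Optional[datetime] = None) -> dict:
    """Parameters for cloudwatch:GetMetricStatistics (built, not sent)."""
    start, end, period = metric_window(days, now)
    return {
        "Namespace": namespace,
        "MetricName": metric_name,
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "StartTime": start.isoformat(),
        "EndTime": end.isoformat(),
        "Period": period,
        "Statistics": ["Average"],
    }


def is_excluded(tags: Dict[str, str], exclusion_key: str) -> bool:
    """Only the tag key is checked; the tag value is never inspected."""
    return bool(exclusion_key) and exclusion_key in tags


def is_underutilized(avg_cpu: Optional[float], avg_mem: Optional[float],
                     cpu_threshold: float, mem_threshold: float) -> bool:
    """CPU *or* memory below its threshold. -1 disables a check, and a missing
    metric (None, shown as N/A in the incident) never triggers a resize."""
    cpu_low = cpu_threshold != -1 and avg_cpu is not None and avg_cpu < cpu_threshold
    mem_low = mem_threshold != -1 and avg_mem is not None and avg_mem < mem_threshold
    return cpu_low or mem_low


def next_smaller_size(instance_type: str) -> Optional[str]:
    """m5.xlarge -> m5.large. None when already the smallest size or unknown."""
    family, _, size = instance_type.partition(".")
    if size not in SIZE_ORDER or SIZE_ORDER.index(size) == 0:
        return None
    return f"{family}.{SIZE_ORDER[SIZE_ORDER.index(size) - 1]}"


def evaluate(instances: List[dict], cpu_threshold: float, mem_threshold: float,
             exclusion_key: str) -> Dict[str, Optional[str]]:
    """Map flagged InstanceId -> target type (None = already smallest, report only)."""
    flagged: Dict[str, Optional[str]] = {}
    for inst in instances:
        if is_excluded(inst["Tags"], exclusion_key):
            continue
        if is_underutilized(inst["cpu"], inst["mem"], cpu_threshold, mem_threshold):
            flagged[inst["InstanceId"]] = next_smaller_size(inst["InstanceType"])
    return flagged


def downsize_steps(instance_id: str, new_type: str) -> List[Tuple[str, dict]]:
    """The three EC2 calls a resize needs, matching the IAM actions listed above.
    Returned as (action, parameters) so they can be reviewed before approval."""
    return [
        ("ec2:StopInstances", {"InstanceIds": [instance_id]}),
        ("ec2:ModifyInstanceAttribute", {"InstanceId": instance_id, "InstanceType": {"Value": new_type}}),
        ("ec2:StartInstances", {"InstanceIds": [instance_id]}),
    ]


if __name__ == "__main__":
    plan = evaluate(SAMPLE_INSTANCES, cpu_threshold=10, mem_threshold=20, exclusion_key="do-not-resize")
    for iid, target in plan.items():
        print(iid, "->", target or "already smallest size, not resized")
        if target:
            for action, params in downsize_steps(iid, target):
                print("   ", action, params)
```

With the sample inventory and thresholds of 10% CPU / 20% memory, i-0aaa is planned for m5.large, i-0bbb is flagged but left alone because t3.nano is the smallest size, i-0ccc is skipped by its exclusion tag, and the two healthy instances are untouched; i-0eee shows that a missing memory metric does not count as low.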
This policy template does not incur any cloud costs.