🛡️ AWS EC2 Instance uses paravirtual Virtualization Type🟢
- Contextual name: 🛡️ Instance uses paravirtual Virtualization Type🟢
- ID:
/ce/ca/aws/ec2/instance-legacy-virtualization-type - Tags:
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
RELIABILITY,PERFORMANCE
Logic
Description
Description
Ensure that AWS EC2 instances are not configured with the legacy paravirtual (PV) virtualization type. Hardware Virtual Machine (HVM) is the current standard and provides significant performance and compatibility advantages.
Rational
HVM AMIs offer full hardware virtualization, allowing guest operating systems to run as if they were on native hardware. This reduces overhead, improves efficiency, and delivers superior performance. Additionally, many modern EC2 instance families and AWS features, such as Enhanced Networking and GPU support, are only available with HVM AMIs.
Impact
Instances running on PV virtualization may experience degraded performance compared to HVM-based instances. They are also ineligible for migration to newer, more cost-efficient instance families, which can lead to increased operational costs and prevent adoption of the latest AWS capabilities.
Migrating from PV to HVM requires creating new instances from HVM-based AMIs, which involves downtime and a planned migration effort.
... see more
Remediation
Remediation
If an instance was launched from a PV AMI, it cannot be directly changed to an HVM-only instance type. Migration to a new instance based on an HVM AMI is required.
Migration Process Overview
- Backup critical data from the original instance.
- Create a new instance using an HVM-compatible AMI that supports the desired instance type, and attach any EBS volumes that were attached to your original instance.
- Install your application on your new instance.
- Restore any data.
- If the original instance has an Elastic IP address, you must associate it with your new instance to ensure that your users can continue to use your application without interruption.
Data Preservation Considerations
- Instance Store Volumes
- Data stored on instance store volumes is lost when the instance is stopped or terminated.
- To retain this data, copy it to persistent storage before decommissioning the PV instance.
- Amazon EBS Volumes
- Amazon EC2 uses the
DeleteOnTerminationattribute to determine whether to delete or retain EBS volumes attached to the instance.... see more
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.24] Amazon EC2 paravirtual instance types should not be used | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 Infrastructure Modernization | 15 | no data | |||
| 💼 Cloudaware Framework → 💼 Workload Efficiency | 24 | no data | |||
| 💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3 | 1 | 28 | no data | |
| 💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 16 | no data | |||
| 💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 27 | no data | |||
| 💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3 | 28 | no data | ||
| 💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 16 | no data | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 7 | 27 | no data | ||
| 💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | 16 | no data |