v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 24 Paravirtual EC2 instance types should not be used

Description

This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual.

Linux Amazon Machine Images (AMIs) use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.

Historically, PV guests had better performance than HVM guests in many cases, but because of enhancements in HVM virtualization and the availability of PV drivers for HVM AMIs, this is no longer true. For more information, see Linux AMI virtualization types in the Amazon EC2 User Guide for Linux Instances.

Remediation

For information about how to update an EC2 instance to a new instance type, see Change the instance type in the Amazon EC2 User Guide for Linux Instances.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_24

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_24 --share

SQL

This control uses a named query:

ec2_instance_virtualization_type_no_paravirtual

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = vulnerability_patch_and_version_management
foundational_security_item_id = ec2_24
plugin = aws
service = AWS/EC2