Delete unused Amazon Elastic Block Store (Amazon EBS) volumes by using AWS Config and AWS Systems Manager - AWS Prescriptive Guidance
SummaryPrerequisites and limitationsArchitectureToolsEpicsTroubleshootingRelated resources

Delete unused Amazon Elastic Block Store (Amazon EBS) volumes by using AWS Config and AWS Systems Manager

Created by Sankar Sangubotla (AWS)

Environment: PoC or pilot

Technologies: Security, identity, compliance; Management & governance; Cost management

AWS services: AWS Config; AWS Systems Manager

Summary

The lifecycle of an Amazon Elastic Block Store (Amazon EBS) volume is typically independent from the lifecycle of the Amazon Elastic Compute Cloud (Amazon EC2) instance to which it is attached. Unless you select Delete on Termination option at the time of launch, terminating the EC2 instance detaches the EBS volume but doesn’t delete it. Especially in development and testing environments where it’s common to launch and terminate EC2 instances, this can result in a large number of unutilized EBS volumes. EBS volumes accrue charges in your Amazon Web Services (AWS) account, regardless of whether they’re being used. Deleting these volumes can help you optimize costs for your AWS accounts. In addition, deleting unused EBS volumes is a security best practice to prevent access to any unused, potentially sensitive, data in those volumes.

AWS Config can help you manually or automatically remediate noncompliant resources. This pattern describes how to configure an AWS Config rule and automatic remediation action that deletes unused Amazon EBS volumes in the account. The remediation action is a predefined runbook for Automation, a capability of AWS Systems Manager. You can configure the runbook to create a snapshot of the volume before deleting it.

Prerequisites and limitations

Prerequisites

  • An active AWS account.

  • AWS Identity and Access Management (IAM) permissions to run the AWSConfigRemediation-DeleteUnusedEBSVolume runbook for Automation, a capability of AWS Systems Manager. For more information, see Required IAM permissions in AWSConfigRemediation-DeleteUnusedEBSVolume.

  • One or more unused Amazon EBS volumes.

Limitations

  • The unused Amazon EBS volumes must be in the available state.

Architecture

Technology stack

  • AWS Config

  • Amazon EBS

  • Systems Manager

  • Systems Manager Automation

Target architecture

AWS Config starts a Systems Manager automation that deletes unused EBS volumes.

  1. The AWS Config rule evaluates the EBS volumes.

  2. The rule returns a list of compliant and noncompliant resources. EBS volumes that are in the available state, which are unused volumes, are determined to be noncompliant.

  3. AWS Config automatically starts the Automation runbook.

  4. If configured, Systems Manager creates snapshots of the unused volumes before deleting them.

  5. Systems Manager deletes the unused EBS volumes.

Automation and scale

You can apply this solution across all accounts in your organization. For more information, see Managing rules across all accounts in your organization in the AWS Config documentation.

Tools

  • AWS Config provides a detailed view of the resources in your AWS account and how they’re configured. It helps you identify how resources are related to one another and how their configurations have changed over time.

  • AWS Systems Manager helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale.

  • AWS Systems Manager Automation simplifies common maintenance, deployment, and remediation tasks for many AWS services.

Epics

TaskDescriptionSkills required

Create a role for the Automation runbook.

Create a role called AssumeRole. Systems Manager Automation uses this role to run the runbook. For instructions, see Configuring a service role (assume role) access for automations in the Systems Manager documentation.

AWS systems administrator

Turn on the AWS Config recorder.

Follow the instructions in Setting Up AWS Config with the Console in the AWS Config documentation to make sure that AWS Config is running and it is configured to record Amazon EBS volumes.

AWS systems administrator

Run the rule.

  1. Follow the instructions in Evaluating your resources in the AWS Config documentation to run the ec2-volume-inuse-check rule. Wait for the evaluation to complete.

  2. On the Rules page, select the ec2-volume-inuse-check rule, and then for Resources in scope, choose Noncompliant.

  3. Confirm that there are one or more unused Amazon EBS volumes in the evaluation results.

AWS systems administrator
TaskDescriptionSkills required

Add the automatic remediation action.

  1. On the Rules page, select the ec2-volume-inuse-check rule.

  2. Follow the instructions in Setting up automatic remediation in the AWS Config documentation. Note the following:

  3. In the Remediation action details section, choose AWSConfigRemediation-DeleteUnusedEBSVolume.

    • Select Resource ID parameter, and then in the list, choose VolumeId. At runtime, this parameter is substituted with the ID of the noncompliant EBS volume.

    • In the Parameters section, provide values for the following parameters:

      • CreateSnapshot – (Optional) If set to true, the automation creates a snapshot of the EBS volume before it’s deleted.

      • AutomationAssumeRole – Enter the Amazon Resource Name (ARN) of the AssumeRole service role that you created previously.

AWS systems administrator

Test the automatic remediation for the AWS Config rule.

  1. In the AWS Config Console, on the Rules page, select the ec2-volume-inuse-check rule.

  2. In the Actions menu, choose Re-evaluate.

  3. Allow the rule to evaluate the non-compliant resources, and then confirm that the unused Amazon EBS volumes are deleted.

AWS systems administrator

Troubleshooting

IssueSolution

AWS Config doesn’t accurately reflect the resource state.

Sometimes, AWS Config doesn’t update the state of the resources. Turn the recorder off and then turn it back on again on the AWS Config Settings page. The recorder captures the state of the resources. For newly created or deleted resources, it might take some time for the recorder to reflect the current state. For more information about EBS volume states, see Volume state in the Amazon EC2 documentation.

Related resources