Compliance · Medium severity

AWS Security Hub · EC2

EC2.24: Paravirtual instance types should not be used

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EC2.24 check?

EC2.24 flags any instance whose virtualizationType is paravirtual (PV) rather than hardware virtual machine (HVM). The virtualization type is read from describe-instances; it is baked into the AMI and the instance at launch and cannot be changed.

Why does EC2.24 matter?

PV is the legacy Xen virtualization mode that predates CPU hardware extensions. AWS's own guidance is that it no longer wins on performance, and a PV instance cannot use enhanced networking, SR-IOV, NVMe storage, GPUs, or the Nitro hypervisor — it is stuck on a shrinking pool of old families (m1, m3, c1, t1). The longer it runs, the more likely it becomes a forced, urgent migration when AWS retires the family.

How do I fix EC2.24?

  1. Inventory every paravirtual instance across regions with its InstanceType, source AMI, and owner tag.
  2. Pick a current-generation HVM target family (m1/m3 to m6i/m7i, c1/c3 to c6i/c7i, t1 to t3/t4g) and the right replacement size.
  3. Snapshot data volumes for rollback, rebuild the workload on an HVM AMI on the new family — ideally by re-running your IaC — validate, then cut over.
  4. Add an SCP or IAM condition denying RunInstances on PV-capable families and an AWS Config rule to keep the audit clean.
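The inventory in step 1 and the guardrail in step 4 can both be scripted against the same describe-instances data that EC2.24 itself reads. The following is an added example, not Emnode's or AWS's code: `find_paravirtual` applies the control's check (VirtualizationType equal to `paravirtual`) to a standard boto3 `describe_instances` response and emits one row per instance with type, source AMI and owner tag; `pv_deny_policy` builds the SCP/IAM deny statement on the `ec2:InstanceType` condition key for the PV-capable families named above; `live_inventory` runs the same logic across every region with the API-side `virtualization-type` filter. The sample response, the `Owner` tag name and the choice to skip terminated instances are assumptions of this example, not facts from the page.

```python
"""Inventory paravirtual (PV) EC2 instances and build a RunInstances guardrail.

Added example for the EC2.24 remediation steps; not Emnode's or AWS's code.
Assumptions (not from the page): the standard boto3 describe_instances response
shape, an owner tag named "Owner", and the ec2:InstanceType condition key,
which RunInstances evaluates on the instance resource.
"""
import json

# PV-capable families named in the remediation steps; used for the step-4 deny rule.
PV_FAMILIES = ("m1", "m3", "c1", "t1")


def find_paravirtual(reservations, region, owner_tag="Owner"):
    """Return one inventory row per PV instance in a describe_instances 'Reservations' list.

    The check mirrors EC2.24: an instance fails when VirtualizationType is
    'paravirtual'. Terminated instances are skipped here (an assumption of this
    example) because there is nothing left to migrate.
    """
    rows = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("VirtualizationType") != "paravirtual":
                continue
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            rows.append({
                "Region": region,
                "InstanceId": inst["InstanceId"],
                "InstanceType": inst.get("InstanceType"),
                "ImageId": inst.get("ImageId"),
                owner_tag: tags.get(owner_tag, "<untagged>"),
            })
    return rows


def pv_deny_policy(families=PV_FAMILIES):
    """Build a policy document denying RunInstances on PV-capable families.

    Matching on the family prefix ('m1.*') keeps the list short and also blocks
    sizes that are added later; attach it as an SCP or as an IAM deny.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyParavirtualFamilies",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:InstanceType": [f"{fam}.*" for fam in families]
                }
            },
        }],
    }


def live_inventory(regions=None):
    """Query every region with the API-side filter; needs boto3 and credentials."""
    import boto3  # imported here so the pure functions above run without it
    if regions is None:
        regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    rows = []
    for region in regions:
        paginator = boto3.client("ec2", region_name=region).get_paginator("describe_instances")
        for page in paginator.paginate(
            Filters=[{"Name": "virtualization-type", "Values": ["paravirtual"]}]
        ):
            rows.extend(find_paravirtual(page["Reservations"], region))
    return rows


# Constructed sample response: a running PV instance, an HVM instance, a terminated PV one.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "InstanceType": "m1.small",
         "ImageId": "ami-0aaaaaaaaaaaaaaa1", "VirtualizationType": "paravirtual",
         "State": {"Name": "running"}, "Tags": [{"Key": "Owner", "Value": "billing"}]},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "InstanceType": "m6i.large",
         "ImageId": "ami-0bbbbbbbbbbbbbbb2", "VirtualizationType": "hvm",
         "State": {"Name": "running"}, "Tags": []},
        {"InstanceId": "i-0ccccccccccccccc3", "InstanceType": "c1.medium",
         "ImageId": "ami-0ccccccccccccccc3", "VirtualizationType": "paravirtual",
         "State": {"Name": "terminated"}},
    ]},
]

if __name__ == "__main__":
    for row in find_paravirtual(SAMPLE_RESERVATIONS, "us-east-1"):
        print(row)
    print(json.dumps(pv_deny_policy(), indent=2))
```

Run the module as-is to see the inventory rows for the constructed sample and the generated deny statement; swap in `live_inventory()` once credentials are in place. Because the policy denies only the PV-capable families rather than checking the AMI, it stops new PV launches without touching the HVM migration targets listed in step 2.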

Remediation script · bash

# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29

Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.

Is EC2.24 a false positive?

There is no in-place fix or resize across the PV/HVM boundary — a PV AMI will not launch on an HVM-only family. Every remediation is a rebuild and data migration, so this control cannot be cleared with a configuration tweak.

Part of the learning path Build in resilience
  • EC2.1 An EBS snapshot is publicly restorable by any account
  • EC2.2 Default security groups still allow traffic
  • EC2.3 Attached EBS volumes are not encrypted at rest
  • EC2.4 Long-stopped instances are abandoned attack surface
  • EC2.6 No VPC flow logs, so there is no network audit trail
  • EC2.7 New EBS volumes are not encrypted by default
  • EC2.8 IMDSv1 lets an SSRF steal instance credentials
  • EC2.9 Instances are directly reachable on public IPv4
  • EC2.10 EC2 API traffic leaves the VPC over the internet
  • EC2.13 SSH (port 22) is open to the entire internet
  • EC2.14 RDP (port 3389) is open to the entire internet
  • EC2.15 Subnets auto-assign public IPs to new instances