Compliance · Medium severity

AWS Security Hub · EC2

EC2.4: Long-stopped instances are abandoned attack surface

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EC2.4 check?

EC2.4 fails for any EC2 instance that has been in the stopped state longer than the allowed threshold — 30 days by default. It is backed by the AWS Config rule ec2-stopped-instance, which reads the timestamp embedded in StateTransitionReason and compares it against the AllowedDays parameter.

Why does EC2.4 matter?

A long-stopped instance is a frozen attack surface: it has missed every OS and package patch, its baked-in credentials and SSH keys may be stale, and orchestration tooling can restart it without a human decision — putting an unpatched, unmonitored host back on the network. It is also a quiet cost, since the attached EBS volumes keep billing while the instance does nothing.

How do I fix EC2.4?

  1. List stopped instances with their LaunchTime, StateTransitionReason, and owner tags, then classify each as intentionally held or abandoned.
  2. Snapshot every attached volume with create-snapshots before anything destructive, tagged so the data is recoverable.
  3. Deregister any AMIs derived from the instance, then terminate it so the EBS billing stops and the finding clears.
  4. Tune the AWS Config rule's AllowedDays and add a tagging policy with ExpiresAt so the queue cannot refill.
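Step 1's classification comes down to the same comparison the control itself makes: the stop timestamp embedded in StateTransitionReason measured against AllowedDays. The Python below is an added example, not Emnode's tooling and not the source of the ec2-stopped-instance rule. It walks the Reservations → Instances structure that describe-instances returns, computes the days stopped exactly as the check does, and then separates instances held under the ExpiresAt tag from step 4 from abandoned ones. The reservation data, instance IDs, the ExpiresAt handling and the verdict labels are constructed for this example.

```python
"""Reproduce the EC2.4 comparison over describe-instances output and triage the results.

Added example; the input below is constructed inline so it runs offline.
"""
import re
from datetime import datetime, timezone
from typing import Optional

ALLOWED_DAYS = 30  # AWS Config ec2-stopped-instance AllowedDays, default value

# A stopped instance carries a reason such as "User initiated (2024-01-05 08:00:00 GMT)".
_REASON_TS = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")


def stopped_since(reason: str) -> Optional[datetime]:
    """UTC timestamp embedded in StateTransitionReason, or None if absent."""
    m = _REASON_TS.search(reason or "")
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def days_stopped(instance: dict, now: datetime) -> Optional[int]:
    """Whole days in the stopped state, as the Config rule measures it; None if unknown."""
    if instance["State"]["Name"] != "stopped":
        return None
    since = stopped_since(instance.get("StateTransitionReason", ""))
    return None if since is None else (now - since).days


def tag_value(instance: dict, key: str) -> Optional[str]:
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), None)


def parse_expires(value: str) -> Optional[datetime]:
    """ISO-8601 ExpiresAt tag -> aware UTC datetime; malformed values return None."""
    try:
        exp = datetime.fromisoformat(value)
    except ValueError:
        return None
    return exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)


def classify(instance: dict, now: datetime, allowed_days: int = ALLOWED_DAYS) -> str:
    """'not-stopped' | 'unknown' | 'compliant' | 'held' | 'abandoned' (labels are ours)."""
    if instance["State"]["Name"] != "stopped":
        return "not-stopped"
    days = days_stopped(instance, now)
    if days is None:
        return "unknown"          # no timestamp to evaluate; inspect by hand
    if days <= allowed_days:
        return "compliant"        # inside the window, EC2.4 passes
    exp = parse_expires(tag_value(instance, "ExpiresAt") or "")
    if exp is not None and exp > now:
        return "held"             # still fails EC2.4, but someone explicitly claimed it
    return "abandoned"            # unclaimed, or the claim is malformed/expired


def report(describe_output: dict, now: datetime, allowed_days: int = ALLOWED_DAYS) -> list:
    rows = []
    for reservation in describe_output["Reservations"]:
        for inst in reservation["Instances"]:
            rows.append({
                "InstanceId": inst["InstanceId"],
                "DaysStopped": days_stopped(inst, now),
                "Owner": tag_value(inst, "Owner"),
                "Verdict": classify(inst, now, allowed_days),
            })
    return rows


def _inst(iid, state, reason, tags=None):
    return {"InstanceId": iid, "State": {"Name": state}, "StateTransitionReason": reason,
            "Tags": [{"Key": k, "Value": v} for k, v in (tags or {}).items()]}


# Constructed describe-instances output; "now" is pinned so the arithmetic is reproducible.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE = {"Reservations": [{"Instances": [
    _inst("i-0aaa00000000000a1", "stopped", "User initiated (2024-01-05 08:00:00 GMT)", {"Owner": "team-a"}),
    _inst("i-0bbb00000000000b2", "stopped", "User initiated (2024-02-20 12:00:00 GMT)"),
    _inst("i-0ccc00000000000c3", "stopped", "User initiated (2023-12-01 00:00:00 GMT)",
          {"Owner": "team-b", "ExpiresAt": "2030-01-01"}),
    _inst("i-0ddd00000000000d4", "running", ""),
    _inst("i-0eee00000000000e5", "stopped", ""),
    _inst("i-0fff00000000000f6", "stopped", "User initiated (2023-11-01 00:00:00 GMT)",
          {"ExpiresAt": "next quarter"}),
]}]}

if __name__ == "__main__":
    for row in report(SAMPLE, NOW):
        print(f'{row["InstanceId"]}  days={row["DaysStopped"]}  owner={row["Owner"]}  {row["Verdict"]}')
```

Only "held" rows should survive to a tagging policy; "abandoned" rows go into the retire flow, and "unknown" rows need a manual look because the Config rule cannot evaluate them either. A malformed ExpiresAt deliberately counts as abandoned so that a typo in a tag never shields a host from review.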

Remediation script · bash

#!/usr/bin/env bash
# Snapshot, deregister, terminate — the safe retire flow for one instance.
# Stop on the first error so a failed snapshot can never fall through to terminate.
set -euo pipefail

INSTANCE=i-0a1b2c3d4e5f60002

# 1. Crash-consistent snapshots of every attached volume, boot volume included,
#    tagged so the data can be traced back to the instance and restored later.
aws ec2 create-snapshots \
  --instance-specification "InstanceId=$INSTANCE,ExcludeBootVolume=false" \
  --description "EC2.4 cleanup pre-terminate $INSTANCE" \
  --tag-specifications "ResourceType=snapshot,Tags=[{Key=Purpose,Value=ec2.4-cleanup},{Key=SourceInstance,Value=$INSTANCE}]"

# 2. Find any AMIs derived from this instance (located by their SourceInstance tag) and
#    deregister them. Deregistering an AMI does not delete its backing snapshots; those
#    keep billing until they are deleted separately.
aws ec2 describe-images --owners self \
  --filters "Name=tag:SourceInstance,Values=$INSTANCE" \
  --query 'Images[].ImageId' --output text | \
  xargs -n1 -r aws ec2 deregister-image --image-id

# 3. Terminate. Only volumes with DeleteOnTermination set go away with the instance;
#    any others remain and must be deleted by hand once the snapshots are confirmed.
aws ec2 terminate-instances --instance-ids "$INSTANCE"

Full walkthrough (console steps, edge cases and verification) in the lesson Remove long-stopped EC2 instances.

Part of the learning path Right-size your compute
  • EC2.1 An EBS snapshot is publicly restorable by any account
  • EC2.2 Default security groups still allow traffic
  • EC2.3 Attached EBS volumes are not encrypted at rest
  • EC2.6 No VPC flow logs, so there is no network audit trail
  • EC2.7 New EBS volumes are not encrypted by default
  • EC2.8 IMDSv1 lets an SSRF steal instance credentials
  • EC2.9 Instances are directly reachable on public IPv4
  • EC2.10 EC2 API traffic leaves the VPC over the internet
  • EC2.13 SSH (port 22) is open to the entire internet
  • EC2.14 RDP (port 3389) is open to the entire internet
  • EC2.15 Subnets auto-assign public IPs to new instances
  • EC2.17 Instances with multiple ENIs can bridge network boundaries