How to monitor Unused Amazon EBS Volumes

EBS storage is a fundamental component of cloud storage, often used as the primary storage attached to EC2 instances. Even though an EBS volume is attached to an instance, it has a separate lifecycle. If we don’t monitor EBS storage for unused volumes, cloud costs can escalate significantly.

Unless the Delete on Termination option is selected during instance creation, terminating an EC2 instance detaches the EBS volume but doesn’t delete it. Especially in development and testing environments, where EC2 instances are frequently launched and terminated, this often results in a large number of unused EBS volumes.

These unused EBS volumes continue to accrue charges in your AWS account, regardless of whether they are being used.

So why delete unused EBS volumes?

  • EBS volumes incur charges based on storage usage. Removing unused volumes reduces unnecessary costs.
  • Regularly cleaning up unused resources simplifies account management and reduces clutter.
  • Unused volumes may contain sensitive or outdated data. Deleting these volumes prevents accidental exposure.

In this blog, we will explore how to configure an AWS Config Rule and set up an automatic remediation action using AWS Systems Manager Automation to delete unused EBS volumes. The main goal of this blog is to raise awareness of unused EBS volumes in an AWS environment. Deleting the EBS volumes is an optional step.

Note: It is not advisable to use this solution directly in production. Always test the solution first, and agree on a data strategy (retention period and so on) within your team or business.

Solution Overview

  1. Detects unused EBS volumes using the AWS-managed Config Rule.
  2. Automatically creates a snapshot of the volume. I would recommend this step if you are going to delete unused volumes.
  3. Deletes the unused volume.

Implementation Steps

You can refer to this GitHub repo and deploy the required resources using CloudFormation.

After cloning the repo, you can deploy the CloudFormation template via the console. It takes two parameters:

  • Config rule name - String
  • IsSnapshotRequired - Boolean.

This CloudFormation template will deploy:

  • An IAM Role which will be assumed during detection and remediation.
  • AWS Config Rule with remediation action.

The remediation uses an AWS-managed automation document, so we don't build our own for now.

Once you have deployed the CloudFormation template, confirm that the Config rule was created by going to the AWS Config console.

Test the Solution

  • To test the solution, I'm creating an EC2 instance with 2 EBS volumes attached. While creating the EC2 instance, make sure you set Delete on Termination to No for each EBS volume. To see this option, click Advanced under the Storage (volumes) section while creating the EC2 instance.

  • After the EC2 instance is created, the AWS Config rule is evaluated automatically within a few minutes. You should be able to see that the volumes are in the Compliant state, as they are attached to an EC2 instance.

  • Now delete the EC2 instance. Once the instance is deleted, the EBS volume status changes to Available. Since the volumes are no longer attached to any EC2 instance, the Config rule marks them Noncompliant and the remediation starts deleting them after taking a snapshot.

  • You can check the status of the remediation by going to Systems Manager -> Automation.

  • You can also see that an EBS snapshot has been created.

Conclusion

I hope this blog gives you an idea of how we can leverage AWS Config and AWS Systems Manager to manage unattached EBS volumes. If you don't want to delete the volumes, that is also possible: let the rule mark them Noncompliant, fetch the list and send it to the respective teams. Feel free to modify the solution as per your needs.
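The report-only option described above (fetch the list of unattached volumes and send it to the owning teams) could look like the following. This is an added example, not code from the post or its GitHub repo; the `Owner` tag key, the `UNOWNED` bucket and the sample volume IDs are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed sample shaped like EC2 DescribeVolumes output; IDs and tags are made up.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa111example", "State": "available", "Size": 100,
     "Encrypted": False, "CreateTime": datetime(2024, 1, 10, tzinfo=UTC),
     "Attachments": [], "Tags": [{"Key": "Owner", "Value": "team-data"}]},
    {"VolumeId": "vol-0bbb222example", "State": "in-use", "Size": 50,
     "Encrypted": True, "CreateTime": datetime(2024, 2, 1, tzinfo=UTC),
     "Attachments": [{"InstanceId": "i-0ccc333example"}], "Tags": []},
    {"VolumeId": "vol-0ddd444example", "State": "available", "Size": 8,
     "Encrypted": True, "CreateTime": datetime(2024, 3, 1, tzinfo=UTC),
     "Attachments": []},  # no Tags key: handled as untagged
]


def fetch_volumes(region):
    """Live path: list every volume in a region (needs boto3 and ec2:DescribeVolumes)."""
    import boto3  # lazy import so the offline sample run needs no AWS SDK
    pages = boto3.client("ec2", region_name=region).get_paginator("describe_volumes").paginate()
    return [vol for page in pages for vol in page["Volumes"]]


def unused_volume_report(volumes, now, owner_tag="Owner", min_age_days=0):
    """Group unattached volumes by owner tag; nothing is modified or deleted."""
    report = defaultdict(list)
    for vol in volumes:
        if vol["State"] != "available" or vol.get("Attachments"):
            continue  # attached volumes are the ones the Config rule marks Compliant
        age_days = (now - vol["CreateTime"]).days  # since creation; DescribeVolumes has no detach timestamp
        if age_days < min_age_days:
            continue
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        report[tags.get(owner_tag, "UNOWNED")].append({
            "volume_id": vol["VolumeId"], "size_gib": vol["Size"],
            "age_days": age_days, "encrypted": vol["Encrypted"],
        })
    return dict(report)


if __name__ == "__main__":
    # Swap SAMPLE_VOLUMES for fetch_volumes("<your-region>") to run against an account.
    now = datetime(2024, 4, 1, tzinfo=UTC)  # fixed so the sample output is stable
    for owner, vols in unused_volume_report(SAMPLE_VOLUMES, now).items():
        print(owner, sum(v["size_gib"] for v in vols), "GiB")
        for v in vols:
            flag = "" if v["encrypted"] else "  <-- unencrypted data at rest"
            print(f"  {v['volume_id']} {v['size_gib']} GiB, {v['age_days']}d old{flag}")
```

Volumes with no owner tag land in the `UNOWNED` bucket, which is usually the list that needs manual triage before any snapshot-and-delete remediation is enabled.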

Stay secure and optimised in the cloud!
