diff --git a/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/finding.json b/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/finding.json
new file mode 100644
index 0000000..8fd554c
--- /dev/null
+++ b/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/finding.json
@@ -0,0 +1,28 @@
+{
+ "run_id": "28520394302",
+ "target": "finops-aws",
+ "provider": "aws",
+ "check_id": "aws-finops-zero-vms-policy",
+ "check_file": "finops-aws/zero-vms-policy.yaml",
+ "check_name": "Active EC2 instance (zero-VMs policy)",
+ "query": "SELECT instanceId, instanceType, instanceState, placement\nFROM aws.ec2_native.instances\nWHERE region = 'ap-southeast-2'",
+ "severity": "HIGH",
+ "category": null,
+ "kind": null,
+ "region": "ap-southeast-2",
+ "suggested_remediation": {
+ "type": "manual",
+ "tool": null,
+ "preflight_query": null,
+ "sql_query": null,
+ "command": null,
+ "description": "Terminate the instance.\nstackql: DELETE FROM aws.ec2_native.instances WHERE region = '' AND data__Identifier = '';"
+ },
+ "fields": {
+ "instanceId": "i-038ae06cdc98be7d9",
+ "instanceState": "",
+ "instanceType": "t3a.xlarge",
+ "placement": "\n ap-southeast-2a\n apse2-az3\n \n default\n ",
+ "region": "ap-southeast-2"
+ }
+}
diff --git a/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/preflight.sql b/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/preflight.sql
new file mode 100644
index 0000000..e69de29
diff --git a/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/rationale.md b/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/rationale.md
new file mode 100644
index 0000000..c9c17ae
--- /dev/null
+++ b/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/rationale.md
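Review bot: `fields.instanceState` is recorded as `""`, yet the finding is titled "Active EC2 instance", carries `"severity": "HIGH"` and proposes termination; the check should only emit this finding when the state is confirmed (e.g. extend the `query` with `AND instanceState = 'running'`, if that is how the column reports it) or the severity should reflect that the state is unknown. The `suggested_remediation.description` embeds a DELETE template whose predicates are empty (`region = ''`, `data__Identifier = ''`) although `region` and `instanceId` are present in this same document, so a reader copying it either runs a statement with empty filters or has to hand-edit it; substitute the known values or mark the blanks as explicit placeholders such as `<REGION>` and `<INSTANCE_ID>`. `fields.placement` is a string with embedded newlines that looks like flattened XML rather than one key per attribute, which makes the availability-zone and tenancy values unusable for downstream automation. Given `preflight_query` and `sql_query` are both `null` while an empty `preflight.sql` is committed alongside, a short `description` note stating that the human operator must first confirm the instance state and ownership would make the manual intent explicit.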
@@ -0,0 +1,7 @@
+(a) This flags the active EC2 instance `i-038ae06cdc98be7d9` (instance type `t3a.xlarge`) in region `ap-southeast-2` for termination under the zero-VMs policy.
+
+(b) Confidence: medium — the zero-VMs policy is a blanket rule (any running instance is a violation), so detection is reliable, but the remediation is marked `manual` with no preflight or SQL supplied, meaning termination must be performed and double-checked by a human rather than executed automatically.
+
+(c) Captain's call: a `t3a.xlarge` is a comparatively large instance that may back a real workload, the reported `instanceState` is empty, so we cannot confirm from the data whether it is running, stopped, or transitioning; placement is `ap-southeast-2a apse2-az3 default`, and the instance carries no Name tag, so a deterministic check cannot tell whether this is shared/production infrastructure. Terminating an EC2 instance is destructive and irreversible for local (instance-store) data — a human must verify ownership and take backups before acting.
+
+(d) No estimated monthly saving (`estimated_monthly_usd`) is present in the finding fields.
diff --git a/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/remediation.sql b/remediations/proposed/28520394302-1/11-aws-finops-zero-vms-policy-i-038ae06cdc98be7d9/remediation.sql
new file mode 100644
index 0000000..e69de29