From 98a3676ef6d3929cea1798e2e0d97907ff681e92 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 2 Jul 2026 01:23:12 +0000
Subject: [PATCH] Propose remediation: 12-aws-finops-zero-vms-policy-i-00eb8fccb08864940 (run 28558710550.1)
---
 .../finding.json | 28 +++++++++++++++++++
 .../preflight.sql | 0
 .../rationale.md | 11 ++++++++
 .../remediation.sql | 0
 4 files changed, 39 insertions(+)
 create mode 100644 remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/finding.json
 create mode 100644 remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/preflight.sql
 create mode 100644 remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/rationale.md
 create mode 100644 remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/remediation.sql
diff --git a/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/finding.json b/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/finding.json
new file mode 100644
index 0000000..6e43880
--- /dev/null
+++ b/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/finding.json
@@ -0,0 +1,28 @@
+{
+ "run_id": "28558710550",
+ "target": "finops-aws",
+ "provider": "aws",
+ "check_id": "aws-finops-zero-vms-policy",
+ "check_file": "finops-aws/zero-vms-policy.yaml",
+ "check_name": "Active EC2 instance (zero-VMs policy)",
+ "query": "SELECT instanceId, instanceType, instanceState, placement\nFROM aws.ec2_native.instances\nWHERE region = 'ap-southeast-2'",
+ "severity": "HIGH",
+ "category": null,
+ "kind": null,
+ "region": "ap-southeast-2",
+ "suggested_remediation": {
+ "type": "manual",
+ "tool": null,
+ "preflight_query": null,
+ "sql_query": null,
+ "command": null,
+ "description": "Terminate the instance.\nstackql: DELETE FROM aws.ec2_native.instances WHERE region = '' AND data__Identifier = '';"
+ },
+ "fields": {
+ "instanceId": "i-00eb8fccb08864940",
+ "instanceState": "",
+ "instanceType": "t3.micro",
+ "placement": "\n ap-southeast-2b\n apse2-az1\n \n default\n ",
+ "region": "ap-southeast-2"
+ }
+}
diff --git a/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/preflight.sql b/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/preflight.sql
new file mode 100644
index 0000000..e69de29
diff --git a/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/rationale.md b/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/rationale.md
new file mode 100644
index 0000000..447c16c
--- /dev/null
+++ b/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/rationale.md
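Review bot: The `suggested_remediation.description` on the new side still carries the unfilled template `WHERE region = '' AND data__Identifier = ''`, even though `fields.region` and `fields.instanceId` are populated a few lines below; an operator who pastes it as-is runs a DELETE with an empty-string predicate, and the finding should render it filled in as `DELETE FROM aws.ec2_native.instances WHERE region = 'ap-southeast-2' AND data__Identifier = 'i-00eb8fccb08864940';`. `fields.instanceState` is `""` while the `query` selects `instanceState` and filters only on `region`, so this HIGH finding cannot distinguish a running instance from a stopped one — either the check should filter on state or the field mapping that left it empty needs fixing before the finding is used to justify an irreversible terminate. The `placement` value looks like the text of an XML element with its tags stripped (I cannot confirm the element names from here); a structured object such as `{"availabilityZone": "ap-southeast-2b", "availabilityZoneId": "apse2-az1", "tenancy": "default"}` would be far easier for downstream tooling than a whitespace-separated string.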
@@ -0,0 +1,11 @@
+# Rationale — i-00eb8fccb08864940
+
+**What & where:** This finding flags the running EC2 instance `i-00eb8fccb08864940` (`t3.micro`) in region `ap-southeast-2` under the zero-VMs policy, which mandates that no EC2 instances run in this account/region. Remediation would terminate the instance (`DELETE FROM aws.ec2_native.instances ... data__Identifier = 'i-00eb8fccb08864940'`).
+
+**No automated query provided:** The upstream `suggested_remediation.type` is `manual`, so `preflight_query` and `sql_query` are `null`. `preflight.sql` and `remediation.sql` in this directory are therefore intentionally empty — there is nothing to execute automatically and any termination must be performed by a human operator using the templated command in the finding's `description`.
+
+**Confidence:** Low-to-medium as an automated action. The policy match is clear, but `instanceState` is (empty / not reported), so the finding does not confirm the instance is actually running vs. stopped, and terminating is irreversible.
+
+**Captain's call:** `t3.micro` is a comparatively large/expensive instance type; combined with placement `ap-southeast-2b apse2-az1 default`, this could well be a real workload rather than stray waste, so terminating blindly is risky. HIGH severity here reflects a policy violation, not a safe-to-delete signal — a human must confirm ownership, tags, and that no service depends on it before termination.
+
+**Estimated monthly saving:** not provided in `fields.estimated_monthly_usd`.
diff --git a/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/remediation.sql b/remediations/proposed/28558710550-1/12-aws-finops-zero-vms-policy-i-00eb8fccb08864940/remediation.sql
new file mode 100644
index 0000000..e69de29
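Review bot: The "Captain's call" paragraph describes `t3.micro` as "a comparatively large/expensive instance type", which is backwards — t3.micro is one of the smallest burstable types — so the paragraph's risk argument rests on a wrong premise and the placement string (an AZ, an AZ id and a `default` tenancy) says nothing about whether a real workload lives there; I would rewrite the first sentence as `**Captain's call:** t3.micro is one of the smallest burstable types, so the saving is modest; placement alone does not indicate a real workload — ownership, tags and dependents must be confirmed before termination.` The "What & where" paragraph calls the instance "running" and quotes the DELETE as if `data__Identifier` were filled in, but the finding's own `description` template has empty string literals and `instanceState` is empty, so the paragraph should say the state is unconfirmed and that the operator must substitute the region and instance id before running the command. The Confidence paragraph's point that the empty `instanceState` leaves running-vs-stopped unknown and that termination is irreversible is correct and should stay; it would be worth adding that a stopped instance still incurs EBS cost, so the saving estimate differs by state.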