@@ -0,0 +1,28 @@
{
"run_id": "28558710550",
"target": "finops-aws",
"provider": "aws",
"check_id": "aws-finops-zero-vms-policy",
"check_file": "finops-aws/zero-vms-policy.yaml",
"check_name": "Active EC2 instance (zero-VMs policy)",
"query": "SELECT instanceId, instanceType, instanceState, placement\nFROM aws.ec2_native.instances\nWHERE region = 'ap-southeast-2'",
"severity": "HIGH",
"category": null,
"kind": null,
"region": "ap-southeast-2",
"suggested_remediation": {
"type": "manual",
"tool": null,
"preflight_query": null,
"sql_query": null,
"command": null,
"description": "Terminate the instance.\nstackql: DELETE FROM aws.ec2_native.instances WHERE region = '<region>' AND data__Identifier = '<instanceId>';"
},
"fields": {
"instanceId": "i-00eb8fccb08864940",
"instanceState": "",
"instanceType": "t3.micro",
"placement": "\n ap-southeast-2b\n apse2-az1\n \n default\n ",
"region": "ap-southeast-2"
}
}
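Review bot: `instanceState` is emitted as the empty string (`"instanceState": ""`) even though the query explicitly selects it, so the finding cannot distinguish a running instance from a stopped one; because the suggested remediation is an irreversible `DELETE FROM aws.ec2_native.instances ...`, the check should either fail closed when `instanceState` is empty (downgrade or skip rather than report HIGH) or the query should be fixed so the state is actually populated. Secondly, `placement` is a whitespace-padded multi-line string (`"\n ap-southeast-2b\n apse2-az1\n \n default\n "`) rather than structured fields; splitting it into separate keys for availability zone, zone id and tenancy would make the finding usable by downstream tooling and by the rationale that cites it. Finally, `category` and `kind` are `null` while `fields` lacks the `estimated_monthly_usd` key that the rationale expects, so the schema produced here and the one consumed by the rationale should be reconciled.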
@@ -0,0 +1,11 @@
# Rationale — i-00eb8fccb08864940

**What & where:** This finding flags the running EC2 instance `i-00eb8fccb08864940` (`t3.micro`) in region `ap-southeast-2` under the zero-VMs policy, which mandates that no EC2 instances run in this account/region. Remediation would terminate the instance (`DELETE FROM aws.ec2_native.instances ... data__Identifier = 'i-00eb8fccb08864940'`).

**No automated query provided:** The upstream `suggested_remediation.type` is `manual`, so `preflight_query` and `sql_query` are `null`. `preflight.sql` and `remediation.sql` in this directory are therefore intentionally empty — there is nothing to execute automatically and any termination must be performed by a human operator using the templated command in the finding's `description`.

**Confidence:** Low-to-medium as an automated action. The policy match is clear, but `instanceState` is (empty / not reported), so the finding does not confirm the instance is actually running vs. stopped, and terminating is irreversible.

**Captain's call:** `t3.micro` is a comparatively large/expensive instance type; combined with placement `ap-southeast-2b apse2-az1 default`, this could well be a real workload rather than stray waste, so terminating blindly is risky. HIGH severity here reflects a policy violation, not a safe-to-delete signal — a human must confirm ownership, tags, and that no service depends on it before termination.

**Estimated monthly saving:** not provided in `fields.estimated_monthly_usd`.
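Review bot: under "Captain's call", the statement that `t3.micro` is "a comparatively large/expensive instance type" is not supported by the finding (the JSON carries no sizing or pricing data and `fields.estimated_monthly_usd` is absent, as the last line notes) and is also inaccurate, since `t3.micro` is one of the smallest burstable sizes; the recommendation to require human confirmation of ownership, tags and dependencies before termination stands on its own, so that sentence should be reworded to rest on those checks rather than on instance size. Under "Confidence", the phrase "`instanceState` is (empty / not reported)" reads as a leftover placeholder and should be written out as "`instanceState` is empty, i.e. not reported by the query". It would also help to state explicitly that `preflight.sql` and `remediation.sql` being empty means any automation that executes files in this directory must treat an empty file as "no action" rather than as a zero-row success.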