EC2 Detailed Monitoring Enabled
Overview
This check verifies that your EC2 instances have CloudWatch detailed monitoring enabled. With detailed monitoring, CloudWatch collects metrics at 1-minute intervals instead of the default 5-minute intervals.
More frequent metrics help you detect performance issues faster and respond to security threats before they escalate. Think of it as checking your car's dashboard every minute versus every five minutes while driving on a busy highway.
Risk
Without detailed monitoring, you lose visibility into your EC2 instances:
- Delayed threat detection: 5-minute gaps can miss rapid CPU spikes from crypto-mining malware or brute-force attacks
- Slower incident response: By the time you notice an issue, the damage may already be done
- Missed performance anomalies: Brief network or disk spikes that indicate problems may not appear in 5-minute averages
- Data exfiltration blindspots: Unusual network activity patterns are harder to detect with coarse-grained metrics
- Higher investigation costs: When incidents occur, the lack of granular data makes root cause analysis more difficult
This check has Low severity since it enhances monitoring rather than addressing a direct vulnerability, but it is an important part of defense-in-depth.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to modify EC2 instances
- The instance ID(s) of the EC2 instances you want to enable detailed monitoring on
Required IAM permissions
Your IAM user or role needs these permissions:
- ec2:MonitorInstances - Enable detailed monitoring
- ec2:DescribeInstances - View instance details
Example IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:MonitorInstances",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Go to the EC2 Console in us-east-1
- Click Instances in the left sidebar
- Select the instance you want to enable detailed monitoring for (check the box next to it)
- Click Actions at the top of the page
- Choose Monitor and troubleshoot
- Click Manage detailed monitoring
- Check the box next to Enable
- Click Save
The monitoring state will change from "disabled" to "pending" and then to "enabled" within a few minutes.
To enable for multiple instances at once:
- Select multiple instances before clicking Actions
- Follow the same steps - the change applies to all selected instances
AWS CLI (optional)
Enable Detailed Monitoring for a Single Instance
aws ec2 monitor-instances \
--instance-ids i-1234567890abcdef0 \
--region us-east-1
Replace i-1234567890abcdef0 with your actual instance ID.
Enable for Multiple Instances
aws ec2 monitor-instances \
--instance-ids i-1234567890abcdef0 i-0987654321fedcba0 \
--region us-east-1
Expected Output
{
  "InstanceMonitorings": [
    {
      "InstanceId": "i-1234567890abcdef0",
      "Monitoring": {
        "State": "pending"
      }
    }
  ]
}
The state will transition from pending to enabled within a few minutes.
Enable for All Running Instances
To enable detailed monitoring on all running instances in a region:
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running" \
--query 'Reservations[*].Instances[*].InstanceId' \
--output text \
--region us-east-1 | \
xargs -n 50 aws ec2 monitor-instances --region us-east-1 --instance-ids
CloudFormation (optional)
When creating EC2 instances with CloudFormation, set the Monitoring property to true:
AWSTemplateFormatVersion: '2010-09-09'
Description: EC2 instance with detailed monitoring enabled
Parameters:
  InstanceType:
    Type: String
    Default: t3.micro
    Description: EC2 instance type
  AmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
    Description: AMI ID (defaults to latest Amazon Linux 2)
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet to launch the instance in
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: !Ref AmiId
      SubnetId: !Ref SubnetId
      Monitoring: true
      Tags:
        - Key: Name
          Value: instance-with-detailed-monitoring
Outputs:
  InstanceId:
    Description: Instance ID
    Value: !Ref EC2Instance
Deploy with:
aws cloudformation deploy \
--template-file ec2-detailed-monitoring.yaml \
--stack-name ec2-detailed-monitoring \
--parameter-overrides \
SubnetId=subnet-12345678 \
--region us-east-1
Note: CloudFormation cannot enable detailed monitoring on existing instances. For existing instances, use the Console or CLI methods above.
Terraform (optional)
When creating EC2 instances with Terraform, set the monitoring argument to true:
# Variables
variable "instance_type" {
  description = "EC2 instance type"
  type        = string
  default     = "t3.micro"
}

variable "subnet_id" {
  description = "Subnet ID to launch the instance in"
  type        = string
}

# Data source for latest Amazon Linux 2 AMI
data "aws_ami" "amazon_linux_2" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

# EC2 instance with detailed monitoring
resource "aws_instance" "example" {
  ami           = data.aws_ami.amazon_linux_2.id
  instance_type = var.instance_type
  subnet_id     = var.subnet_id

  # Enable detailed monitoring
  monitoring = true

  tags = {
    Name = "instance-with-detailed-monitoring"
  }
}

# Output
output "instance_id" {
  description = "Instance ID"
  value       = aws_instance.example.id
}
Deploy with:
terraform init
terraform plan -var="subnet_id=subnet-12345678"
terraform apply -var="subnet_id=subnet-12345678"
To update existing instances managed by Terraform:
If you have existing Terraform-managed instances without detailed monitoring, add monitoring = true to the resource and run terraform apply. Terraform will enable detailed monitoring without replacing the instance.
Verification
After enabling detailed monitoring, verify the change took effect:
- Go to the EC2 Console in us-east-1
- Click Instances in the left sidebar
- Select the instance you modified
- In the Details tab, scroll down to Monitoring
- Confirm the Monitoring field shows enabled
Alternatively, click the Monitoring tab for the instance and verify that metrics are now updating at 1-minute intervals (this may take a few minutes to appear).
CLI verification commands
Check detailed monitoring status for a specific instance:
aws ec2 describe-instances \
--instance-ids i-1234567890abcdef0 \
--query 'Reservations[*].Instances[*].[InstanceId,Monitoring.State]' \
--output table \
--region us-east-1
Expected output:
-----------------------------------------
|           DescribeInstances           |
+----------------------+----------------+
|  i-1234567890abcdef0 |  enabled       |
+----------------------+----------------+
List all instances that still have detailed monitoring disabled:
aws ec2 describe-instances \
--filters "Name=monitoring-state,Values=disabled" \
--query 'Reservations[*].Instances[*].[InstanceId,Tags[?Key==`Name`].Value|[0]]' \
--output table \
--region us-east-1
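The same evaluation this check performs, and the "still disabled" listing above, modelled offline as an added example (not code from the original page or from any scanning tool). It runs over a constructed describe-instances style response; the hypothetical check_detailed_monitoring function flags every non-terminated instance whose Monitoring.State is not "enabled" (so "pending" still fails until it settles), and remediation_batches groups failing IDs into batches of 50 to match the xargs -n 50 remediation command above.

```python
"""Offline model of the EC2 detailed-monitoring check described on this page."""
import json

# Constructed sample (not real account data); the shape follows the
# DescribeInstances API: Reservations -> Instances -> Monitoring.State.
SAMPLE_RESPONSE = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-1234567890abcdef0", "State": {"Name": "running"},
             "Monitoring": {"State": "enabled"},
             "Tags": [{"Key": "Name", "Value": "web-prod"}]},
            {"InstanceId": "i-0987654321fedcba0", "State": {"Name": "running"},
             "Monitoring": {"State": "disabled"},
             "Tags": [{"Key": "Name", "Value": "api-prod"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "pending"},
             "Monitoring": {"State": "pending"}, "Tags": []},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "terminated"},
             "Monitoring": {"State": "disabled"}, "Tags": []},
        ]},
    ]
})

def name_tag(instance):
    """Return the Name tag value, or '' when the instance has no Name tag."""
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == "Name"), "")

def check_detailed_monitoring(response_json):
    """One finding per non-terminated instance; only State == 'enabled' passes."""
    findings = []
    for reservation in json.loads(response_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue  # nothing left to monitor, skip it
            state = inst.get("Monitoring", {}).get("State", "disabled")
            findings.append({"instance_id": inst["InstanceId"], "name": name_tag(inst),
                             "monitoring": state,
                             "status": "PASS" if state == "enabled" else "FAIL"})
    return findings

def remediation_batches(findings, batch_size=50):
    """Group failing instance IDs into batches, one monitor-instances call each."""
    ids = [f["instance_id"] for f in findings if f["status"] == "FAIL"]
    return [ids[i:i + batch_size] for i in range(0, len(ids), batch_size)]

if __name__ == "__main__":
    results = check_detailed_monitoring(SAMPLE_RESPONSE)
    for f in results:
        print(f"{f['status']} {f['instance_id']} ({f['name'] or '-'}) monitoring={f['monitoring']}")
    for batch in remediation_batches(results):
        print("aws ec2 monitor-instances --region us-east-1 --instance-ids", " ".join(batch))
```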
Additional Resources
- AWS Documentation: Enable or Disable Detailed Monitoring for Your Instances
- AWS Documentation: Amazon EC2 Metrics and Dimensions
- AWS CloudWatch Pricing - Detailed monitoring has additional costs
- AWS Well-Architected Framework: Monitoring
Notes
- Cost impact: Detailed monitoring incurs additional CloudWatch charges. As of this writing, detailed monitoring costs approximately $2.10 per instance per month (7 metrics at 1-minute intervals). Basic monitoring is free.
- No downtime: Enabling detailed monitoring does not require stopping or restarting the instance. The change takes effect immediately.
- New instances: When launching new instances, you can enable detailed monitoring at launch time. This is a checkbox in the Console launch wizard or the Monitoring property in CloudFormation/Terraform.
- Auto Scaling groups: If you use Auto Scaling, configure detailed monitoring in your launch template or launch configuration so all new instances automatically have it enabled.
- Priority workloads: Focus on enabling detailed monitoring for:
  - Production instances
  - Internet-facing instances
  - Instances running critical applications
  - Auto Scaling group members where rapid scaling decisions matter
- Combine with alarms: Detailed monitoring is most valuable when paired with CloudWatch alarms. Consider setting up alarms for CPU spikes, network anomalies, and disk utilization to take full advantage of the 1-minute metrics.
- CloudTrail integration: Enabling detailed monitoring is logged in CloudTrail as a MonitorInstances event, providing an audit trail of who made the change and when.