Fix VPC DNS settings for SSM and CloudWatch agents
AWS Resource Type:
In order to identify all cost saving opportunities for EC2 instances, CloudFix requires SSM and CloudWatch agents to be running on each instance, and to be able to communicate with their respective AWS service endpoints. This FF updates VPC DNS settings to allow the SSM and CloudWatch agents to resolve the domain names of their service endpoints.
Note: this FF does not directly save costs, but will unlock cost saving opportunities for other FFs.
Criteria for identifying the opportunity:
The Finder uses the EC2 DescribeVpcs API with the filter state=available to list all available VPCs.
Next, the Finder uses the EC2 DescribeVpcAttribute API to fetch the configuration of each available VPC. An opportunity is identified when either the enableDnsSupport or the enableDnsHostnames attribute is set to false.
Potential savings (range in % on annual basis):
None - this FF does not directly save costs, but will unlock cost saving opportunities for other FFs.
What happens when the Fixer is executed?
If enableDnsSupport is disabled, the Fixer enables DNS support by calling the EC2 ModifyVpcAttribute API with the parameter EnableDnsSupport = true.
If enableDnsHostnames is disabled, the Fixer enables DNS hostnames by making another call to the EC2 ModifyVpcAttribute API with EnableDnsHostnames = true. A separate API call is required because the two parameters cannot both be set to true in the same API request.
Is it possible to roll back once CloudFix implements the fixer?
There is no automated rollback, but the changes can be reversed manually by using the EC2 ModifyVpcAttribute API to set the EnableDnsSupport and EnableDnsHostnames parameters back to their original values.
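The Finder and Fixer steps described above, together with the record of original values needed for a manual rollback, can be sketched as follows. This is an added example, not CloudFix's own code: the function names, the StubEC2 class and the VPC IDs are constructed for illustration, and the ec2 argument is assumed to be a boto3 EC2 client or anything with the same three methods.

```python
# Added example: Finder/Fixer flow against a boto3-style EC2 client.
# Order matters: AWS only allows DNS hostnames to be enabled once DNS support is on.
ATTRS = (("enableDnsSupport", "EnableDnsSupport"),
         ("enableDnsHostnames", "EnableDnsHostnames"))

def find_opportunities(ec2):
    """Return {vpc_id: {attribute: original_value}} for VPCs with a DNS attribute off."""
    findings = {}
    vpcs = ec2.describe_vpcs(Filters=[{"Name": "state", "Values": ["available"]}])
    for vpc in vpcs["Vpcs"]:
        vpc_id, original = vpc["VpcId"], {}
        for attr, key in ATTRS:
            # DescribeVpcAttribute accepts one attribute per call.
            resp = ec2.describe_vpc_attribute(VpcId=vpc_id, Attribute=attr)
            original[attr] = resp[key]["Value"]
        if not all(original.values()):
            findings[vpc_id] = original
    return findings

def fix_vpc(ec2, vpc_id, original):
    """Enable whichever attributes were off, one ModifyVpcAttribute call each."""
    changed = []
    for attr, key in ATTRS:
        if not original[attr]:
            ec2.modify_vpc_attribute(VpcId=vpc_id, **{key: {"Value": True}})
            changed.append(attr)
    return changed  # store with `original`: this is the manual-rollback record

class StubEC2:
    """Constructed in-memory stand-in for boto3.client("ec2"); sample data only."""
    def __init__(self, vpcs):
        self.vpcs, self.calls = vpcs, []
    def describe_vpcs(self, Filters):
        return {"Vpcs": [{"VpcId": v} for v in self.vpcs]}
    def describe_vpc_attribute(self, VpcId, Attribute):
        key = Attribute[0].upper() + Attribute[1:]
        return {"VpcId": VpcId, key: {"Value": self.vpcs[VpcId][Attribute]}}
    def modify_vpc_attribute(self, VpcId, **kwargs):
        self.calls.append((VpcId, sorted(kwargs)))
        for key, val in kwargs.items():
            self.vpcs[VpcId][key[0].lower() + key[1:]] = val["Value"]

if __name__ == "__main__":
    ec2 = StubEC2({"vpc-sample-1": {"enableDnsSupport": False,
                                    "enableDnsHostnames": False}})
    for vpc_id, original in find_opportunities(ec2).items():
        print(vpc_id, "original:", original, "changed:", fix_vpc(ec2, vpc_id, original))
```

Persisting the `original` mapping before calling `fix_vpc` gives the values to pass back to ModifyVpcAttribute if the change has to be reversed by hand.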
Can CloudFix implement the fix automatically once I accept the recommendation?
Does this fix require downtime?