
I need to audit a large number of AWS accounts to determine which EC2 instances are missing the SSM agent. Then I need to have all those instances and their tags output.

Running aws ssm describe-instance-information lists all the instances that have the agent installed and are running, but it doesn't list instances that are missing the agent or systems that might be turned off.

Kayotic
  • Worth starting with AWS Config to understand how it can help you view compliance history and SSM State Manager associations. – jarmod Feb 05 '20 at 22:54
  • There probably isn't a way to use the AWS CLI to list agents that are missing the agent, but you could use it to list _all_ instances and then you could just subtract the instances with the agent. (eg in an Excel spreadsheet or with a little script) – John Rotenstein Feb 06 '20 at 00:05

2 Answers

#!/bin/bash
# For every EC2 instance visible to the current profile/region, look up its SSM
# record and emit one tab-separated row: instance details, then the SSM status.
for instance in $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId]' --output text)
do
  # AssociationStatus is the State Manager association result. It is empty when
  # SSM has no record of the instance (agent missing or never registered) or when
  # the instance is registered but has no association.
  managed=$(aws ssm describe-instance-information --filters "Key=InstanceIds,Values=$instance" --query 'InstanceInformationList[*].[AssociationStatus]' --output text)
  if [[ "$managed" != "Success" ]]; then
    managed="Not Managed"
  fi
  # Missing tags print as "None" in text output; the flag is --instance-ids (plural).
  details=$(aws ec2 describe-instances --instance-ids "$instance" --output text --query 'Reservations[*].Instances[*].[InstanceId, Placement.AvailabilityZone, [Tags[?Key==`Name`].Value] [0][0], [Tags[?Key==`App`].Value] [0][0], [Tags[?Key==`Product`].Value] [0][0], [Tags[?Key==`Team`].Value] [0][0] ]')
  printf '%s\t%s\n' "$details" "$managed"
done

Save and make the script executable, then run

./script.sh > file.tsv

And finally import it into Excel.

Kayotic

This will print a list of all your instances with "success" printed beneath the ones which are managed.

for instance in $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId]' --output text)
do
  # Empty when SSM has no record of the instance or no State Manager association exists.
  managed=$(aws ssm describe-instance-information --filters "Key=InstanceIds,Values=$instance" --query 'InstanceInformationList[*].[AssociationStatus]' --output text)
  echo "$instance  $managed"
done

To add a simple but not well-formatted set of tags, replace the echo line with

if [[ "$managed" != "Success" ]]; then
  managed="Fail"
fi
echo "$instance  $managed"
# Prints every tag value of the instance on one line (the flag is --instance-ids, plural).
aws --profile GC-Staging ec2 describe-instances --instance-ids "$instance" --query 'Reservations[*].Instances[*].[Tags[*].Value]' --output text
andrew lorien
  • Thanks! I took what you had and made a couple of changes to pull certain tags and adjust the formatting. Then run the script and pipe it to a tsv file. Imported into excel and it's all nice and pretty. – Kayotic Mar 26 '20 at 01:51
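Both answers above call the SSM API once per instance and key on AssociationStatus, which is also empty for an instance that has a working agent but simply no State Manager association, so a registered-but-unassociated host is reported the same way as one with no agent at all. The script below is an added example, not code from either answer or from AWS: it does what John Rotenstein's comment suggests (pull all instances, pull all SSM-registered instances, subtract) with two CLI calls per account/region instead of two per instance, and it separates "SSM has never heard from this instance" (NOT_REGISTERED) from the PingStatus SSM reports for a registered one (Online, ConnectionLost for a stopped or unreachable host, Inactive). It assumes the two input files were produced with `aws ec2 describe-instances --output json` and `aws ssm describe-instance-information --output json` (JSON output auto-paginates, so large accounts come back whole); the sample documents embedded in it are constructed for the offline run and are not real accounts, and the script name ssm_audit.py is a placeholder.

```python
#!/usr/bin/env python3
"""Offline join of two AWS CLI JSON documents:

    aws --profile ACCT ec2 describe-instances --output json            > ec2.json
    aws --profile ACCT ssm describe-instance-information --output json > ssm.json
    python3 ssm_audit.py ec2.json ssm.json Name App Team              > acct.tsv

Every instance EC2 reports but SSM does not is NOT_REGISTERED (no agent, or an
agent that never checked in); instances SSM knows are reported with PingStatus.
Only non-Online instances are written unless only_problems=False.
"""
import json
import sys

# Constructed sample documents in the shape the CLI returns (not real accounts).
SAMPLE_EC2 = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "Placement": {"AvailabilityZone": "us-east-1a"},
             "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "Team", "Value": "platform"}]},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
             "Placement": {"AvailabilityZone": "us-east-1b"},
             "Tags": [{"Key": "Name", "Value": "legacy-db"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"},
             "Placement": {"AvailabilityZone": "us-east-1a"},
             "Tags": [{"Key": "Name", "Value": "batch-7"}, {"Key": "Team", "Value": "data"}]},
            {"InstanceId": "i-0ddd444", "State": {"Name": "running"},
             "Placement": {"AvailabilityZone": "us-east-1c"}},  # no Tags key at all
        ]},
    ]
}
SAMPLE_SSM = {
    "InstanceInformationList": [
        {"InstanceId": "i-0aaa111", "PingStatus": "Online", "AgentVersion": "3.0.161.0"},
        {"InstanceId": "i-0ccc333", "PingStatus": "ConnectionLost", "AgentVersion": "2.3.1644.0"},
    ]
}


def index_ssm(ssm_doc):
    """InstanceId -> InstanceInformation entry. describe-instance-information lists
    only instances whose agent has registered, so absence from it is the signal."""
    return {i["InstanceId"]: i for i in ssm_doc.get("InstanceInformationList", [])}


def tag_map(instance):
    """Tags are a list of {Key, Value}; an untagged instance may lack the key entirely."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def classify(instance, ssm_by_id):
    """Return (ssm_status, agent_version) for one EC2 instance."""
    info = ssm_by_id.get(instance["InstanceId"])
    if info is None:
        return "NOT_REGISTERED", ""
    return info.get("PingStatus", "UNKNOWN"), info.get("AgentVersion", "")


def build_rows(ec2_doc, ssm_doc, tag_keys=("Name",), only_problems=True):
    """One row per instance: id, EC2 state, AZ, SSM status, agent version, requested tags."""
    ssm_by_id = index_ssm(ssm_doc)
    rows = []
    for reservation in ec2_doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            status, version = classify(inst, ssm_by_id)
            if only_problems and status == "Online":
                continue
            tags = tag_map(inst)
            rows.append([inst["InstanceId"],
                         inst.get("State", {}).get("Name", ""),
                         inst.get("Placement", {}).get("AvailabilityZone", ""),
                         status, version,
                         *[tags.get(k, "") for k in tag_keys]])
    return rows


def to_tsv(rows, tag_keys=("Name",)):
    """Header plus rows, tab separated, ready for a spreadsheet import."""
    header = ["InstanceId", "State", "AZ", "SsmStatus", "AgentVersion", *tag_keys]
    return "\n".join("\t".join(r) for r in [header, *rows]) + "\n"


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: ssm_audit.py ec2.json ssm.json [TagKey ...]")
    tag_keys = tuple(argv[3:]) or ("Name",)
    with open(argv[1]) as f:
        ec2_doc = json.load(f)
    with open(argv[2]) as f:
        ssm_doc = json.load(f)
    sys.stdout.write(to_tsv(build_rows(ec2_doc, ssm_doc, tag_keys), tag_keys))


if __name__ == "__main__":
    main(sys.argv)
```

For the multi-account case, run the two CLI commands once per `--profile` (and per region, since both APIs are regional) and feed each pair of files through the script; a ConnectionLost row on a stopped instance means the agent was installed and registered before the host went down, while NOT_REGISTERED on a running instance is the case the question is after.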