AWS SSM Agent - Using the aws cli, is there a way to list all the AWS instances that are missing the SSM agent?

Question

I need to audit a large number of AWS accounts to determine which EC2 instances are missing the SSM agent. Then I need have all those instances and their tags outputted.

Running aws ssm describe-instance-information lists all the instances that have the agent installed and are running, but it doesn't list instances that are missing the agent or systems that might be turned off.

Answer 1

#!/bin/bash
for instance in $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId]' --output text )
do
  managed=$(aws ssm describe-instance-information  --filters "Key=InstanceIds,Values=$instance" --query 'InstanceInformationList[*].[AssociationStatus]' --output text)
  if [[ "$managed" != "Success" ]]; then 
  managed="Not Managed"; 
fi
aws ec2 describe-instances --instance-id $instance --output text --query 'Reservations[*].Instances[*].[InstanceId, Placement.AvailabilityZone, [Tags[?Key==`Name`].Value] [0][0], [Tags[?Key==`App`].Value] [0][0], [Tags[?Key==`Product`].Value] [0][0], [Tags[?Key==`Team`].Value] [0][0] ]' 
echo "$managed"
done

Save and make the script executable, then run

script.sh > file.tsv

And finally import it into excel

Answer 2

This will print a list of all your instances with "success" printed beneath the ones which are managed.

for instance in $(aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId]' --output text )
do;
  managed=$(aws ssm describe-instance-information  --filters "Key=InstanceIds,Values=$instance" --query 'InstanceInformationList[*].[AssociationStatus]' --output text)
  echo "$instance  $managed";
done

To add a simple but not well-formatted set of tags, replace the echo line with

if [[ "$managed" != "Success" ]]; then 
  managed="Fail"; 
fi
echo "$instance  $managed"
aws --profile GC-Staging ec2 describe-instances --instance-id $instance --query 'Reservations[*].Instances[*].[Tags[*].Value]' --output text