
Detect EC2 instances without SSM enabled

So you have a fleet of EC2 instances running, and you need to patch them with SSM. You deploy the patches, but somehow, you missed some instances. It turns out that the SSM agent is not running on all your EC2 instances. This could be a disaster.

There is no direct way to find which EC2 instance is missing an agent. I created a little Python script that I wrapped in a Lambda function that will run on any cron schedule you define. If it detects any missing SSM agents, it will send you an alert via your Slack channel. The entire solution is wrapped in a CloudFormation template that you can easily deploy.
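For readers who want to see what the Lambda actually does, here is an added example of the core check (not the script from the template): it compares the running EC2 instances with the instances SSM reports as managed and builds the Slack payload. It goes one step beyond the post by also treating an agent that is registered but not reported as `Online` as missing. The environment variable names `SLACK_WEBHOOK` and `ADDITIONAL` and the sample API pages are assumptions, not taken from the template.

```python
import json
import os
import urllib.request

# Constructed sample pages in the shape boto3 returns for
# ec2.describe_instances and ssm.describe_instance_information (not real data).
SAMPLE_EC2_PAGES = [{"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"}}]}]}]
SAMPLE_SSM_PAGES = [{"InstanceInformationList": [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
    {"InstanceId": "i-0ccc333", "PingStatus": "ConnectionLost"}]}]

def running_ids(pages):
    """IDs of running instances across all describe_instances pages."""
    return {i["InstanceId"] for p in pages for r in p["Reservations"]
            for i in r["Instances"] if i["State"]["Name"] == "running"}

def healthy_ssm_ids(pages):
    """Instances whose SSM agent is registered AND currently reachable."""
    return {i["InstanceId"] for p in pages for i in p["InstanceInformationList"]
            if i.get("PingStatus") == "Online"}

def missing_ssm(ec2_pages, ssm_pages):
    """Running instances with no working SSM agent, sorted for stable alerts."""
    return sorted(running_ids(ec2_pages) - healthy_ssm_ids(ssm_pages))

def slack_payload(missing, additional=""):
    """Slack incoming-webhook body; None when there is nothing to report."""
    if not missing:
        return None
    lines = "\n".join(f"• {i}" for i in missing)
    return {"text": f"{additional} {len(missing)} running EC2 instance(s) "
                    f"without a working SSM agent:\n{lines}".strip()}

def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported here so the pure functions run anywhere
    ec2_pages = boto3.client("ec2").get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    ssm_pages = boto3.client("ssm").get_paginator("describe_instance_information").paginate()
    payload = slack_payload(missing_ssm(ec2_pages, ssm_pages), os.environ.get("ADDITIONAL", ""))
    if payload:  # assumed env var holding the Slack webhook URL
        req = urllib.request.Request(os.environ["SLACK_WEBHOOK"], data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=10).read()
    return payload
```

The Lambda role only needs `ec2:DescribeInstances` and `ssm:DescribeInstanceInformation` for this check.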

  • To use the CloudFormation template, you will need to have a Slack Webhook already configured. If you haven’t done that yet, do that first, and record the webhook URL somewhere, we’ll use it in a sec.
  • Download the CloudFormation template
  • Log onto the AWS Console, change to the region where you’d like the function to run.
  • Note that the function only monitors the region it is deployed in, so if you want to run the monitor on multiple regions, you will need to deploy the Lambda function to each of those regions.
  • Create a new stack in the Cloudformation console. Use the file you downloaded above as the template.

You will be presented with the parameters screen.

[Screenshot: CloudFormation parameters screen]

  • Stack Name – Give a descriptive name – this is entirely up to you
  • SlackWebHook – Provide the Slack Webhook – if you haven’t set this up yet, go ahead and do that first (of course, this all assumes that you’re actually using Slack!)
  • additional – This is some additional text that will be added to the Slack message. In case you run the function on multiple accounts and multiple regions, you may want to specify where this is coming from.
  • cron – By default, the Lambda function will trigger daily at 12:00. You can modify this to suit your own requirements.

Click Next, then click Next again. Right at the bottom, make sure to select the checkbox against the “I acknowledge that AWS CloudFormation might create IAM resources” option. The template needs this permission because it creates an IAM role for the Lambda function to read the EC2 and SSM data. Click on “Create Stack” to create the stack.

And that’s it! Provided the Slack webhook is set up correctly, you will receive a Slack alert like this one.

[Screenshot: example Slack alert listing the EC2 instances without an SSM agent]