AWS offers a powerful suite of managed and serverless services that enable event-driven architectures without direct server management. However, when EC2 instances are necessary, tracking their health, patching, and sizing becomes critical. Pawan Sawalani demonstrates an effective solution using AWS Config, EventBridge, Lambda, and CDK to monitor EC2 instances not managed by AWS Systems Manager (SSM) and alert teams for remediation.
Key Components:
- AWS Config: Tracks resource configurations and compliance.
- EventBridge: Triggers events based on AWS Config rule evaluations.
- Lambda: Processes events and sends notifications.
- CDK (Cloud Development Kit): Deploys infrastructure as code.
You Should Know:
1. AWS Config Rule Setup
Create an AWS Config rule backed by the AWS managed rule EC2_INSTANCE_MANAGED_BY_SSM, which checks whether each EC2 instance is managed by SSM:
aws configservice put-config-rule --config-rule file://ssm-managed-rule.json
Example `ssm-managed-rule.json`:
{
  "ConfigRuleName": "ec2-ssm-managed-check",
  "Description": "Checks if EC2 instances are managed by SSM",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::EC2::Instance"]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "EC2_INSTANCE_MANAGED_BY_SSM"
  }
}
2. EventBridge Rule for Non-Compliant Instances
Configure an EventBridge rule to trigger when AWS Config reports non-compliance:
aws events put-rule --name "EC2-SSM-NonCompliant" --event-pattern file://event-pattern.json
Example `event-pattern.json` (in a Config Rules Compliance Change event the compliance state is nested under `newEvaluationResult`, so the pattern must match it there rather than at the top of `detail`):
{
  "source": ["aws.config"],
  "detail-type": ["Config Rules Compliance Change"],
  "detail": {
    "configRuleName": ["ec2-ssm-managed-check"],
    "newEvaluationResult": {
      "complianceType": ["NON_COMPLIANT"]
    }
  }
}
3. Lambda Function for Alerts
Deploy a Lambda function (Python) to process EventBridge events and send Slack/email alerts through an SNS topic (the function's execution role needs sns:Publish on that topic):
import boto3

# Create the client once per execution environment, not on every invocation
sns = boto3.client('sns')

def lambda_handler(event, context):
    # In a Config Rules Compliance Change event, detail.resourceId is the EC2 instance ID
    instance_id = event['detail']['resourceId']
    sns.publish(
        TopicArn='arn:aws:sns:us-east-1:123456789012:EC2-SSM-Alerts',  # replace with your topic ARN
        Message=f"EC2 Instance {instance_id} is not managed by SSM!"
    )
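As an added example (not the original post's Lambda), the handler below parses the Config Rules Compliance Change event more defensively: it checks the rule name and the new evaluation result, records the previous state in the alert, and keeps the SNS call injectable so the logic runs without AWS credentials. The helper names (`build_alert`, `WATCHED_RULE`), the `SNS_TOPIC_ARN` environment variable and the sample event are assumptions of this example.

```python
import json
import os
from typing import Callable, Optional

WATCHED_RULE = "ec2-ssm-managed-check"  # must equal the Config rule's ConfigRuleName

def build_alert(event: dict) -> Optional[dict]:
    """Return an alert payload for a NON_COMPLIANT evaluation, else None.
    Checks the *new* evaluation result, so a change back to COMPLIANT (or an
    event from another rule) is dropped even if the EventBridge pattern is loose."""
    detail = event.get("detail", {})
    if detail.get("configRuleName") != WATCHED_RULE:
        return None
    new_result = detail.get("newEvaluationResult", {})
    if new_result.get("complianceType") != "NON_COMPLIANT":
        return None
    previous = detail.get("oldEvaluationResult", {}).get("complianceType", "NOT_EVALUATED")
    return {
        "subject": f"EC2 instance {detail['resourceId']} is not managed by SSM",
        "instance_id": detail["resourceId"],
        "account": event.get("account"),
        "region": event.get("region"),
        "previous_state": previous,
        "evaluated_at": new_result.get("resultRecordedTime"),
    }

def lambda_handler(event, context, publish: Optional[Callable[[str, str], None]] = None):
    """Lambda entry point; `publish` is injectable so the logic is testable offline."""
    alert = build_alert(event)
    if alert is None:
        return {"published": False}
    if publish is None:  # default: SNS via boto3; assumes SNS_TOPIC_ARN is set on the function
        import boto3
        sns, topic = boto3.client("sns"), os.environ["SNS_TOPIC_ARN"]
        publish = lambda subj, body: sns.publish(TopicArn=topic, Subject=subj, Message=body)
    publish(alert["subject"], json.dumps(alert, indent=2))
    return {"published": True, "instance_id": alert["instance_id"]}

# Constructed sample event, shaped like the Config Rules Compliance Change event.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change", "source": "aws.config",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "resourceId": "i-0123456789abcdef0", "resourceType": "AWS::EC2::Instance",
        "configRuleName": "ec2-ssm-managed-check",
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT",
                                "resultRecordedTime": "2024-01-01T00:00:00.000Z"},
    },
}
```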
4. Deploy with AWS CDK
Use CDK (TypeScript, aws-cdk-lib v2) to automate the stack deployment:
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as config from 'aws-cdk-lib/aws-config';
import * as events from 'aws-cdk-lib/aws-events';
import * as targets from 'aws-cdk-lib/aws-events-targets';
import * as lambda from 'aws-cdk-lib/aws-lambda';

export class EC2SSMAlertStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // AWS Config managed rule; the explicit name must match the EventBridge pattern below
    new config.ManagedRule(this, 'SSMManagedRule', {
      configRuleName: 'ec2-ssm-managed-check',
      identifier: 'EC2_INSTANCE_MANAGED_BY_SSM',
    });

    // Lambda function (handler code lives in ./lambda/index.py); grant it sns:Publish on the alert topic
    const alertLambda = new lambda.Function(this, 'AlertLambda', {
      runtime: lambda.Runtime.PYTHON_3_9,
      handler: 'index.lambda_handler',
      code: lambda.Code.fromAsset('lambda'),
    });

    // EventBridge rule: the compliance state is nested under newEvaluationResult in the Config event
    const rule = new events.Rule(this, 'NonCompliantRule', {
      eventPattern: {
        source: ['aws.config'],
        detailType: ['Config Rules Compliance Change'],
        detail: {
          configRuleName: ['ec2-ssm-managed-check'],
          newEvaluationResult: { complianceType: ['NON_COMPLIANT'] },
        },
      },
    });
    rule.addTarget(new targets.LambdaFunction(alertLambda));
  }
}
5. Verify with AWS CLI
Check non-compliant instances:
aws configservice get-compliance-details-by-config-rule --config-rule-name ec2-ssm-managed-check
What Undercode Says
Automating EC2 instance compliance checks with AWS Config, EventBridge, and Lambda ensures proactive management without manual oversight. Extend this solution by:
- Enforcing auto-remediation via SSM Automation.
- Integrating with PagerDuty/SMS for critical alerts.
- Using `aws ec2 describe-instances` to audit instances.
- Adding CloudWatch dashboards for visibility.
Expected Output:
- Slack/email alerts for non-compliant EC2 instances.
- AWS Config compliance reports.
- CDK-deployed event-driven pipeline.
Reference: Alerting for AWS EC2 Instances Not Managed by SSM
Reported By: Darryl Ruggles – Hackers Feeds