Do you need a quick and easy way to inventory EC2 Instances across your organization? Have you tried an Advanced Query for AWS Config?
I can’t remember if I was on a call or “heard” this over email but a comment like this was made, “I’m updating the EC2 inventory spreadsheet.”…..Not knowing anything beyond this comment, my heart immediately went out to that person. I mean, would any of us raise our hands with joyful enthusiasm and take on the “updating the EC2 inventory spreadsheet” task?
In an effort to be helpful to this administrator, I shared the following method of obtaining the EC2 inventory across all Accounts and Regions within the AWS Organization using AWS Config. It’s pretty easy and I hope useful to you.
AWS Control Tower
In this case, the AWS Organization was originally built using AWS Control Tower. Control Tower provides many benefits but specific to this task, AWS Control Tower creates an Aggregator that can be used by AWS Config to run queries against the entire AWS Organization. To quote AWS directly, “an Aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple AWS accounts and Regions into a single account and Region to get a centralized view of your resource inventory and compliance.”
An Aggregator is required to collect the inventory data across the organization and to make it easy for us, AWS Control Tower creates one within the Audit account while building an AWS Organization. Though one can create an Aggregator in the AWS Account of their choosing, its not mandatory, everything needed to run an organization-wide Config query is contained with the Audit account.
The AWS Config Advanced Query
AWS Config allows one to query AWS resources using a standard SQL query editor. The example query below will perform a query of all EC2 Instances contained within the query scope, and extract from them the information found under the SELECT heading.
SELECT
resourceType,
resourceId,
accountId,
configuration.privateIpAddress,
configuration.publicIpAddress,
configuration.instanceType,
configuration.vpcId,
tags,
awsRegion,
configuration.subnetId,
availabilityZone,
configuration.state.name
WHERE
resourceType=’AWS::EC2::Instance’
The data/options that can be used for an AWS Config Advanced Query for EC2 Instances can be found here:
It may be obvious to say that the query itself can be highly customized to extract the exact data needed by an AWS customer but I need to caveat that with a “maybe”. For example, one of the EC2 Instance query options is resourceName….every customer wants this piece of data and for good reason. However, and to date, queries for resourceName returns no data….there’s no error, there’s just no data. I did open a case with AWS Support and was told this is a “global” issue they are working on resolving.
Executing the AWS Config Query
To execute the EC2 Inventory Query:
- Login to the AWS Audit account and launch the AWS Config dashboard
- Click Advanced queries | New query
- Ensure the Query scope is set to aws-controltower-GuardrailsComplianceAggregator and paste in the query above under the New query section.
- The results of the query will be displayed under the Output heading. To export the Output, click Export as | CSV or JSON (whichever format is preferred).
- Open the exported file to review the organization-wide EC2 Instance inventory data.
Closing Thought
AWS makes it easy to get a quick and dirty, organization-wide, EC2 Instance inventory. I didn’t mention it earlier, but be sure to save those beneficial queries by clicking the “Save query” button on the Query editor page in order to easily run them over and over and over. I hope this simple process helps all of those assigned the unappreciated task of managing the EC2 inventory spreadsheet and if any reader(s) have used AWS Config to create some amazing queries, virtualBonzo, and others I’m sure, would love to hear about them!
Thanks great article and very helpful