Check for Patch Compliance for EC2 instance in multiple AWS environments?

- 

#!/bin/bash

# List of AWS profiles
profiles=("profile1" "profile2" "profile3" "profile4")

# Iterate through each AWS profile
for profile in "${profiles[@]}"; do
    echo "Executing commands with AWS profile: $profile"

    # Set the AWS profile for the current iteration
    export AWS_PROFILE="$profile"

    # Step 0: Get all regions in the AWS account.
    for region_name in $(aws ec2 describe-regions --query "Regions[].{Name:RegionName}" --output text); do
        echo "Checking the region: $region_name"

        # Step 1: Get List of Instances in the Region
        instances_info=$(aws ec2 describe-instances --region "$region_name" --query 'Reservations[].Instances[].[InstanceId, Tags[?Key==`Name`].Value | [0]]' --output text)

        # Step 2: Loop Through Instances
        IFS=$'\n'
        for instance in $(echo "${instances_info}"); do
            instance_id=$(echo "${instance}" | awk '{print $1}')
            instance_name=$(echo "${instance}" | awk '{print $2}')

            # Step 3: Check Patch Compliance and update status
            cstatus=$(aws ssm list-compliance-items --resource-id "${instance_id}" --region "$region_name" | awk 'NR > 1 {print}')

            if [[ "$cstatus" != *"COMPLIANT"* && "$cstatus" != *"NON_COMPLIANT"* ]]; then
                cstatus="NOT REPORTED"
            elif [[ "$cstatus" == *"NON_COMPLIANT"* ]]; then
                # Step 4: Check patch non-compliance count
                ncpcount=$(echo -e "$cstatus" | grep -i NON_COMPLIANT | wc -l)
                cstatus="NON_COMPLIANT"
            elif [[ "$cstatus" == *"COMPLIANT"* && "$cstatus" != *"NON_COMPLIANT"* ]]; then
                cstatus="COMPLIANT"
            elif [ -z "$cstatus" ]; then
                cstatus="CHECK FAILED"
            else
                cstatus="UNKNOWN"
            fi

            # Step 5: Store Information in CSV File
            echo "${instance_id},${instance_name},${region_name},${cstatus},${ncpcount:-0}" >> compliance_info.csv
            unset cstatus
            unset ncpcount
        done
    done
    echo "+++++++++++++ Completed on the AWS Account: $profile +++++++++++++++++++++++++++++"
done

Comments

Post a Comment

Popular posts from this blog

Logical volume vmxxxx_img is used by another device - Error on LVM removal

-
Hi Folks, I've faced error while trying to remove an LVM from the server. The exact LVM error will be "Logical volume vmxxxx_img is used by another device" on executing the lvremove command. Feel free to remove the following steps to remove the LVM from the server. Note: Please remember to replace <id> with your  VMID in the below section. ---------------------------------------------------------- dmsetup ls dmsetup info -c xen-vm<id>_img dmsetup remove xen-vm<id>_img lvremove -f /dev/xen/vm<id>_img ----------------------------------------------------------
Read more

DNS - A simple explanation.

-
Hi All, Let me try to throw some pebbles regarding the DNS, one of the simplest concepts on the internet, but if explained properly, it can go into a high level of complexity. DNS is something which is used to identify the devices which are connected to the internet.Before jumping into the concept of DNS, I hope everyone who is reading this chapter is aware of IP Adress. If not, IP Address or in short IP is a set of numbers and symbols used to identify machines connected on the internet. So we already have IP so you might be thinking what is the need of DNS in the world?? Well, that is the problem with the humans, we are good with names but not so good with the numbers. To overcome this problem, we are using DNS. Domain Name System in the point of view of a System Administrator is something unavoidable when it comes to hosting the websites on the server. The simple concept of how it works is explained in my propensity as shown below. When a website is accessed on a web b...
Read more

Cheat sheet for Hardware RAID health check - Megaraid, Adaptec, 3wareraid and HPraid.

-
Hi Folks, In another post " raid type " I've mentioned how to find if the server is running with Software or Hardware RAID. Here, we can go ahead and check the health of the Hardware RAID array in the server. The first thing we need to detect is the controller in which the raid is configured and you can easily get it from the another post that I mentioned earlier. However, I'm providing it here again for your convenience. 1. Login to the server as the root user. 2. Execute the following command. /sbin/lspci -vv | grep -i raid 3. This will show the raid controller running on the server. The different types of controller I've worked with includes a. Megaraid which uses megacli b. Adaptec which uses arcconf . c. 3ware raid which uses tw_cli d. HPraid which uses hpacucli . How to check the Megaraid array health status? The Megaraid is usually installed in the /opt/MegaRAID and you can execute the following command to verify the health of the arr...
Read more