AWS Config advanced query to list the AMI name and AMI OS version details of all AMIs used by compute instances in my tenancy

0

I had gone through all the advanced queries under the AWS Config service to generate a report with AMI names, operating system and OS version details of all AMIs used by compute instances in my tenancy, but I could not find any queries for it. Is there a way to generate a report capturing AMI details in detail?

Under the configuration columns I only see AMI ID and Operating System; beyond that I can't find any further details of the AMI.
asked 2 years ago, 2269 views
1 Answer
1

Hello,

Firstly, I would like to mention that AWS Config records the configuration details of an EC2 instance in the following format:

{
  "version": "1.3",
  "accountId": "123456789012",
  "configurationItemCaptureTime": "2022-03-26T01:49:17.440Z",
  "configurationItemStatus": "OK",
  "configurationStateId": "1648259357440",
  "configurationItemMD5Hash": "",
  "arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-02asdhgasdhg5d3",
  "resourceType": "AWS::EC2::Instance",
  "resourceId": "i-i-02aXXXXXXXXd3",
  "awsRegion": "us-east-1",
  "availabilityZone": "us-east-1b",
  "resourceCreationTime": "2022-03-26T01:45:35.000Z",
  "tags": {
    "Name": "TestEC2"            
  },
  "relatedEvents": [],
  "relationships": [
    {
      "resourceType": "AWS::EC2::Volume",
      "resourceId": "vol-0eXXXXXXXXXXXXXXX76",
      "relationshipName": "Is attached to Volume"
    },
    {
      "resourceType": "AWS::EC2::Subnet",
      "resourceId": "subnet-5bXXXXXa",
      "relationshipName": "Is contained in Subnet"
    },
    {
      "resourceType": "AWS::EC2::VPC",
      "resourceId": "vpc-dXXXXXX9",
      "relationshipName": "Is contained in Vpc"
    },
    {
      "resourceType": "AWS::EC2::NetworkInterface",
      "resourceId": "eni-0aXXXXXXXXXXXXX42",
      "relationshipName": "Contains NetworkInterface"
    },
    {
      "resourceType": "AWS::EC2::EIP",
      "resourceId": "eipalloc-02XXXXXXXXXXXXXde",                
      "relationshipName": "Is attached to ElasticIp"
    },
    {
      "resourceType": "AWS::EC2::SecurityGroup",
      "resourceId": "sg-0XXXXXXXXXXX08",
      "relationshipName": "Is associated with SecurityGroup"
    }
  ],
  "configuration": {
    "amiLaunchIndex": 0,
    "imageId": "ami-03eXXXXXXXXXXeb",
    "instanceId": "i-02asdhgasdhg5d3",
    "instanceType": "t2.micro",
    "keyName": "linux-us",
    "launchTime": "2022-03-26T01:45:35.000Z",
    "monitoring": {
      "state": "disabled"
    },
    "placement": {
      "availabilityZone": "us-east-1b",
      "groupName": "",
      "tenancy": "default"
    },
    "privateDnsName": "ip-172-XX-XX-18.ec2.internal",
    "privateIpAddress": "172.XX.XX.18",
    "productCodes": [],
    "publicDnsName": "ec2-18-XX-XX-108.compute-1.amazonaws.com ",
    "publicIpAddress": "18.XX.XXX.108",
    "state": {
      "code": 16,
      "name": "running"
    },
    "stateTransitionReason": "",
    "subnetId": "subnet-5XXXXXXa",
    "vpcId": "vpc-dXXXXXX9",
    "architecture": "x86_64",
    "blockDeviceMappings": [
      {
        "deviceName": "/dev/xvda",
        "ebs": {
          "attachTime": "2022-03-26T01:45:36.000Z",
          "deleteOnTermination": true,
          "status": "attached",
          "volumeId": "vol-0e8XXXXXXXXXX76"
        }
      }
    ],
    "clientToken": "",
    "ebsOptimized": false,
    "enaSupport": true,
    "hypervisor": "xen",
    "elasticGpuAssociations": [],
    "elasticInferenceAcceleratorAssociations": [],
    "networkInterfaces": [
      {
        "association": {
          "ipOwnerId": "123456789012",
          "publicDnsName": "ec2-18-XX-XXX-108.compute-1.amazonaws.com ",
          "publicIp": "18.XX.XXX.108"
        },
        "attachment": {
          "attachTime": "2022-03-26T01:45:35.000Z",
          "attachmentId": "eni-attach-1234567890120d",
          "deleteOnTermination": true,
          "deviceIndex": 0,
          "status": "attached",
          "networkCardIndex": 0
        },
        "description": "",
        "groups": [
          {
            "groupName": "launch-wizard-14",
            "groupId": "sg-12XXXXXXXX12"
          }
        ],
        "ipv6Addresses": [],
        "macAddress": "12:XX:XX:XX:XX:8f",
        "networkInterfaceId": "eni-0adXXXXXXXXXX42",
        "ownerId": "123456789012",
        "privateDnsName": "ip-172-XX-XX-18.ec2.internal",
        "privateIpAddress": "172.XX.XX.18",
        "privateIpAddresses": [
          {
            "association": {
              "ipOwnerId": "123456789012",
              "publicDnsName": "ec2-18-XX-XXX-108.compute-1.amazonaws.com ",
              "publicIp": "18.XX.XXX.108"
            },
            "primary": true,
            "privateDnsName": "ip-172-XX-XX-18.ec2.internal",
            "privateIpAddress": "172.XX.XX.18"
          }
        ],
        "sourceDestCheck": true,
        "status": "in-use",
        "subnetId": "subnet-5XXXXXXa",
        "vpcId": "vpc-dXXXXXX9",
        "interfaceType": "interface"
      }
    ],
    "rootDeviceName": "/dev/xvda",
    "rootDeviceType": "ebs",
    "securityGroups": [
      {
        "groupName": "launch-wizard-14",
        "groupId": "sg-123456789012"
      }
    ],
    "sourceDestCheck": true,
    "tags": [
      {
        "key": "Name",
        "value": "TestEC2"
      }
    ],
    "virtualizationType": "hvm",
    "cpuOptions": {
      "coreCount": 1,
      "threadsPerCore": 1
    },
    "capacityReservationSpecification": {
      "capacityReservationPreference": "open"
    },
    "hibernationOptions": {
      "configured": false
    },
    "licenses": [],
    "metadataOptions": {
      "state": "applied",
      "httpTokens": "optional",
      "httpPutResponseHopLimit": 1,
      "httpEndpoint": "enabled"
    },
    "enclaveOptions": {
      "enabled": false
    }
  },
  "supplementaryConfiguration": {},
  "resourceTransitionStatus": "None"
}

Now, using the configuration history of an instance, we can determine which Amazon Machine Image (AMI) it is based on with an Advanced query like the one below:

SELECT
  resourceId,
  configuration.imageId,
  configuration.platform
WHERE
  resourceType = 'AWS::EC2::Instance'

Output:

resourceId      configuration.imageId   configuration.platform
i-0eXXXXXX3b    ami-0a11XXXXX8bd94      windows
i-07XXXX5156    ami-0ed9XXXXX570c9      -          <----- Linux System
i-0e5XXXXXa81   ami-01b1XXXXXXc8cd      windows

Important Note - Any information present in a nested array will not be possible to retrieve because AWS Config Advanced Query does not support nested structures [2].


Secondly, considering the supported resource types for Config, under Amazon Elastic Compute Cloud [4], there is no Resource Type for Image/AMI specifically, and hence we cannot get the information using Advanced query. Advanced query essentially queries Configuration Items (CIs), so you can query only what Config records. Please feel free to check our AWS GitHub Resource Schema for Resource Types here [5] for more information.

To summarize: EC2 AMIs and snapshots are currently not supported as resource types to be recorded by AWS Config. We do have a feature request to support AMI as a resource type and I have added your voice to this feature request. Since Premium Support has no visibility into the process, I cannot provide an ETA as to when this feature will be implemented. However, you may stay updated through our What's New [7] and Blog [8] pages on such feature release news.


Thirdly, in the above scenario, it is observed that ‘configuration.platform’ does not return proper values for Linux servers but returns “windows” for Windows instances.

On researching internally, I found that EC2 does not currently populate the platform for Linux instances from the DescribeInstances API. As a result, the query configuration.platform does not return such information.

AWS is tracking the issue as there is an existing feature request to return the platform value for Linux instances. I can understand the inconvenience of not seeing the full picture of your EC2 instances. So, I have added this query to the request to represent your voice regarding the need for this feature.

Also, please note that I can't provide you with an ETA for when the feature will be released as the Premium Support team doesn't have visibility into service team roadmap planning. However, when it's released, it should be announced in the AWS What's New blog [7] or AWS Announcements Blog [8].

As a workaround, you can leverage the retrieved “configuration.imageId” value, and use it with the EC2 API - “describe-images” [6] to get more information about the image. This call would describe the image ids specified, including the platform details. I understand this workaround involves using commands outside of Config advanced query. So, I hope it does help toward your use case a bit.


Finally, I would also highly recommend checking out our AWS Knowledge Center article on "How can I find the OS platform or version my EC2 Linux instance is using?" [9] for exploring other alternative solutions, such as using the AWS Systems Manager service.

I hope the above shared information is insightful to your query. Please feel free to reply to this thread or create a support case with our team if you would like to discuss any further details. Also, please make sure that you do not post any sensitive information over re:Post since this is a public platform.


References:

[1] AWS::EC2::Instance.properties - https://github.com/awslabs/aws-config-resource-schema/blob/master/config/properties/resource-types/AWS::EC2::Instance.properties.json

[2] Nested structure limitation - https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html#:~:text=No%20support%20for%20nested%20structures

[3] https://aws.amazon.com/premiumsupport/knowledge-center/ec2-linux-find-os-platform-or-version/

[4] https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html

[5] https://github.com/awslabs/aws-config-resource-schema/tree/master/config/properties/resource-types

[6] https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html

[7] What's New at AWS - https://aws.amazon.com/new/

[8] AWS Announcements Blog - https://aws.amazon.com/blogs/aws/category/announcements/

[9] https://aws.amazon.com/premiumsupport/knowledge-center/ec2-linux-find-os-platform-or-version/

AWS
SUPPORT ENGINEER
Yash_C
answered 2 years ago
  • This is an excellent response, thank you! Do you have any update regarding the missing platform population if the EC2 instance is running Linux?
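
The workaround described in the answer (take `configuration.imageId` from the advanced query, then look each AMI up with describe-images), as an added example that is not part of the original answer or AWS's own code. The function names and sample records are constructed for illustration; the live path in `collect` assumes boto3 with credentials allowed to call `config:SelectResourceConfig` and `ec2:DescribeImages`.

```python
import json

QUERY = ("SELECT resourceId, configuration.imageId, configuration.platform "
         "WHERE resourceType = 'AWS::EC2::Instance'")

# Constructed sample data (not real resources): Config returns each row as a JSON string.
SAMPLE_RESULTS = [
    '{"resourceId": "i-0aaa0000000000001", "configuration": {"imageId": "ami-0aaaaaaaaaaaaaaa1", "platform": "windows"}}',
    '{"resourceId": "i-0aaa0000000000002", "configuration": {"imageId": "ami-0bbbbbbbbbbbbbbb2"}}',
    '{"resourceId": "i-0aaa0000000000003", "configuration": {"imageId": "ami-0ccccccccccccccc3"}}',
]
SAMPLE_IMAGES = [  # shaped like the "Images" list of a describe-images response
    {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "Name": "example-windows-base", "PlatformDetails": "Windows"},
    {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "Name": "example-linux-base", "PlatformDetails": "Linux/UNIX"},
]

def parse_config_rows(results):
    """Map instance id -> AMI id from the advanced-query result rows."""
    rows = {}
    for raw in results:
        item = json.loads(raw)
        rows[item["resourceId"]] = item.get("configuration", {}).get("imageId")
    return rows

def build_report(instance_to_ami, images):
    """Join instances to AMI records; AMIs EC2 did not return are flagged unresolved."""
    by_id = {img["ImageId"]: img for img in images}
    report = []
    for instance_id, ami_id in sorted(instance_to_ami.items()):
        img = by_id.get(ami_id, {})
        report.append({"instance": instance_id, "ami": ami_id,
                       "ami_name": img.get("Name"),
                       "platform_details": img.get("PlatformDetails"),
                       "resolved": bool(img)})
    return report

def collect(region, batch=100):
    """Live path: page through the Config query, then describe the distinct AMIs."""
    import boto3  # imported here so the offline functions above need no SDK
    config = boto3.client("config", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    results, kwargs = [], {"Expression": QUERY, "Limit": 100}
    while True:
        page = config.select_resource_config(**kwargs)
        results += page["Results"]
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    mapping = parse_config_rows(results)
    ami_ids = sorted({a for a in mapping.values() if a})
    images = []
    for i in range(0, len(ami_ids), batch):  # batch size is this example's choice
        # Filtering on image-id: IDs that do not resolve are simply absent from the response.
        images += ec2.describe_images(
            Filters=[{"Name": "image-id", "Values": ami_ids[i:i + batch]}])["Images"]
    return build_report(mapping, images)
```

Rows with `resolved` set to false are instances whose AMI is not visible to the calling account, which is worth reviewing separately in a patch or vulnerability inventory.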
