1. Solution Objective:
The solution provides a detailed report of hard disk space usage for all Windows EC2 instances in the AWS environment.
2. Requirements:
The solution should be able to fulfil the requirements below.
- Gather information about all mount points on all Windows EC2 instances in the environment.
- Generate a cumulative report covering all instances in the environment.
3. Assumptions:
The following assumptions are made:
- All EC2 instances have the SSM agent installed.
- The personnel responsible for the configuration have some understanding of IAM roles, S3 buckets and Lambda functions.
4. Solution Description:
The following components will be utilized to generate the report:
- PowerShell script
- AWS S3
- AWS Lambda
- AWS IAM Roles
- AWS SES
- SSM Maintenance Windows
4.1 PowerShell Script
A PowerShell script will be used to gather the instance id and the space utilization of each mount point.
The script below needs to be executed on all Windows EC2 instances to generate the mount point information.

```powershell
# Instance id from the EC2 instance metadata service; printed as the first line of the output
$instanceId = Invoke-WebRequest -Uri http://169.254.169.254/latest/meta-data/instance-id -UseBasicParsing
$instanceId.Content
# Logical disk sizes in bytes. Used and PlaceHolder are not Win32_LogicalDisk properties,
# so they render as empty columns; the data rows therefore contain DeviceID, Size, FreeSpace, VolumeName.
Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID,Size,Used,FreeSpace,PlaceHolder,VolumeName | Format-Table -AutoSize
```
4.2 AWS S3
The output of the PowerShell script will be posted to an S3 bucket for further use.
The EC2 instances will need write access to the nominated S3 bucket.
S3 Bucket Name: eomreport (sample name)
4.3 AWS Lambda Functions
Lambda functions will be used to perform the following activities:
- Acquire the output of the PowerShell script from the S3 bucket
- Generate a report
- Email the report to the relevant recipient
The Lambda function needs read access to the S3 bucket and access to AWS SES to send emails to recipients.
The Lambda function below performs the tasks mentioned above.

```python
import boto3


def lambda_handler(event, context):
    s3 = boto3.resource('s3')
    # Bucket that the Run Command output is written to (section 4.2 uses the sample name eomreport)
    mybucket = s3.Bucket('diskspacewindows')
    resulthtml = ['<html><body><h1>Report : Hard disk Space Client Name </h1>']  # heading for the email body
    resulthtml.append('<table border="1">')  # creates the table
    resulthtml.append('<tr><td><b>InstanceID</b></td><td><b>Drive Letter</b></td>'
                      '<td><b>FreeSpace</b></td><td><b>Total Space</b></td></tr>')
    for file_key in mybucket.objects.all():
        # Run Command stores each instance's script output under a key that ends in "stdout"
        if "stdout" not in file_key.key:
            continue
        body = file_key.get()['Body'].read().decode('utf-8')
        complete = body.splitlines()  # splits the output into lines
        instance_id = complete[0]     # first line printed by the script is the instance id
        details = complete[4:]        # skip the blank line, the table header and the separator
        resulthtml.append("<tr><td>{}</td><td></td><td></td><td></td></tr>".format(instance_id))
        for line in details:
            output_word = line.split()
            # Tokens are DeviceID, Size, FreeSpace (Used and PlaceHolder are empty columns).
            # A drive without media (e.g. an empty CD-ROM) prints only its DeviceID, so require all three.
            if len(output_word) >= 3:
                resulthtml.append("<tr><td></td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
                    output_word[0], output_word[2], output_word[1]))
    resulthtml.append('</table></body></html>')
    final = "".join(resulthtml)
    print(final)

    sender = "syed.naqvi@kloud.com.au"
    recipient = "syed.naqvi@kloud.com.au"
    awsregion = "us-east-1"
    subject = "Client Hard Disk Space - Windows "
    charset = "UTF-8"
    mylist = "mylist update"  # plain-text alternative body
    client = boto3.client('ses', region_name=awsregion)
    try:
        response = client.send_email(
            Destination={'ToAddresses': [recipient]},
            Message={
                'Body': {
                    'Html': {'Charset': charset, 'Data': final},
                    'Text': {'Charset': charset, 'Data': mylist},
                },
                'Subject': {'Charset': charset, 'Data': subject},
            },
            Source=sender,
        )
    except Exception as e:  # display an error if something goes wrong
        print("Error: ", e)
    else:
        print("Email sent!", response['MessageId'])
```
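As an added example (not the post's own Lambda code), the following Python parses the stdout format produced by the section 4.1 script by column position, taken from the Format-Table separator line, rather than by fixed line and token offsets, so a drive without media or an empty volume name does not break the report, and it flags drives whose free space falls under a threshold. The sample stdout, the threshold and the highlight colour are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the section 4.1 script's stdout: instance id, then the
# Format-Table -AutoSize output ("Used"/"PlaceHolder" are not real properties,
# so those columns are empty; E: is an empty CD-ROM drive with no Size).
SAMPLE_STDOUT = (
    "i-0123456789abcdef0\n\n"
    "DeviceID         Size Used    FreeSpace PlaceHolder VolumeName\n"
    "--------         ---- ----    --------- ----------- ----------\n"
    "C:       107374182400       21474836480             Windows\n"
    "D:       536870912000       26843545600             Data\n"
    "E:\n\n"
)
LOW_FREE_PCT = 10.0  # assumed threshold: flag drives with less free space

def _column_spans(separator: str) -> List[Tuple[int, Optional[int]]]:
    # Format-Table right-aligns numbers, so a column runs from the end of the
    # previous dash run to the end of its own; the last column runs to line end.
    ends = [m.end() for m in re.finditer(r"-+", separator)]
    return [(0 if i == 0 else ends[i - 1], None if i == len(ends) - 1 else e)
            for i, e in enumerate(ends)]

def parse_stdout(text: str) -> Tuple[str, List[Dict]]:
    """Return (instance_id, drive rows) for one Run Command stdout object."""
    lines = text.splitlines()
    instance_id = next(l.strip() for l in lines if l.strip())
    hdr = next(i for i, l in enumerate(lines) if "DeviceID" in l)
    names, spans = lines[hdr].split(), _column_spans(lines[hdr + 1])
    rows = []
    for line in filter(str.strip, lines[hdr + 2:]):
        cell = {n: line[s:e].strip() for n, (s, e) in zip(names, spans)}
        size = int(cell["Size"]) if cell["Size"].isdigit() else None
        free = int(cell["FreeSpace"]) if cell["FreeSpace"].isdigit() else None
        pct = round(100.0 * free / size, 1) if size and free is not None else None
        rows.append({"device": cell["DeviceID"], "size": size, "free": free,
                     "pct_free": pct, "low": pct is not None and pct < LOW_FREE_PCT})
    return instance_id, rows

def render_report(reports: List[Tuple[str, List[Dict]]]) -> str:
    # HTML table for the SES body; drives under the threshold are highlighted.
    gb = lambda n: "n/a" if n is None else f"{n / 2**30:.1f} GB"
    out = ['<html><body><h1>Report : Hard disk Space</h1><table border="1">',
           "<tr><th>InstanceID</th><th>Drive</th><th>Free</th><th>Total</th><th>Free %</th></tr>"]
    for instance_id, rows in reports:
        for r in rows:
            style = ' style="background:#f99"' if r["low"] else ""
            pct = "n/a" if r["pct_free"] is None else f"{r['pct_free']}%"
            out.append(f"<tr{style}><td>{instance_id}</td><td>{r['device']}</td>"
                       f"<td>{gb(r['free'])}</td><td>{gb(r['size'])}</td><td>{pct}</td></tr>")
    return "".join(out) + "</table></body></html>"
```

In the Lambda, `parse_stdout` would be called once per `stdout` object and the collected `(instance_id, rows)` pairs passed to `render_report` to produce the SES HTML body.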
4.4 AWS IAM Roles
Roles will be used to grant:
- AWS S3 write access to all EC2 instances, as they will submit the script output to the S3 bucket
- AWS SES access to the Lambda function to send emails to the relevant recipients
4.5 AWS SES
Amazon Simple Email Service (Amazon SES) evolved from the email platform that Amazon.com created to communicate with its own customers. In order to serve its ever-growing global customer base, Amazon.com needed to build an email platform that was flexible, scalable, reliable, and cost-effective. Amazon SES is the result of years of Amazon's own research, development, and iteration in the areas of sending and receiving email. (Ref. https://aws.amazon.com/ses/)
We will be utilizing AWS SES to send the emails generated by AWS Lambda.
The configuration of the Lambda function can be modified to send the report to a distribution group, or to send emails to a ticketing system so that an alert and a ticket are created when a drive's free space crosses a configured threshold.
5. Solution Configuration
5.1 Configure IAM Roles
The following roles should be configured:
- IAM role for the Lambda function
- IAM role for the EC2 instances for S3 bucket access
5.1.1 Role for Lambda Function
The Lambda function needs the following access:
- Read data from the S3 bucket
- Send emails using Amazon SES
To accomplish the above, create the following policy and attach it to the IAM role. The function lists the bucket before reading each object, so s3:ListBucket on the bucket ARN is required alongside s3:GetObject on the objects.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1501474857000",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::S3BucketName/*",
        "arn:aws:s3:::S3BucketName"
      ]
    },
    {
      "Sid": "Stmt1501474895000",
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
5.1.2 Role for EC2 Instances
All EC2 instances should have access to store the script output in the S3 bucket.
To accomplish the above, assign the following policy to the EC2 role. s3:PutObject applies to objects, so the resource must be the object ARN (bucket/*) rather than the bucket ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1501475224000",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::eomreport/*"
      ]
    }
  ]
}
```
5.2 Configure Maintenance Window
The following tasks need to be performed for the maintenance window:
- Register a Run Command task using the Run PowerShell Script document (AWS-RunPowerShellScript) with the script in section 4.1, with its output written to the S3 bucket from section 4.2
- Register targets based on the requirements
- Select the schedule based on your requirement
Maintenance Window Ref :
http://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
5.3 Configure Lambda Function
The following tasks need to be performed for the Lambda function:
- Create a blank Lambda function with the S3 put event as the trigger
- Click on Next
- Enter the name and description
- Select the runtime Python 3.6
- Copy and paste the Lambda function from section 4.3
5.4 Configure AWS SES
The following tasks need to be completed before the Run Command is executed:
- The email addresses should be added to the AWS SES section of the tenant.
- The email addresses should be verified.
6. Result:
Based on the above configuration, whenever the Run Command is executed, the following report is generated and sent to the nominated email account.