
There is a great question here about how to get a list of encrypted disks. I'm currently using the describe-volumes command.

For the record I'm currently using:

aws ec2 describe-volumes --region us-east-1 --filters Name=encrypted,Values=false Name=attachment.status,Values=attached --query "length(Volumes[])"

What I want is to filter that down further to just the instances that are running (i.e. exclude the ones that are stopped).

My question is: How can I get a list of encrypted disks for instances that are running on the AWS CLI?

hawkeye

4 Answers


Here is what I ended up using. Enjoy.

#!/bin/bash
# Running instances only. Instances[*] (not Instances[0]) so that a reservation
# holding several instances is not truncated to its first one.
instances=`aws ec2 describe-instances --region us-east-1 --filters Name=instance-state-name,Values=running --query "Reservations[*].Instances[*].InstanceId" --output text`

for instance in $instances;
do
  # Number of volumes attached to this instance, and its Name tag
  count=`aws ec2 describe-volumes --filters Name=attachment.status,Values=attached Name=attachment.instance-id,Values=$instance --query "Volumes[]" | jq -r 'length'`
  name=`aws ec2 describe-tags --filters Name=resource-id,Values=$instance Name=key,Values=Name --query "Tags[].Value" | jq -r '.[0]'`
  if [ "$count" -gt 0 ]; then
    START=0
    END=$count
    for ((i=START; i<END; i++))
    do
       #echo "i: $i"
       encrypted=`aws ec2 describe-volumes --filters Name=attachment.status,Values=attached Name=attachment.instance-id,Values=$instance --query "Volumes[]" | jq -r ".[$i].Encrypted"`
       volumeid=`aws ec2 describe-volumes --filters Name=attachment.status,Values=attached Name=attachment.instance-id,Values=$instance --query "Volumes[]" | jq -r ".[$i].VolumeId"`
       echo "$instance $name Volumes: $count VolumeId: $volumeid Encrypted: $encrypted"
    done
  fi
done
hawkeye

I'm not sure if you can do this without a loop. But you should be able to run the below in bash and get the right output:

# Instances[*] rather than Instances[0], so a reservation holding several instances is not truncated to its first one
instances=`aws ec2 describe-instances --region us-east-1 --filters Name=instance-state-name,Values=running --query "Reservations[*].Instances[*].InstanceId" --output text`

for instance in $instances;
do
   aws ec2 describe-volumes --region us-east-1 --filters Name=encrypted,Values=true Name=attachment.status,Values=attached Name=attachment.instance-id,Values=$instance --query "Volumes[]"
done

This will return all information on the volumes. For the ID you can change the describe-volumes line to:

aws ec2 describe-volumes --filters Name=encrypted,Values=false Name=attachment.status,Values=attached Name=attachment.instance-id,Values=$instance --query "Volumes[].Attachments[].VolumeId"
Alex Baily

This can be done using the AWS CLI:

aws ec2 describe-volumes --query Volumes[*].VolumeId --filters Name=encrypted,Values=true
Bruce Becker

Below are Bash script functions based on awscli to get the AWS EBS volume encryption state for different scenarios.

NOTE1: uses your IAM profile and covers what is currently running.

Source (public GitHub gist): https://gist.github.com/exequielrafaela/4cce5cf7198d5f239153e339587ab392

NOTE2: you'll find other Bash scripts there for some usual Sec & Audit validations.

#!/bin/bash

#
# Bash script functions based on awscli to get AWS EBS volumes encryption state for different scenarios,
# for your IAM profile, covering instances that are currently running
#

#
# Your AWS IAM profile here (~/.aws/credentials & ~/.aws/config).
#
AWS_IAM_PROFILE="your-aws-iam-profile-here"

#
# AWS EBS attachment status -> attached || detached
#
AWS_EBS_ATTACHMENT_STATUS="attached"


#=========================================#
# Functions                               #
#=========================================#
func_aws_ec2_ebs_list_encrypted(){
    #
    # Get all running AWS EC2 instances accessible via your ${AWS_IAM_PROFILE} role.
    # Instances[*] (not Instances[0]) so reservations holding several instances are not truncated.
    #
    instances=`aws ec2 describe-instances --region us-east-1 \
    --filters Name=instance-state-name,Values=running \
    --query "Reservations[*].Instances[*].InstanceId" \
    --output text \
    --profile ${AWS_IAM_PROFILE}`

    #
    # Iterate over the Instances list and present:
    # echo "${instance} $name Volumes: $count VolumeId: $volumeid Encrypted: $encrypted"
    # eg: i-111111111111111 Jenkins Volumes: 2 VolumeId: vol-111111111111111 Encrypted: false
    #
    echo "#===============================================#"
    echo "# EBS Volumes attached to running EC2 Instances #"
    echo "#===============================================#"
    for instance in ${instances};
    do
      count=`aws ec2 describe-volumes --profile ${AWS_IAM_PROFILE} \
      --filters Name=attachment.status,Values=${AWS_EBS_ATTACHMENT_STATUS} Name=attachment.instance-id,Values=${instance} \
      --query "Volumes[]"  | jq  -r '. | length';`

      name=`aws ec2 describe-tags --profile ${AWS_IAM_PROFILE} \
      --filters Name=resource-id,Values=${instance} Name=key,Values=Name \
      --query Tags[].Value | jq -r '.[0]'`

      if [[ ${count} -gt 0 ]]; then
        START=0
        END=${count}
        for ((i=START; i<END; i++))
        do
           #echo "i: $i"
           encrypted=`aws ec2 describe-volumes --profile ${AWS_IAM_PROFILE} \
           --filters Name=attachment.status,Values=${AWS_EBS_ATTACHMENT_STATUS} Name=attachment.instance-id,Values=${instance} \
           --query "Volumes[]"  | jq  -r ".[$i].Encrypted";`

           volumeid=`aws ec2 describe-volumes --profile ${AWS_IAM_PROFILE} \
           --filters Name=attachment.status,Values=${AWS_EBS_ATTACHMENT_STATUS} Name=attachment.instance-id,Values=${instance} \
           --query "Volumes[]"  | jq  -r ".[$i].VolumeId";`

           echo "EC2: ${instance} $name Volumes: $count EbsVolumeId: $volumeid Encrypted: $encrypted "
        done
      fi
    done
}

func_aws_ebs_list_encrypted(){
    echo ""
    echo "#==============================================#"
    echo "# All EBS Volumes                              #"
    echo "#==============================================#"
    #
    # Count the volumes directly with jq 'length' on the Volumes array
    # (the previous ".[].VolumeId | length | wc -l" only worked by accident,
    # counting one output line per VolumeId string length).
    #
    ebs_count=`aws ec2 describe-volumes --profile ${AWS_IAM_PROFILE} \
    --query "Volumes[]"  | jq 'length'`

    echo "N° AWS EBS VOLUMES: ${ebs_count}"
    echo ""

    if [[ ${ebs_count} -gt 0 ]]; then
      START=0
      END=${ebs_count}
      for ((i=START; i<END; i++))
      do
        #echo "i: $i"
        ebs_volumeid=`aws ec2 describe-volumes --profile ${AWS_IAM_PROFILE} \
        --query "Volumes[]"  | jq -r ".[$i].VolumeId"`

        ebs_encrypted=`aws ec2 describe-volumes --profile ${AWS_IAM_PROFILE} \
        --query "Volumes[]"  | jq -r ".[$i].Encrypted"`

        echo "EbsVolumeId: ${ebs_volumeid} Encrypted: ${ebs_encrypted}"
      done
    fi
}

#=========================================#
# Main() - Function calls                 #
#=========================================#
func_aws_ec2_ebs_list_encrypted
func_aws_ebs_list_encrypted
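A single-pass alternative to the per-instance loops in the answers above, added here as an example and not part of any answer or of the linked gist: it joins the `--output json` of one `describe-instances` call and one `describe-volumes` call, walks every instance in every reservation, and reports the unencrypted volumes attached to running instances. The file names and the sample responses are constructed.

```python
"""Join the JSON from `aws ec2 describe-instances` and `aws ec2 describe-volumes`
to list EBS volumes attached to running instances and flag the unencrypted ones."""
import json
import sys
# Constructed sample responses, in the shape the CLI prints with --output json.
SAMPLE_INSTANCES = {"Reservations": [
    {"Instances": [  # two instances in one reservation: Instances[0] would miss i-0bbb
        {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "web-1"}]},
        {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "Tags": []}]},
    {"Instances": [{"InstanceId": "i-0ccc", "State": {"Name": "stopped"}, "Tags": [{"Key": "Name", "Value": "old-db"}]}]},
]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-1", "Encrypted": True,  "Attachments": [{"InstanceId": "i-0aaa", "State": "attached"}]},
    {"VolumeId": "vol-2", "Encrypted": False, "Attachments": [{"InstanceId": "i-0aaa", "State": "attached"}]},
    {"VolumeId": "vol-3", "Encrypted": False, "Attachments": [{"InstanceId": "i-0bbb", "State": "attached"}]},
    {"VolumeId": "vol-4", "Encrypted": False, "Attachments": [{"InstanceId": "i-0ccc", "State": "attached"}]},
    {"VolumeId": "vol-5", "Encrypted": False, "Attachments": []},  # detached: never reported
]}

def running_instances(instances_resp):
    """InstanceId -> Name tag for every running instance, across all reservations."""
    running = {}
    for res in instances_resp["Reservations"]:
        for inst in res["Instances"]:
            if inst["State"]["Name"] == "running":
                tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
                running[inst["InstanceId"]] = tags.get("Name", "")
    return running

def volumes_on_running(instances_resp, volumes_resp, only_unencrypted=False):
    """(instance_id, name, volume_id, encrypted) per volume attached to a running instance."""
    running = running_instances(instances_resp)
    rows = []
    for vol in volumes_resp["Volumes"]:
        for att in vol.get("Attachments", []):
            iid = att["InstanceId"]
            if att["State"] == "attached" and iid in running and not (only_unencrypted and vol["Encrypted"]):
                rows.append((iid, running[iid], vol["VolumeId"], vol["Encrypted"]))
    return sorted(rows)

if __name__ == "__main__":
    # Usage: python3 ebs_audit.py instances.json volumes.json, where the files are the
    # --output json of describe-instances and describe-volumes; with no args, uses the sample.
    if len(sys.argv) == 3:
        inst, vols = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        inst, vols = SAMPLE_INSTANCES, SAMPLE_VOLUMES
    for iid, name, vid, enc in volumes_on_running(inst, vols, only_unencrypted=True):
        print(f"{iid} {name} VolumeId: {vid} Encrypted: {enc}")
```

Two API calls per region regardless of fleet size, and the stopped-instance volume (vol-4) and the detached one (vol-5) drop out without any per-instance filtering.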