ministryofjustice/modernisation-platform

Follow-up to run ECS/EKS AMI monitoring script

Opened this issue · 2 comments

User Story

As a MP engineer
I want to monitor the versions of ECS/EKS-optimised AMIs in use by members' clusters
So that I can notify members when their AMIs are outdated

Value / Purpose

Following on from #7189, this issue is to run the ECS/EKS AMI script. Any accounts found using outdated AMIs should be flagged, and the relevant teams should be notified. Analytical Platform and data-platform-apps-and-tools can be ignored.
Additionally, it can be recommended that teams consider using the SSM Parameter resolve syntax to automatically reference the latest ECS/EKS AMI. This approach ensures that instances always launch with the latest AMI, eliminating the need to manually update or re-apply Terraform when using a data call.
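One way to apply the resolve-syntax recommendation, as an added example that is not code from the modernisation-platform repository: the pinned-AMI launch template is shown beside one whose `image_id` is resolved from the public SSM parameter at launch time. The resource names, the `t3.medium` instance type and the `var.subnet_ids` variable are assumptions; the AMI ID in the "before" block is a placeholder.

```hcl
# Added example, not taken from the modernisation-platform repository.
# Before: a pinned AMI ID goes stale as soon as AWS publishes a newer build
# and needs a manual bump plus a fresh terraform apply.
resource "aws_launch_template" "ecs_pinned" {
  name_prefix   = "ecs-pinned-"
  image_id      = "ami-0123456789abcdef0" # placeholder, not a real AMI ID
  instance_type = "t3.medium"             # assumed
}

# After: EC2 resolves the SSM parameter when each instance launches, so new
# instances always get the currently recommended ECS-optimised image.
# Other public paths follow the same pattern, for example:
#   /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-ECS_Optimized/image_id
#   /aws/service/eks/optimized-ami/<k8s-version>/amazon-linux-2/recommended/image_id
resource "aws_launch_template" "ecs_latest" {
  name_prefix            = "ecs-latest-"
  image_id               = "resolve:ssm:/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
  instance_type          = "t3.medium" # assumed
  update_default_version = true
}

resource "aws_autoscaling_group" "ecs_latest" {
  name                = "ecs-latest"
  min_size            = 1
  max_size            = 3
  vpc_zone_identifier = var.subnet_ids # assumed variable

  launch_template {
    id      = aws_launch_template.ecs_latest.id
    version = "$Latest"
  }

  # Caveat: a change to the SSM parameter does not change the launch template,
  # so this block does not fire on its own when AWS publishes a new AMI. Already
  # running instances keep their old image until a refresh is started (for
  # example on a schedule with start-instance-refresh) or they are replaced.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 90
    }
  }
}
```

The resolve syntax therefore closes the gap for newly launched capacity; long-lived instances still need a periodic refresh, which is why the monitoring script remains useful.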

Useful Contacts

No response

Additional Information

No response

Definition of Done

  • The ECS/EKS outdated AMI monitoring script is successfully executed across all accounts
  • Accounts found to have outdated AMIs are contacted for remediation
  • Raise another follow-on ticket for the script to be run again in 1-2 months.

outdated-amis.csv
Same accounts as the last time I ran the script are being flagged. From looking at the AMI IDs, I can see that the ones in use are pretty recent, from the Oct/Nov release.

ami-095cfe74465b7f5e8 - Windows_Server-2019-English-Full-ECS_Optimized-2024.11.13
ami-08b32d78bce8fc05e - Windows_Server-2019-English-Core-ECS_Optimized-2024.11.13
ami-0aed5f2215de82996 - Windows_Server-2019-English-Full-ECS_Optimized-2024.10.17
ami-03e8b3c35fa0619ce - Amazon Linux AMI 2.0.20241023 x86_64 ECS HVM GP2, 2024.10.23

Apex are using outdated AMIs that were released prior to September. I've contacted them to update to the latest AMIs to ensure better performance and security.


I'll raise another follow-on ticket to run the script again in a couple of months. Also, there's a ticket in the backlog looking at AWS Systems Manager Inventory, which can be useful to manage and track outdated AMIs.

Follow on ticket raised here: #8886