Dealing with short lived AWS instances

We currently have several AWS Accounts in our BigFix environment which are used by our developers for testing etc.
As part of this environment users are allowed to set up instances as well as auto scaling groups. Basically, they have free rein to do what they want.
However, IT does have some governance over what goes on regarding security tools etc.
To this end we only install the BigFix Client (via an AWS SSM document) on machines that have been online in these accounts for 24 hours or more.
This is causing us a few issues, for example:

  1. Someone set up an autoscaling group which produced over 1000 short lived instances.
  2. These were picked up by the plugin portal and added to BigFix.
  3. This then skews the patching reports etc. as they are included in the report.

Unfortunately, there seems to be no known way to do the following:

  1. Set the scan cycle separately for each AWS account in the Plugin Portal.
  2. Set the deletion time for machines separately for each AWS account.
  3. As this BigFix environment also includes production machines along with end user machines, we do not want to decrease the automatic deletion time, which is currently set at 30 days.

We did brainstorm a couple of ideas (these are in no particular order):

  1. Ignore the development account. But company policy will not allow us to do that.
  2. Set up a separate plugin portal server with a longer scan time.
  3. Set up a separate BigFix environment.
  4. Set up a script to compare what we currently have in these AWS accounts and remove them from BigFix via the API.

I am curious to know how people deal with cloud instances which can come and go within a matter of hours or days.
Any advice or insights would be greatly appreciated.

A common problem for many, I’m sure. We delete our cloud instances after they are inactive for 12+ hours.

What do you use to delete them?

  • a task or a person?

We have automation that calls webreports to get the computer IDs of all the inactive cloud instances and then issues a BigFix REST API computer DELETE for each of them.
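The flow described in this reply (find cloud proxy records that have not reported for X hours, then issue a REST API computer DELETE for each), and the "remove them via the API" idea from the original question, as an added example that is not the poster's own automation. It queries the BigFix REST API `/api/query` directly with session relevance rather than Web Reports, and assumes `agent type of it = "Proxy"` identifies cloud-plugin records and that the server URL and credentials are placeholders; the sample query response is constructed.

```python
import base64
import email.utils
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumption: cloud-plugin (proxy) records are identified by "agent type of it".
# Adjust the relevance to whatever property marks cloud records in your deployment.
RELEVANCE = ('(id of it, last report time of it) of bes computers '
             'whose (agent type of it = "Proxy")')

# Constructed sample of what GET /api/query returns for a tuple query.
SAMPLE_QUERY_XML = b"""<BESAPI><Query Resource="sample"><Result>
<Tuple><Answer type="integer">1001</Answer><Answer type="time">Mon, 04 Mar 2024 08:00:00 +0000</Answer></Tuple>
<Tuple><Answer type="integer">1002</Answer><Answer type="time">Tue, 05 Mar 2024 09:30:00 +0000</Answer></Tuple>
</Result></Query></BESAPI>"""
SAMPLE_NOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def stale_computer_ids(query_xml, now, max_age_hours):
    """Return computer IDs whose last report time is older than max_age_hours."""
    cutoff = now - timedelta(hours=max_age_hours)
    stale = []
    for tup in ET.fromstring(query_xml).iter("Tuple"):
        cid, reported = [a.text for a in tup.findall("Answer")]
        if email.utils.parsedate_to_datetime(reported) < cutoff:
            stale.append(int(cid))
    return stale

def delete_requests(server, stale_ids, headers=None):
    """Build one DELETE /api/computer/<id> request per stale record."""
    return [urllib.request.Request(f"{server}/api/computer/{cid}",
                                   headers=headers or {}, method="DELETE")
            for cid in stale_ids]

def purge_stale_proxies(server, user, password, max_age_hours=12, dry_run=True):
    """Query the server, then delete (or, by default, only list) stale records."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    hdr = {"Authorization": f"Basic {auth}"}
    url = f"{server}/api/query?relevance={urllib.parse.quote(RELEVANCE)}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=hdr)) as resp:
        stale = stale_computer_ids(resp.read(), datetime.now(timezone.utc), max_age_hours)
    for req in delete_requests(server, stale, hdr):
        if dry_run:
            print("would send", req.get_method(), req.full_url)
        else:
            urllib.request.urlopen(req).close()
    return stale
```

Run with `dry_run=True` first and compare the listed IDs against the console before letting it delete anything; a placeholder server would be `https://bigfix.example:52311`.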

We do it manually but I did write myself a dashboard so I just select "show me all Proxy records that haven't reported in X hours" and it opens them as an ad-hoc group, so it is just a matter of Ctrl+A and "Remove from database". That said, I did submit an RFE BFMCLOUD-I-9 for exactly that idea. It seems to be committed to but no clear idea when it will be delivered.

Thank you for the tip and the info.