EC2 Instances

When EC2 Sync with Threat Stack is enabled, we continually scan for any instance creation or termination so the Threat Stack platform will reflect the current state of your infrastructure. Threat Stack utilizes a “read-only” access role, scoped to EC2 and permissions are within your control.

The EC2 instance endpoint provides visibility into which EC2 instances are monitored by Threat Stack. The List EC2 Endpoints endpoint enables you to work with the EC2 Instance model.

List AWS EC2 Instances

Overview

This method enables you to get a list of all the EC2 instances in your environment.

NOTES:

The response defaults to show both monitored and non-monitored EC2 instances. The EC2 endpoint paginates query results based on the request.

  • If the request uses the verbose model, then results paginate after 100 responses return.
  • If the request uses the standard model, then results paginate after 10,000 responses return.

Sample Queries

Find all the EC2 instances in your organization:

https://api.threatstack.com/v2/aws/ec2

Find all monitored EC2 instances in your organization:

https://api.threatstack.com/v2/aws/ec2?monitored=true

Find all the non-monitored EC2 instances in your organization:

https://api.threatstack.com/v2/aws/ec2?monitored=false

Find all monitored AWS EC2 instances in your organization and return Threat Stack Agent information about them:

https://api.threatstack.com/v2/aws/ec2?monitored=true&verbose=true

Error Handling Tips

The 400 error code means that you did not correctly specify a valid option for a parameter. You may hit this on monitored which, if provided, must be true or false.

Request
query Parameters
monitored
boolean

Limits the response of EC2 servers to those that are monitored by Threat Stack Agents (true), or those that are not (false).

verbose
boolean

Whether to return results that include Threat Stack Agent information (true) or not (false)

Responses
200
get/aws/ec2
Response samples
application/json
{
  • "servers": [
    ],
  • "token": "string"
}