This is a tool that tries to discover all AWS resources created in an account. AWS has many products (a.k.a. services), with new ones constantly being added and existing ones expanded with new features. The ecosystem allows users to piece together many different services to form a customized cloud experience. The ability to instantly spin up services at scale comes with a manageability cost: it can quickly become difficult to audit an AWS account for the resources being used. That audit matters not only for billing purposes but also for security. Dormant and unknown resources are more prone to security configuration weaknesses, and resources with unexpected dependencies pose availability, access control, and authorization issues.
It uses botocore to discover AWS services and the regions they run in, and to invoke the service APIs. The APIs invoked are those that should list or describe resources. The results can be printed to stdout in JSON format. They can also be written across several files:
First, install Python 2.7.

There is a small GUI for displaying progress which uses the standard Python Tkinter module. However, the underlying native Tcl/Tk library may need extra steps to install. Then install the Python dependencies:

    pip install -r requirements.txt

To get Tkinter/Tcl/Tk, either use the Python installer to install them, or use your OS package manager, for example:

    sudo apt-get install python-tk
You can run the script without any parameters. It will search for your AWS credentials in your shell environment, instance metadata, config file, then credentials file. You can also provide a CSV file containing your credentials on the command line. You will want a user that has permissions like the AWS managed policy ViewOnlyAccess. If you are feeling lucky, you could just pipe the output of the tool to a JSON parser like jq.

The tool could take a long time (dozens of minutes) to complete if no restrictions are placed on which operations to invoke for each service across each region. Filtering by service and region can be done on the command line, while filtering by service operation can be done via a configuration file. A pre-configured file was created and checked into the repository; it is used by default.
Aside from the commandline output, you can view the results locally in a React single-page app. No web server needed. Just open the HTML file in a browser and select the generated JSON file when prompted.
The app uses jsTree to display the data in a hierarchical, tree-like structure. There is also a search feature.
NOTE: When invoking APIs, those that raise an exception are not used again regardless of region. Known causes of exceptions are:
    $ python aws_inventory.py

    $ python aws_inventory.py --list-svcs
    acm
    apigateway
    application-autoscaling
    appstream
    autoscaling
    batch
    budgets
    clouddirectory
    cloudformation
    cloudfront
    ...

    $ python aws_inventory.py --list-operations
    [shield]
    DescribeSubscription
    ListAttacks
    ListProtections
    [datapipeline]
    ListPipelines
    [firehose]
    ListDeliveryStreams
    ...
    [glacier]
    # NONE
    [stepfunctions]
    ListActivities
    ListStateMachines
    Total operations to invoke: 4045

    $ python aws_inventory.py --debug --dry-run
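The discovery step described above (botocore service models filtered down to list/describe operations, then invoked per region with failing operations retired account-wide, as the NOTE says) can be sketched as follows. This is an added example, not the aws_inventory project's own code; it assumes that only operations with no required parameters are candidates, and `load_service_operations` assumes botocore is installed.

```python
# Added example, not the aws_inventory project's own code. It models the
# discovery step: pick the botocore operations that list or describe
# resources, then invoke them per region, retiring any operation that
# raises so it is never called again in another region.
# Assumption: an operation qualifies only if it needs no required parameters.

LIST_PREFIXES = ("List", "Describe")


def is_inventory_operation(name, required_params):
    """True for a List*/Describe* call that can be made without arguments."""
    return name.startswith(LIST_PREFIXES) and not required_params


def select_operations(op_models):
    """op_models maps operation name -> set of required parameter names."""
    return sorted(n for n, req in op_models.items() if is_inventory_operation(n, req))


def load_service_operations(service_name):
    """Build op_models from the API model botocore ships locally (assumes
    botocore is installed); no network access or credentials are needed."""
    import botocore.session  # imported lazily so the rest runs without it
    model = botocore.session.get_session().get_service_model(service_name)
    op_models = {}
    for name in model.operation_names:
        shape = model.operation_model(name).input_shape
        op_models[name] = set(shape.required_members) if shape else set()
    return op_models


class Inventory:
    """Calls invoke(region, op_name) for every region/operation pair."""

    def __init__(self, invoke):
        self.invoke = invoke
        self.failed = set()    # operations retired after their first exception
        self.results = {}      # (region, op_name) -> response

    def run(self, regions, op_names):
        for region in regions:
            for op in op_names:
                if op in self.failed:
                    continue   # skipped in every later region, as the NOTE says
                try:
                    self.results[(region, op)] = self.invoke(region, op)
                except Exception:
                    self.failed.add(op)
        return self.results
```

Feeding `load_service_operations("ec2")` into `select_operations` gives the same kind of per-service list that `--list-operations` prints, and `Inventory.run` with a real boto3 call as `invoke` reproduces the retire-on-exception behaviour.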