AWS Usage Notes 5: Collecting information on all services with a third-party tool

Background

Project link: https://github.com/aws-samples/aws-auto-inventory
Project goal: quickly scan the asset information in an account, with support for organization-level lookup

Steps

Install AWS CLI v2

sudo yum remove awscli

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

Install the dependencies

dnf install python3-devel gcc make
dnf install -y autoconf automake libtool
dnf install python3-pip

# It is recommended to run the following as a non-root user
pip3 install wheel

cd aws-auto-inventory
pip3 install -e .

Setup on the AWS side

Because of how the code works, we need to create a role with the same name in both the management account and the member accounts, although the contents of the two roles may differ.

Member account

Add the trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<management account ID>:role/OrganizationAccountAccessRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Add permissions

Which permissions you grant here depends on what you want to scan. Because I need information about EC2, EBS and Fleet Manager, I configured them as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEC2ReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSSMDescribe",
      "Effect": "Allow",
      "Action": [
        "ssm:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Management account

The management account needs a role with the same name. Note that the name really must be identical, otherwise the code will not recognize it...

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationList",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAssumeInventoryRoleInAllAccounts",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
    }
  ]
}

Attach this role to the EC2 instance that will run the code.

YAML configuration file

# AWS Auto Inventory - Example YAML Configuration

inventories:
  - name: my-aws-inventory
    aws:
      # AWS profile to use (optional, uses default credentials if not specified)
      # profile: default

      # AWS regions to scan
      region:
        - ap-southeast-1

      # Set to true to scan across all accounts in the organization
      organization: false

      # Role name to assume in each account (only used if organization is true)
      role_name: OrganizationAccountAccessRole

    # Excel output configuration
    excel:
      # Whether to transpose data in Excel output
      transpose: true

      # Additional formatting options
      formatting:
        header_style:
          bold: true
          bg_color: "#4F81BD"
          font_color: "#FFFFFF"

    # Sheets to include in the inventory
    sheets:
      # EC2 Instances
      - name: EC2Instances
        service: ec2
        function: describe_instances
        result_key: Reservations
        parameters:
          Filters:
            - Name: instance-state-name
              Values:
                - running
      - name: SSMInstances
        service: ssm
        function: describe_instance_information

      - name: Volumes
        service: ec2
        function: describe_volumes

Run the command on the EC2 instance

cd aws-auto-inventory
aws-auto-inventory --config examples/config_example.yaml --output-dir output --format both

  1. Missing export module
    The code contains `from .output.processor import OutputProcessor`, but it appears the author never uploaded that module, so the code cannot run at all.
    Solution: comment out the related code in cli.py and add your own export function.
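To tie together the role setup, the sheet definitions in the YAML and the missing export module, here is a minimal stand-in scan in Python; it is an added example and not the aws-auto-inventory project's own code. It assumes boto3 is needed only by the real client factory, that the role name is identical in every account (as the post requires), and that an account whose trust policy is missing should be recorded as an error instead of aborting the whole scan; `write_json` is a hypothetical replacement for the absent OutputProcessor.

```python
"""Minimal organization-wide inventory scan (added example, not the project's code)."""
import json

# Sheet definitions mirror the YAML config: service, boto3 function, result_key, parameters.
SHEETS = [
    {"name": "EC2Instances", "service": "ec2", "function": "describe_instances",
     "result_key": "Reservations",
     "parameters": {"Filters": [{"Name": "instance-state-name", "Values": ["running"]}]}},
    {"name": "Volumes", "service": "ec2", "function": "describe_volumes"},
]


def default_client_factory(account_id, service, region, role_name):
    """Assume role_name in account_id (same role name in every account) and return a client.
    Needs boto3 and real credentials, so it is imported lazily and not used offline."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="inventory")["Credentials"]
    return boto3.client(service, region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def run_sheet(client, sheet):
    """Call the sheet's API function with its parameters; keep result_key or the whole body."""
    response = getattr(client, sheet["function"])(**sheet.get("parameters", {}))
    key = sheet.get("result_key")
    if key:
        return response[key]
    return {k: v for k, v in response.items() if k != "ResponseMetadata"}


def inventory(accounts, region, role_name, sheets=SHEETS, client_factory=default_client_factory):
    """Return {account_id: {sheet_name: rows}}. An account that refuses the AssumeRole
    (for example because its trust policy is missing) is recorded as an error, not fatal."""
    results = {}
    for account_id in accounts:
        results[account_id] = {}
        for sheet in sheets:
            try:
                client = client_factory(account_id, sheet["service"], region, role_name)
                results[account_id][sheet["name"]] = run_sheet(client, sheet)
            except Exception as exc:
                results[account_id][sheet["name"]] = {"error": str(exc)}
    return results


def write_json(results, path):
    """Hypothetical replacement for the missing OutputProcessor: dump everything to one file."""
    with open(path, "w") as f:
        json.dump(results, f, indent=2, default=str)
```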