AMI report using Lambda functions and Amazon SES
There are two Lambda functions. The first runs a DescribeImages query against the management account and each tenant account, formats the results as CSV and saves the CSV to an S3 bucket. The second builds a multipart MIME email, attaches the report from the S3 bucket and sends it via Amazon Simple Email Service (SES) to a list of recipients.
Cross-account permissions are required for the Lambda function in the "management" account to query the "tenant" accounts. This is done by creating, in each tenant account, an IAM role whose trust policy delegates access to the management account. See the Terraform configuration for details. Note that if the trust policy names the management account as a whole, any principal in that account that holds sts:AssumeRole on the role ARN can use it; restricting the trust to the report Lambda's execution role (and adding an ExternalId condition) limits it to the intended caller.
Attached to the tenant IAM role is a single policy that allows only the ec2:DescribeImages action. DescribeImages does not support resource-level permissions, so its Resource must be "*"; the least-privilege lever here is limiting the policy to that one action.
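The tenant-side role described above, as an added example that is not the project's Terraform: the trust policy and the permissions policy written as Python dicts, plus a check that the trust is limited to the intended management account. The role name and ExternalId values are placeholders, and the narrower trust (naming the report Lambda's execution role and requiring an ExternalId) goes beyond what the text above describes.

```python
"""Added example, not the project's Terraform: the tenant role's trust policy
and permissions policy as Python dicts, with a check that only the intended
management account (or role) can assume the role. Names are placeholders."""
import re

# Extracts the 12-digit account ID from an IAM ARN such as
# arn:aws:iam::111111111111:role/ami-report-lambda
ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def tenant_trust_policy(mgmt_account, mgmt_role_name=None, external_id=None):
    """Trust policy for the tenant role. Trusting the account root lets any
    principal in the management account that holds sts:AssumeRole use the
    role; naming the report Lambda's execution role, and requiring an
    ExternalId, narrows that to the one intended caller."""
    if mgmt_role_name is None:
        principal = f"arn:aws:iam::{mgmt_account}:root"
    else:
        principal = f"arn:aws:iam::{mgmt_account}:role/{mgmt_role_name}"
    statement = {"Effect": "Allow", "Principal": {"AWS": principal},
                 "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def tenant_permissions_policy():
    """ec2:DescribeImages has no resource-level permissions, so Resource must
    be '*'; least privilege here comes from allowing only this one action."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:DescribeImages",
                           "Resource": "*"}]}


def trusted_principals(trust_policy):
    """Every principal that an Allow statement lets call sts:AssumeRole."""
    found = []
    for st in trust_policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow":
            continue
        if not ({"sts:AssumeRole", "sts:*", "*"} & set(actions)):
            continue
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        found.extend([aws] if isinstance(aws, str) else aws)
    return found


def trust_problems(trust_policy, expected_accounts):
    """Return findings as strings; an empty list means only expected_accounts
    are trusted and no wildcard principal is present."""
    problems = []
    for p in trusted_principals(trust_policy):
        match = ACCOUNT_IN_ARN.match(p)
        if p == "*" or match is None:
            problems.append(f"wildcard or non-account principal: {p}")
        elif match.group(1) not in expected_accounts:
            problems.append(f"unexpected account trusted: {match.group(1)}")
    return problems
```

Run `trust_problems` against the rendered trust document (for instance the output of `terraform show -json`) before applying it in each tenant; a wildcard principal or a stray account number is exactly the kind of mistake that turns a read-only reporting role into an open door.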
The Lambda function which creates the AMI report is assigned an IAM role in the management account with a single policy attached that allows it to perform all of its necessary functions:
- Query the images (DescribeImages) in the management account.
- Write the CSV report to an S3 bucket.
- Assume the delegated tenant IAM role and run DescribeImages in the tenant accounts.
- Encrypt the CSV report it saves to the S3 bucket.
- logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents, which every Lambda function needs in order to write its logs to CloudWatch Logs.
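The report Lambda's work, as an added example that is not the project's code: cross-account DescribeImages through the delegated role, flattening into CSV, and an SSE-KMS write to S3 (the reason the role needs the KMS encrypt grant). It goes beyond the text above in one respect: it handles AMIs with multiple snapshots by emitting one row per snapshot, which the TODO list at the end notes is still open in the project. The tenant role name, the ExternalId and the parameter names are assumptions, and `SAMPLE_IMAGES` is constructed data.

```python
"""Added example, not the project's own Lambda code: gather DescribeImages
output from the management account and each tenant (via the delegated role),
flatten it to CSV with one row per EBS snapshot, and store it in S3 with
SSE-KMS. boto3 is imported only inside AWS-facing functions (offline-testable)."""
import csv
import io

# Assumed names; the project's Terraform defines the real ones.
TENANT_ROLE_NAME = "ami-report-reader"
CSV_COLUMNS = ["Tenant", "AccountId", "ImageId", "Name", "CreationDate",
               "Public", "DeviceName", "SnapshotId", "VolumeSizeGiB"]


def image_rows(tenant, account_id, images):
    """One row per EBS snapshot; an AMI with no EBS mapping (instance-store
    backed) still yields one row with empty snapshot fields, so none is lost."""
    rows = []
    for img in images:
        base = {"Tenant": tenant, "AccountId": account_id,
                "ImageId": img["ImageId"], "Name": img.get("Name", ""),
                "CreationDate": img.get("CreationDate", ""),
                "Public": img.get("Public", False)}
        ebs = [m for m in img.get("BlockDeviceMappings", []) if "Ebs" in m]
        if not ebs:
            rows.append({**base, "DeviceName": "", "SnapshotId": "", "VolumeSizeGiB": ""})
        for m in ebs:
            rows.append({**base, "DeviceName": m.get("DeviceName", ""),
                         "SnapshotId": m["Ebs"].get("SnapshotId", ""),
                         "VolumeSizeGiB": m["Ebs"].get("VolumeSize", "")})
    return rows


def rows_to_csv(rows):
    """Serialise rows under a fixed header so the column order is stable."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_report(mgmt_alias, mgmt_account, tenants, images_for_account):
    """tenants: (name, account_id) pairs in matching order, as tenant_names and
    tenant_accounts require. images_for_account(id) returns that account's 'Images'."""
    rows = image_rows(mgmt_alias, mgmt_account, images_for_account(mgmt_account))
    for name, account_id in tenants:
        rows.extend(image_rows(name, account_id, images_for_account(account_id)))
    return rows_to_csv(rows)


def assume_tenant_session(account_id, role_name=TENANT_ROLE_NAME, external_id=None):
    """Assume the delegated tenant role; the Session holds temporary STS credentials."""
    import boto3
    args = {"RoleArn": f"arn:aws:iam::{account_id}:role/{role_name}",
            "RoleSessionName": "ami-report"}
    if external_id:  # only when the tenant trust policy requires one
        args["ExternalId"] = external_id
    creds = boto3.client("sts").assume_role(**args)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


def aws_images_for_account(mgmt_account, external_id=None):
    """boto3-backed images_for_account: own role for the management account,
    the assumed role for every tenant account."""
    import boto3

    def fetch(account_id):
        session = (boto3.Session() if account_id == mgmt_account
                   else assume_tenant_session(account_id, external_id=external_id))
        return session.client("ec2").describe_images(Owners=["self"])["Images"]
    return fetch


def write_report(report, bucket, key, kms_key_id):
    """Store the CSV with SSE-KMS; this is why the role needs the KMS grant."""
    import boto3
    boto3.client("s3").put_object(Bucket=bucket, Key=key, Body=report.encode("utf-8"),
                                  ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id)


# Constructed sample shaped like DescribeImages output (not real data).
SAMPLE_IMAGES = {
    "111111111111": [{"ImageId": "ami-0a1b2c3d4e5f60001", "Name": "web-base",
                      "CreationDate": "2021-03-01T10:00:00.000Z", "Public": False,
                      "BlockDeviceMappings": [
                          {"DeviceName": "/dev/sda1", "Ebs": {"SnapshotId": "snap-0a1b2c3d4e5f60001", "VolumeSize": 8}},
                          {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-0a1b2c3d4e5f60002", "VolumeSize": 100}},
                          {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]}],
    "222222222222": [{"ImageId": "ami-0a1b2c3d4e5f60002", "Name": "legacy-instance-store",
                      "CreationDate": "2019-07-15T08:30:00.000Z", "Public": True,
                      "BlockDeviceMappings": []}]}


def sample_report():
    """Run the report over the constructed sample, entirely offline."""
    return build_report("mgmt", "111111111111", [("tenant-a", "222222222222")],
                        lambda acct: SAMPLE_IMAGES.get(acct, []))
```

In the real handler, `build_report(alias, mgmt, tenants, aws_images_for_account(mgmt, external_id))` followed by `write_report(...)` is the whole job; keeping the AWS calls behind `images_for_account` is what lets the CSV logic be exercised without credentials. The `Public` column is worth watching in the output: a public AMI shares whatever secrets were baked into its snapshots with every AWS account.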
The Lambda function which emails the AMI report is assigned an IAM role in the management account with a single policy attached that allows it to perform all of its necessary functions:
- Send email via Amazon SES.
- Read the report from the Amazon S3 bucket.
- Decrypt the CSV report (S3 decrypts SSE-KMS objects transparently, but only if the caller may use the key).
- logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents, which every Lambda function needs in order to write its logs to CloudWatch Logs.
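The email Lambda's work, as an added example that is not the project's code: reading the CSV from S3, wrapping it in a multipart MIME message as a text/csv attachment and handing the raw message to SES. Message construction uses only the standard library and can be checked offline; the environment variable names and the default object key are assumptions, and the sample CSV in the usage is constructed.

```python
"""Added example, not the project's own Lambda code: fetch the CSV report from
S3, wrap it in a multipart MIME message as a text/csv attachment and send it
with SES SendRawEmail. Only the standard library is needed to build the
message; boto3 is imported inside the AWS-facing functions only."""
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate


def build_report_email(sender, recipients, csv_bytes, filename="ami-report.csv",
                       subject="AMI report"):
    """Return a multipart/mixed message: a short plain-text body plus the CSV
    as a text/csv attachment with an explicit filename, so mail clients save
    it rather than render it inline."""
    msg = MIMEMultipart("mixed")
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Date"] = formatdate(localtime=False)
    msg.attach(MIMEText(f"The AMI report is attached as {filename}.", "plain"))
    attachment = MIMEText(csv_bytes.decode("utf-8"), "csv")
    attachment.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(attachment)
    return msg


def attachments(msg):
    """List (filename, content type, raw bytes) for every attachment part;
    useful for checking the message before it is handed to SES."""
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found.append((part.get_filename(), part.get_content_type(),
                          part.get_payload(decode=True)))
    return found


def fetch_report(bucket, key):
    """Read the CSV from S3. SSE-KMS decryption happens transparently, which
    is why the role needs the KMS decrypt grant as well as S3 read access."""
    import boto3
    return boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()


def send_via_ses(msg, sender, recipients):
    """Hand the raw message to SES. Source must be a verified identity; while
    the account is in the SES sandbox every recipient must be verified too."""
    import boto3
    response = boto3.client("ses").send_raw_email(
        Source=sender, Destinations=list(recipients),
        RawMessage={"Data": msg.as_bytes()})
    return response["MessageId"]


def lambda_handler(event, context):
    """Entry point; the environment variable names are assumptions that mirror
    the sender/recipients tfvars variables described in this README."""
    import os
    sender = os.environ["SENDER"]
    recipients = [r.strip() for r in os.environ["RECIPIENTS"].split(",")]
    csv_bytes = fetch_report(os.environ["REPORT_BUCKET"],
                             os.environ.get("REPORT_KEY", "ami-report.csv"))
    msg = build_report_email(sender, recipients, csv_bytes)
    return {"MessageId": send_via_ses(msg, sender, recipients)}
```

Two practical points: every address in `To:` is visible to every other recipient, so send one message per recipient if the list should stay private; and SES caps the size of a raw message, so a report that grows large is better delivered as a link to the S3 object than as an attachment.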
- Copy the `terraform.tfvars.example` file to `terraform.tfvars`.
- Set the `mgmt_account` variable to the account number of the account where the AMI reporting Lambda function will run. For instructions on how to find the AWS account number, see the AWS documentation.
- Set `mgmt_account_alias` to the name which will appear in the 'Tenant' column of the AMI report for the AMIs in the management account.
- Set `tenant_accounts` to a comma-separated list of the AWS account numbers for the tenant accounts you wish to query for the AMI report.
- Set `tenant_names` to a comma-separated list of the tenant names you want to appear in the first column of the report to identify the tenant account. The names must be in exactly the same order as the corresponding account numbers in the `tenant_accounts` variable; the two lists are matched by position, so a mismatch labels every AMI with the wrong tenant without any error.
- Set `sender` to the email address you want to use as the sender address. Note: this address must be verified for use by SES.
- Set `recipients` to a comma-separated list of the email addresses you wish to receive the report. Note: these addresses must be verified for use by SES while the account is still in the SES sandbox; once SES production access has been granted, only the sender identity needs to be verified.
- Set `schedule_expression` to a valid rate or cron schedule expression such as `cron(5 3 ? * MON-FRI *)` (03:05 Monday to Friday; schedule expressions are evaluated in UTC). For more information, see the AWS documentation or tutorial.
In the `tenants` sub-directory there is a Terraform file that configures the cross-account IAM role and policy. To configure it:
- Copy the `tenants/terraform.tfvars.example` file to `tenants/terraform.tfvars`.
- Set the `mgmt_account` variable to the account number of the account where the AMI reporting Lambda function will run. For instructions on how to find the AWS account number, see the AWS documentation.
For each tenant account, point your `AWS_PROFILE` environment variable at a profile for that account and run `terraform apply`; repeat once per tenant account. The credentials used for each account need administrator privileges (at minimum, permission to create the IAM role and attach its policy) to apply the Terraform configuration.
- Add tests for CircleCI/fix configuration
- Add pylint to CircleCI tests
- Fix pylint issues
- Add TFLint to CircleCI tests
- Fix TFLint issues
- Handle AMIs with multiple snapshots
