AWS Organizations support? #144
Comments
Hi @iainelder, I think it's a great idea. I can't promise a timeline, but it would make for a great feature enhancement. Would you be available to help test it?
Glad to hear that. Sure, sign me up for testing! I have a small personal org to try things in. In the meantime, I may experiment with a script that generates the profiles for the member accounts and drives aws_recon to run on each one. I believe the API throttling limits are per account, so it may be possible to run a few aws_recon processes in parallel in this way. If I get any useful results I'll share them here.
I wrote some experimental code that can drive aws_recon as I described. Once you have a CLI config file with one profile for each account in your organization, it's quite straightforward to execute aws_recon once with each profile. You can use something like GNU Parallel to make it go faster. Example here in bash:

Writing such a profile file is more complicated than I had first thought. You need to treat the management account separately and copy the existing config for it. Example here in Python: https://github.com/iainelder/parallel_recon/blob/c1a72da8daf0867577232ac11e6db7e8b6023ac0/main.py

The code for reading and writing the existing profiles depends on some internal methods of Python's awscli and botocore packages to do that. I'm less familiar with the Ruby SDK for AWS, but the same would be possible one way or another.
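To show the profile-generation step described in the comment above, here is an added example (not the commenter's parallel_recon code or part of aws_recon): it builds one CLI profile per active account, copying the management account's existing profile verbatim and chaining members through `role_arn`/`source_profile`, then emits one aws_recon invocation per profile for GNU Parallel. The role name `OrganizationAccountAccessRole`, the profile name `mgmt`, the account list and the config text are constructed sample values.

```python
import configparser
import io
import shlex

# Constructed sample data: a trimmed `aws organizations list-accounts` result
# and the operator's existing CLI config for the management account.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE"},   # management account
    {"Id": "222222222222", "Status": "ACTIVE"},   # member account
    {"Id": "333333333333", "Status": "SUSPENDED"},  # cannot be assumed into
]
SAMPLE_EXISTING_CONFIG = (
    "[profile mgmt]\nregion = eu-west-1\n"
    "sso_start_url = https://example.awsapps.com/start\n"
)

def build_org_config(existing_config, accounts, management_account_id,
                     management_profile, role_name="OrganizationAccountAccessRole"):
    """Return CLI config text with one `org-<account id>` profile per ACTIVE account.
    Members get a role_arn/source_profile chain through the management profile;
    the management account's own profile is copied as-is, because it cannot
    assume the organization role into itself (the AWS default role name is assumed)."""
    src = configparser.RawConfigParser()
    src.read_string(existing_config)
    mgmt_section = "default" if management_profile == "default" else f"profile {management_profile}"
    if not src.has_section(mgmt_section):
        raise ValueError(f"profile {management_profile!r} not found in existing config")
    out = configparser.RawConfigParser()
    for acct in accounts:
        if acct["Status"] != "ACTIVE":
            continue  # suspended or closed accounts would only produce AccessDenied noise
        section = f"profile org-{acct['Id']}"
        out.add_section(section)
        if acct["Id"] == management_account_id:
            for key, value in src.items(mgmt_section):  # copy existing credentials config
                out.set(section, key, value)
        else:
            out.set(section, "role_arn", f"arn:aws:iam::{acct['Id']}:role/{role_name}")
            out.set(section, "source_profile", management_profile)
            out.set(section, "region", src.get(mgmt_section, "region", fallback="us-east-1"))
    buf = io.StringIO()
    out.write(buf)
    return buf.getvalue()

def parse_profiles(config_text):
    """Map profile name -> options, for listing or inspecting the generated file."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(config_text)
    return {(s[len("profile "):] if s.startswith("profile ") else s): dict(cfg.items(s))
            for s in cfg.sections()}

def recon_commands(config_path, config_text):
    """One aws_recon command line per profile, e.g. to pipe into `parallel -j 4`.
    AWS_CONFIG_FILE and AWS_PROFILE are honoured by the AWS SDK for Ruby, so no
    tool-specific flag is needed."""
    return [f"AWS_CONFIG_FILE={shlex.quote(config_path)} AWS_PROFILE={shlex.quote(p)} aws_recon"
            for p in parse_profiles(config_text)]
```

Run `recon_commands(...)` and feed its lines to GNU Parallel; one process per profile keeps each account's API throttling budget separate.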
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
First of all, thanks for developing this awesome tool. I just discovered it and it looks really useful for filling in the gaps in AWS Config's coverage.
As far as I can tell from the docs, the scope of each execution is a single AWS account.
Would you consider adding support for multiple accounts or even a whole organization?
I often need to run inventory checks for a single resource type across all accounts in my AWS organizations. The organizations I manage are in the order of hundreds or thousands of accounts, so checking each one by one is impractical.
Ideally I'd like to be able to connect to the organization management account and collect inventory from all accounts in the organization including the management account itself.
Before I was aware of aws-recon, I built a tool called aws-org-inventory that collects inventory from all the organization member accounts. It mostly meets my needs, but it's still experimental; far less mature than aws-recon.
If aws-recon could support this use case, I'd happily adopt it as my go-to tool for collecting organization inventory.
To get an idea of what I mean, here's my proof of concept (written in Python): https://github.com/iainelder/aws-org-inventory
The clever part of connecting to all the member accounts is actually due to the Botocove library: https://github.com/connelldave/botocove