forked from ab/AWS-Audit
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME
63 lines (48 loc) · 2.82 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
AWS Audit README
----------------
AWS Audit is intended to be used to both track Amazon Webservices configuration changes across
multiple accounts, and also provide a data building block to be used as a foundation for other
applications.
This will query any number of AWS accounts and produce a monolithic XML file containing all of the
data which it finds.
This is something which I (github.com/jamessheridan) wrote when I was back at News International.
It is horrifically crufty python and I make no apologies for that!
It was open sourced by NI, but was subsequently abandoned by them. Andy Brody (github.com/ab) kindly
cleaned up some things and here it is now.
At the time, NI had many different AWS accounts, spread over different availability zones and regions
and this made it very tricky to work out what was in play at any given moment. So, I wrote this.
Requirements
------------
Python 2.6 - we haven't tested on any earlier or later versions
Boto Library 2.0b4 (http://code.google.com/p/boto/) - again, not tested on any other
PyYAML 3.10 (http://pyyaml.org/wiki/PyYAML)
python-ElementTree library
Installation Steps (See below for details)
------------------------------------------
1. Create an S3 bucket to retain account credentials. Ensure this bucket is not publicly visible.
2. Create an IAM account within your master AWS account.
3. Ensure the S3 bucket you created in 1. is only accessible by the new IAM user.
4. Edit the config file /etc/aws_audit.conf
This should be fairly self-explanatory, the config is short and commented.
5. Place aws_audit.py somewhere sensible (eg. /usr/local/bin/aws_audit.py)
6. Install a crontab entry to periodically poll AWS and get updated information.
eg:
*/12 * * * * /usr/local/bin/aws_audit.py >/tmp/aws_audit.out 2>&1
Amazon account credentials in S3 Bucket
---------------------------------------
AWS Audit has the ability to track multiple Amazon Webservices accounts, the account credentials need
to be stored somewhere, we have chosen to use an S3 bucket. You can secure the S3 bucket using an IAM
policy and bucket policy, but we just use the master AWS accounts access keys for where the S3 bucket
is configured.
Inside the credential bucket you need to create some files - one each per account you wish to monitor.
The master account details required to read all the account credentials are configured by AWS Audit in
the /etc/aws_audit.conf file, in these 2 settings:
master_aws_key:
master_aws_secret:
The format of the S3 files is show below:
Folder: <accountNumber>-<accountEmail> e.g. 123456789123-joe@example.com
File: cred-<accountNumber>-<accountEmail>.txt e.g. cred-123456789123-joe@example.com.txt
Contents: see below, N.B. the keys are randomly generated
AccountName=joe@example.com
AWSAccessKeyId=ABTHJK7TBVBV45PDYFAMA
AWSSecretKey=5jJoj3aaJi3mdAWW76jE89FNxVPeOabXqqQIS2be