forked from ab/AWS-Audit
-
Notifications
You must be signed in to change notification settings - Fork 0
License
jamessheridan/AWS-Audit
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
AWS Audit README ---------------- AWS Audit is intended to be used to both track Amazon Webservices configuration changes across multiple accounts, and also provide a data building block to be used as a foundation for other applications. This will query any number of AWS accounts and produce a monolithic XML file containing all of the data which it finds. This is something which I (github.com/jamessheridan) wrote when I was back at News International. It is horrifically crufty python and I make no apologies for that! It was open sourced by NI, but was subsequently abandoned by them. Andy Brody (github.com/ab) kindly cleaned up some things and here it is now. At the time, NI had many different AWS accounts, spread over different availability zones and regions and this made it very tricky to work out what was in play at any given moment. So, I wrote this. Requirements ------------ Python 2.6 - we haven't tested on any earlier or later versions Boto Library 2.0b4 (http://code.google.com/p/boto/) - again, not tested on any other PyYAML 3.10 (http://pyyaml.org/wiki/PyYAML) python-ElementTree library Installation Steps (See below for details) ------------------------------------------ 1. Create an S3 bucket to retain account credentials. Ensure this bucket is not publicly visible. 2. Create an IAM account within your master AWS account. 3. Ensure the S3 bucket you created in 1. is only accessible by the new IAM user. 4. Edit the config file /etc/aws_audit.conf This should be fairly self-explanatory, the config is short and commented. 5. Place aws_audit.py somewhere sensible (eg. /usr/local/bin/aws_audit.py) 6. Install a crontab entry to periodically poll AWS and get updated information. eg: */12 * * * * /usr/local/bin/aws_audit.py >/tmp/aws_audit.out 2>&1 Amazon account credentials in S3 Bucket --------------------------------------- AWS Audit has the ability to track multiple Amazon Webservices accounts, the account credentials need to be stored somewhere, we have chosen to use an S3 bucket. You can secure the S3 bucket using an IAM policy and bucket policy, but we just use the master AWS accounts access keys for where the S3 bucket is configured. Inside the credential bucket you need to create some files - one each per account you wish to monitor. The master account details required to read all the account credentials are configured by AWS Audit in the /etc/aws_audit.conf file, in these 2 settings: master_aws_key: master_aws_secret: The format of the S3 files is show below: Folder: <accountNumber>-<accountEmail> e.g. 123456789123-joe@example.com File: cred-<accountNumber>-<accountEmail>.txt e.g. cred-123456789123-joe@example.com.txt Contents: see below, N.B. the keys are randomly generated AccountName=joe@example.com AWSAccessKeyId=ABTHJK7TBVBV45PDYFAMA AWSSecretKey=5jJoj3aaJi3mdAWW76jE89FNxVPeOabXqqQIS2be
About
No description, website, or topics provided.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- Python 100.0%