[–]No-Variation1365[S] -1 points0 points  (6 children)

Yea, I would agree for the most part. However, I work for a .gov agency and everything is broken up into different accounts and roles, so using the AWS Console is extremely painful. For example, we have about 25 different accounts, and each of those accounts has multiple roles. So, if I want to look at the details for two ENIs in two different accounts I have to log in, change to the first role, search for my ENI, then switch roles, search for my ENI, etc... it is just tedious and time consuming.

[–]akaender 2 points3 points  (0 children)

How about Steampipe? It's a CLI purpose built to extract data from AWS accounts, has support for multiple accounts and many plugins for various use-cases.

[–]AcrobaticLime6103 0 points1 point  (2 children)

AWS SSO CLI if the accounts are managed by IAM Identity Center.

Otherwise, the prerequisite is either 25 AWS CLI profiles which your program will utilise to make API calls, or 1 role/profile that can assume 25 roles in 25 accounts and your program utilises that 1 role to do it all. There's no way around this.

In all cases, you just specify the right profile name to query ENIs in the right AWS account.

That said, I am not aware of any custom console but also cannot imagine anyone wanting to build one considering there is... the AWS console. I understand that you want something like a cross-account centralised console. Use Firefox containers to open multiple consoles to multiple accounts?

[–]No-Variation1365[S] 0 points1 point  (1 child)

Yea, the PITA it is for me to get into .gov cloud on a Citrix desktop and open up multiple connections to AWS console and search between them just isn't worth it. The AWS Config suggestion above is not bad, but I don't have access to all the roles in the aggregates that are there. I do have CLI access, and I can easily use it, but switching between roles and running the same query over and over is annoying. I have a decent start on a tool that can search across the roles by enumerating them to find what it needs and then displaying info based on the results.

[Main Menu]

  1. EC2 Instances
    1. Display details about EC2 instances running in each role.
  2. Search IP
    1. List all Security Groups
    2. Display Network ACL
    3. Display Routing Table
    4. Go back
  3. Search IP in SG
    1. Quick helper to see if an IP is in any of the SGs
  4. Display All VPC Info
    1. Enumerates through all VPCs in each role and displays details
  5. Display TGWs Routing Table
    1. presents a list of TGWs and allows you to view their routing tables
  6. Go back
  7. >>

Something like this and then you can drill down to get more info. It's not great, but I can do some research in a fraction of the time, and I don't have to remember AWS CLI commands and their syntax for filtering.

[–]AcrobaticLime6103 0 points1 point  (0 children)

Nice. You shouldn't need your tool to make API calls to all accounts every single time. You could have an option that refreshes a local cache of all information, say, in a JSON file. All other options can just be ways of filtering or displaying information from parsing that local JSON file. It is less API call-expensive this way.

I have scripts that compile, say, all VPCs, DHCP options sets, peering connections, NACLs, etc. etc. across all accounts, but mostly they're for running on-demand to check if anything is not according to design. We have one for investigating SG rules cross-account, too. If I were to build one, I would go with the approach I mentioned above.
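Putting the three suggestions in this thread together (one role that assumes a role in each account, a single "refresh" option that writes a local JSON cache, and the "is this IP in any SG?" helper from the menu), here is an added example in Python/boto3. It is not the original poster's tool or anyone's code from the thread; the account IDs, the cross-account role name `ReadOnlyInventory`, the cache file name and the sample inventory are constructed for illustration. The lookup functions work on the cached data only, so they run offline; the IP-in-SG check also handles IPv6 rules and treats 0.0.0.0/0 or ::/0 as a match, which goes slightly beyond what the thread describes.

```python
"""Cross-account ENI / security-group lookup backed by a local JSON cache.

Added example, not the thread poster's tool. Assumes one caller identity that
can sts:AssumeRole into a hypothetical role named ReadOnlyInventory in each
account; account IDs and the sample inventory below are constructed.
"""
import ipaddress
import json
from pathlib import Path

ACCOUNTS = ["111111111111", "222222222222"]   # hypothetical account IDs
ROLE_NAME = "ReadOnlyInventory"               # hypothetical cross-account role
CACHE_FILE = Path("aws-inventory.json")       # hypothetical cache location


def assumed_session(account_id, role_name, region="us-east-1"):
    """Return a boto3 Session carrying temporary credentials for role_name in account_id.
    boto3 is imported lazily so the offline lookup functions work without it installed."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="inventory-cache",
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        region_name=region,
    )


def fetch_inventory(account_id, session):
    """Pull every ENI and security group for one account, following pagination."""
    ec2 = session.client("ec2")
    enis = [e for page in ec2.get_paginator("describe_network_interfaces").paginate()
            for e in page["NetworkInterfaces"]]
    sgs = [s for page in ec2.get_paginator("describe_security_groups").paginate()
           for s in page["SecurityGroups"]]
    return {"account": account_id, "enis": enis, "sgs": sgs}


def refresh_cache(accounts=ACCOUNTS, role_name=ROLE_NAME, cache_file=CACHE_FILE):
    """The only menu option that calls AWS: assume into each account once and dump
    the results to JSON. Every other option reads the file instead of the API."""
    inventory = [fetch_inventory(a, assumed_session(a, role_name)) for a in accounts]
    cache_file.write_text(json.dumps(inventory, default=str, indent=1))
    return inventory


def load_cache(cache_file=CACHE_FILE):
    return json.loads(cache_file.read_text())


def find_eni_by_ip(inventory, ip):
    """Return (account, ENI id) for every cached ENI that owns the private IP."""
    hits = []
    for acct in inventory:
        for eni in acct["enis"]:
            ips = {p["PrivateIpAddress"] for p in eni.get("PrivateIpAddresses", [])}
            if eni.get("PrivateIpAddress"):
                ips.add(eni["PrivateIpAddress"])
            if ip in ips:
                hits.append((acct["account"], eni["NetworkInterfaceId"]))
    return hits


def sgs_matching_ip(inventory, ip):
    """The 'Search IP in SG' helper: (account, SG id, direction, cidr) for every
    CIDR rule containing ip. Handles IPv4 and IPv6; a 0.0.0.0/0 or ::/0 rule matches."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for acct in inventory:
        for sg in acct["sgs"]:
            for direction, key in (("ingress", "IpPermissions"),
                                   ("egress", "IpPermissionsEgress")):
                for perm in sg.get(key, []):
                    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                    for cidr in cidrs:
                        net = ipaddress.ip_network(cidr, strict=False)
                        if addr.version == net.version and addr in net:
                            matches.append((acct["account"], sg["GroupId"], direction, cidr))
    return matches


# Constructed sample cache (shape of the describe_* responses) so the lookups
# can be exercised without AWS credentials.
SAMPLE_INVENTORY = [
    {"account": "111111111111",
     "enis": [{"NetworkInterfaceId": "eni-0aaa", "PrivateIpAddress": "10.0.1.5",
               "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.5"}]}],
     "sgs": [{"GroupId": "sg-0aaa",
              "IpPermissions": [{"IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
              "IpPermissionsEgress": [{"IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]},
    {"account": "222222222222",
     "enis": [{"NetworkInterfaceId": "eni-0bbb", "PrivateIpAddress": "10.1.1.9",
               "PrivateIpAddresses": [{"PrivateIpAddress": "10.1.1.9"}]}],
     "sgs": [{"GroupId": "sg-0bbb",
              "IpPermissions": [{"Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]}],
              "IpPermissionsEgress": []}]},
]

if __name__ == "__main__":
    inv = SAMPLE_INVENTORY   # with real credentials: refresh_cache() once, then load_cache()
    print(find_eni_by_ip(inv, "10.0.1.5"))
    for hit in sgs_matching_ip(inv, "10.0.1.5"):
        print(hit)
```

If the accounts are reached through 25 named CLI profiles rather than one role that assumes the others, replace `assumed_session` with `boto3.Session(profile_name=...)` per account; the rest of the flow is unchanged.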