AWS BOTO3 API: IAM user per region using aws:RequestedRegion global condition key or IAM user per account ?

Question

I want to query all the important information from the following AWS services:
1. EC2
2. RDS
3. ELB/NLB/ALB/ELBv2
4. ECS
5. Lambda
6. SNS

These services are being used per region in a single account. Whats the best way to query it via the BOTO3 API?

Questions:
1. Shall I use IAM user per region using aws:RequestedRegion global condition key and then query it per region?
2. Shall I just create an IAM user (Global) and use this user to query all services in theri respective regions ?
3. Also from the cost perspective which one will be better ?

Answer

Adding to the other answer (which is correct - a script is one way to do this):
1. While you can use an IAM user per region...
2. ...IAM users are global within each account so you don't have to do that and it's far more convenient to use a single IAM user (or role) that has the permission required (read only in this case, it appears).
3. There is no cost difference.

Also: Have you considered using [AWS Config](https://aws.amazon.com/config/) for this? There's nothing wrong with having a script to gather this information; but in large, multi-account environment Config can automatically collect the information you need and you can [query Config](https://docs.aws.amazon.com/config/latest/developerguide/querying-AWS-resources.html) directly.

Answer

I would say to start simple and create a script that accept region and account id as argument. A nice example is this one: https://anandmandilwar.com/2023/06/14/python-boto3-script-to-list-all-the-aws-resources-in-default-vpc-across-all-the-listed-aws-regions/

AWS BOTO3 API: IAM user per region using aws:RequestedRegion global condition key or IAM user per account ?

関連するコンテンツ