How do I identify AWS accounts that make a large number of API calls under my AWS Organizations?


I want to identify top talker accounts that make a large number of API calls under my AWS Organizations.

Resolution

To identify the accounts that make a large number of API calls, it's a best practice to use both Amazon CloudWatch Logs and CloudWatch metrics: CloudWatch Logs attributes calls to individual accounts over a time window, and CloudWatch metrics tracks call volume against the quota so that you can alarm before throttling starts.

The following resolution uses the Amazon Virtual Private Cloud (Amazon VPC) DescribeVpcEndpoints API as the example API call. Substitute the API call that you're investigating.

Note: Amazon Elastic Compute Cloud (Amazon EC2) throttles API requests at the account level. Amazon EC2 also throttles API requests at the organization level, so a single account that makes a large number of calls affects the other accounts in your organization.

Use CloudWatch Logs to identify top talkers

To identify top talkers and aggregate the total API calls across all accounts during a specific time window, use CloudWatch Logs. To create a CloudWatch Logs dashboard, complete the following steps:

  1. Create a new AWS CloudTrail trail for your organization or modify an existing trail to publish the trail to CloudWatch Logs.
    Note: You must set CloudWatch Logs to Enabled.
  2. Open the CloudWatch console.
    Note: Sign in to the account that owns the CloudWatch Logs log group that the trail publishes to.
  3. In the navigation pane, choose Logs, and then select Contributor Insights.
  4. Create a Contributor Insights rule, and then choose Syntax.
  5. To get the number of API calls made by each account, enter the following code in the Syntax editor:
    {
      "AggregateOn": "Count",
      "Contribution": {
        "Filters": [
          {
            "Match": "$.eventName",
            "In": [
              "DescribeVpcEndpoints"
            ]
          }
        ],
        "Keys": [
          "$.userIdentity.accountId",
          "$.eventName"
        ]
      },
      "LogFormat": "JSON",
      "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
      },
      "LogGroupARNs": [
        "arn:aws:logs:us-west-2:account:log-group:aws-cloudtrail-logs-73008ace"
      ]
    }
    To get an aggregate of all API calls across all accounts, enter the following code:
    {
      "AggregateOn": "Count",
      "Contribution": {
        "Filters": [
          {
            "Match": "$.eventName",
            "In": [
              "DescribeVpcEndpoints"
            ]
          }
        ],
        "Keys": [
          "$.eventName"
        ]
      },
      "LogFormat": "JSON",
      "Schema": {
        "Name": "CloudWatchLogRule",
        "Version": 1
      },
      "LogGroupARNs": [
        "arn:aws:logs:us-west-2:account:log-group:aws-cloudtrail-logs-73008ace"
      ]
    }
    Note: Replace DescribeVpcEndpoints with your API call and arn:aws:logs:us-west-2:account:log-group:aws-cloudtrail-logs-73008ace with your log group ARN.
  6. Choose Action, and then choose Add to dashboard.
  7. Select an existing dashboard or create a new one.
  8. Choose Save.

To find the top talkers over a specific time window, you can also run the following CloudWatch Logs Insights query against the CloudTrail log group. Set the time window with the console's time range picker. The query counts the matching calls of each calling account in 1-minute bins, so the busiest account and minute sort to the top:

filter eventName = 'DescribeVpcEndpoints'
| stats count(*) as calls by userIdentity.accountId, bin(1m)
| sort calls desc
| limit 50

Note: Replace DescribeVpcEndpoints with your API call. To get only the total across all accounts for each minute, remove userIdentity.accountId from the stats clause.
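The following is an added example, not code from the AWS page. It reproduces locally what the Contributor Insights rule (keys $.userIdentity.accountId and $.eventName) and the Logs Insights query compute, so that you can check either one against a CloudTrail log file downloaded from the trail's S3 bucket, and it builds the page's rule definition for any API name and log group ARN. The CloudTrail records, account IDs, rule name and function names are constructed for the example; the put_rule function calls the CloudWatch PutInsightRule API and needs boto3 and credentials, so it is not run offline.

```python
"""
Added example, not code from the AWS page: rank top-talker accounts from
CloudTrail records locally. It mirrors what the Contributor Insights rule
(Keys = $.userIdentity.accountId + $.eventName) and the Logs Insights
query compute, so you can sanity-check either against a log file you
downloaded from the trail's S3 bucket. Sample records are constructed.
"""
import gzip
import json
from collections import Counter
from datetime import datetime, timezone


def build_rule_definition(log_group_arn, api_names, per_account=True):
    """Contributor Insights rule body from the page, parameterised.
    per_account=False gives the 'aggregate across all accounts' variant."""
    keys = ["$.userIdentity.accountId", "$.eventName"] if per_account else ["$.eventName"]
    return {
        "AggregateOn": "Count",
        "Contribution": {
            "Filters": [{"Match": "$.eventName", "In": list(api_names)}],
            "Keys": keys,
        },
        "LogFormat": "JSON",
        "Schema": {"Name": "CloudWatchLogRule", "Version": 1},
        "LogGroupARNs": [log_group_arn],
    }


def load_records(path):
    """Read a CloudTrail file: gzipped {"Records": [...]} as delivered to S3,
    or one JSON record per line as exported from CloudWatch Logs."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        text = fh.read()
    try:
        doc = json.loads(text)
        return doc["Records"] if isinstance(doc, dict) else doc
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]


def caller_account(record):
    """userIdentity.accountId is the account that made the call (the
    contributor key the rule uses). Fall back to recipientAccountId when a
    record has no caller account, e.g. some AWS service-originated events."""
    return record.get("userIdentity", {}).get("accountId") or record.get(
        "recipientAccountId", "unknown")


def top_talkers(records, api_names, limit=10):
    """Calls per (accountId, eventName) for the selected APIs, busiest first."""
    counts = Counter(
        (caller_account(r), r["eventName"])
        for r in records if r.get("eventName") in api_names)
    return counts.most_common(limit)


def calls_per_minute(records, api_names):
    """Equivalent of `stats count() by bin(1m)`: matching calls per minute,
    across all accounts, keyed by UTC minute."""
    bins = Counter()
    for r in records:
        if r.get("eventName") in api_names:
            t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            bins[t.replace(second=0, tzinfo=timezone.utc)] += 1
    return dict(sorted(bins.items()))


def put_rule(rule_name, definition, region):
    """Create or update the rule via the CloudWatch API (needs boto3 and
    credentials in the account that owns the log group); not run offline."""
    import boto3  # lazy import so the offline functions work without it
    cw = boto3.client("cloudwatch", region_name=region)
    return cw.put_insight_rule(RuleName=rule_name, RuleState="ENABLED",
                               RuleDefinition=json.dumps(definition))


# Constructed sample: three accounts in one organization, two minutes of events.
def _rec(account, name, minute, second):
    return {"eventVersion": "1.08", "eventSource": "ec2.amazonaws.com",
            "eventTime": f"2024-05-01T12:{minute:02d}:{second:02d}Z",
            "eventName": name, "recipientAccountId": account,
            "userIdentity": {"type": "AssumedRole", "accountId": account}}


SAMPLE_RECORDS = (
    [_rec("111111111111", "DescribeVpcEndpoints", 0, s) for s in range(0, 60, 2)]  # 30 calls
    + [_rec("222222222222", "DescribeVpcEndpoints", 0, s) for s in range(0, 60, 6)]  # 10 calls
    + [_rec("222222222222", "DescribeVpcEndpoints", 1, s) for s in range(0, 60, 4)]  # 15 calls
    + [_rec("333333333333", "DescribeInstances", 1, 5)]  # different API, filtered out
)

if __name__ == "__main__":
    apis = {"DescribeVpcEndpoints"}
    for (account, api), n in top_talkers(SAMPLE_RECORDS, apis):
        print(f"{account}  {api}  {n}")
    for minute, n in calls_per_minute(SAMPLE_RECORDS, apis).items():
        print(f"{minute:%H:%M}  {n}")
    print(json.dumps(build_rule_definition(
        "arn:aws:logs:us-west-2:account:log-group:aws-cloudtrail-logs-73008ace", apis), indent=2))
```

To use it on real data, call load_records on a file from the trail's S3 prefix and pass the result to top_talkers; the per-account ranking should match the rule's contributor list for the same window, and calls_per_minute should match the per-minute totals from the Logs Insights query.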

Use CloudWatch metrics to identify top talkers

Note: Make sure that your configuration adheres to the Metrics Insights quotas.

It's a best practice to create a CloudWatch alarm that alerts you when you reach 60% of the maximum quota for API calls.

To set up a CloudWatch metrics dashboard, complete the following steps:

  1. Set up cross-account observability so that one monitoring account can query the AWS/Usage metrics of every source account in the organization.
  2. Open the CloudWatch console.
  3. In the navigation pane, choose Metrics, and then choose the All metrics tab.
  4. Choose Source, and then enter the following code:
    {
      "metrics": [
        [
          {
            "expression": "SELECT SUM(CallCount) FROM SCHEMA(\"AWS/Usage\", Class,Resource,Service,Type) WHERE Resource = 'DescribeVpcEndpoints'",
            "label": "Query1",
            "id": "q1",
            "period": 60
          }
        ]
      ],
      "view": "timeSeries",
      "stacked": false,
      "region": "us-east-1",
      "stat": "Average",
      "period": 60,
      "annotations": {
        "horizontal": [
          {
            "label": "Org throttle",
            "value": 225
          }
        ]
      }
    }
    Note: Replace DescribeVpcEndpoints with your API call, us-east-1 with your AWS Region, and 225 with the quota for your alarm.
  5. Choose Update.
  6. Choose Action, and then choose Add to dashboard.
  7. Select an existing dashboard or create a new one. It's a best practice to use the same dashboard that has your CloudWatch Logs data.
  8. Choose Save.
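The following is an added example, not code from the AWS page. It builds the dashboard widget source shown above from the API name, Region and quota, and builds the 60%-of-quota CloudWatch alarm that the page recommends on the same Metrics Insights query, using the PutDashboard and PutMetricAlarm APIs. The quota value 225 comes from the page's annotation; the dashboard name, alarm name, widget size and the alarm's evaluation settings are assumptions to adjust for your quota. The push function needs boto3 and credentials in the monitoring account and is not run offline.

```python
"""
Added example, not code from the AWS page: build the Metrics Insights
dashboard widget shown above and a CloudWatch alarm on the same query that
fires at 60% of the quota, as the page recommends. The quota value (225,
taken from the page's annotation), the dashboard and alarm names and the
alarm's evaluation settings are assumptions; adjust them to your quota.
"""
import json
import re

_API_NAME = re.compile(r"^[A-Za-z0-9]+$")


def usage_query(api_names):
    """Metrics Insights query for AWS/Usage CallCount. Several APIs are
    OR-ed in the WHERE clause. Names are validated before being spliced
    into the query string so a stray quote cannot break or alter it."""
    names = list(api_names)
    if not names or not all(_API_NAME.match(n) for n in names):
        raise ValueError(f"invalid API name(s): {names}")
    where = " OR ".join(f"Resource = '{n}'" for n in names)
    return ('SELECT SUM(CallCount) FROM SCHEMA("AWS/Usage", Class,Resource,Service,Type) '
            f"WHERE {where}")


def widget_properties(api_names, region, quota, label="Org throttle"):
    """The widget 'Source' JSON from the page, with the quota drawn as a line."""
    return {
        "metrics": [[{"expression": usage_query(api_names), "label": "Query1",
                      "id": "q1", "period": 60}]],
        "view": "timeSeries", "stacked": False, "region": region,
        "stat": "Average", "period": 60,
        "annotations": {"horizontal": [{"label": label, "value": quota}]},
    }


def dashboard_body(api_names, region, quota):
    """Dashboard body for PutDashboard: one metric widget at the top-left."""
    return {"widgets": [{"type": "metric", "x": 0, "y": 0, "width": 12, "height": 6,
                         "properties": widget_properties(api_names, region, quota)}]}


def alarm_threshold(quota, fraction=0.6):
    """Alert at a fraction of the quota (60% per the page) to keep headroom."""
    if quota <= 0 or not 0 < fraction <= 1:
        raise ValueError("quota must be positive and fraction in (0, 1]")
    return quota * fraction


def alarm_request(alarm_name, api_names, quota, fraction=0.6):
    """Keyword arguments for PutMetricAlarm. The alarm evaluates the Metrics
    Insights query itself (a single MetricDataQuery with ReturnData=True),
    summed per 1-minute period, and requires 2 of 3 breaching datapoints so
    a single burst does not page anyone."""
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": (f"{', '.join(api_names)} CallCount above "
                             f"{int(fraction * 100)}% of quota {quota}"),
        "Metrics": [{"Id": "q1", "Expression": usage_query(api_names),
                     "Period": 60, "ReturnData": True}],
        "Threshold": alarm_threshold(quota, fraction),
        "ComparisonOperator": "GreaterThanThreshold",
        "EvaluationPeriods": 3,
        "DatapointsToAlarm": 2,
        "TreatMissingData": "notBreaching",
    }


def push(dashboard_name, alarm_name, api_names, region, quota):
    """Create both in the monitoring account (needs boto3 and credentials)."""
    import boto3  # lazy import so the offline functions work without it
    cw = boto3.client("cloudwatch", region_name=region)
    cw.put_dashboard(DashboardName=dashboard_name,
                     DashboardBody=json.dumps(dashboard_body(api_names, region, quota)))
    cw.put_metric_alarm(**alarm_request(alarm_name, api_names, quota))


if __name__ == "__main__":
    apis = ["DescribeVpcEndpoints"]
    print(json.dumps(widget_properties(apis, "us-east-1", 225), indent=2))
    print(json.dumps(alarm_request("ec2-describe-vpc-endpoints-60pct", apis, 225), indent=2))
```

Add an AlarmActions entry (for example, an SNS topic ARN) to the request before calling push if you want notifications; without it the alarm only changes state.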

Related information

Analyzing AWS CloudTrail in Amazon CloudWatch

AWS PrivateLink quotas

AWS OFFICIAL
Updated a month ago