How to list all IAM users in a multi-environment organization from a single server

0

I have created a role and attached it to my EC2 instance to allow the ability to access the IAM users in an environment for reporting purposes. I went this route to prevent the need for storing any AWS credentials in a credential file. Does anyone know if it is possible for the single EC2 host to read all IAM users for multiple environments? We have several environments (prod, dev, security, auditing, etc...), and my goal is to generate a report on all IAM users for all our environments from the single host.

Any information is much appreciated!

2 answers
0
Accepted answer

If you are operating multiple accounts in an AWS Organization I'd suggest using Config for this because you can easily query Config to see many different types of resources across all accounts. The resources you can access are listed here and IAM Users are in that list.

That said, you can also do this by running some code. The example below iterates through all accounts in an Organization but you could also pass in a list of account ids instead. I originally wrote this to get a list of VPCs and IP address ranges in each VPC but it is not difficult to modify it to query IAM Users instead.

import boto3
import sys

# Name of the cross-account role that must exist in every member account
crossAccountRoleName = 'NetworkRole'
org = boto3.client('organizations')
sts = boto3.client('sts')


def credentialKwargs(credentials):
    # Turn an sts.assume_role response into the keyword arguments boto3.client()
    # expects; an empty dict means "use the instance role's own credentials"
    if not credentials:
        return {}
    return {
        'aws_access_key_id': credentials['Credentials']['AccessKeyId'],
        'aws_secret_access_key': credentials['Credentials']['SecretAccessKey'],
        'aws_session_token': credentials['Credentials']['SessionToken'],
    }


def processAccount(ec2, credentials):
    # Resolve the account id with the same credentials used to query it, so the
    # report shows the member account rather than the account this host runs in
    identity = boto3.client('sts', **credentialKwargs(credentials)).get_caller_identity()

    regionList = ec2.describe_regions()['Regions']
    for region in regionList:
        # A region-scoped client is needed in both cases; describe_vpcs only
        # returns VPCs of the region the client is bound to
        ec2Region = boto3.client('ec2', region_name=region['RegionName'],
                                 **credentialKwargs(credentials))

        vpcList = ec2Region.describe_vpcs().get('Vpcs', [])
        for vpc in vpcList:
            print(f'{identity["Account"]},{region["RegionName"]},{vpc["VpcId"]},{vpc["CidrBlock"]}')


try:
    orgDetails = org.describe_organization()
except Exception:
    # Not part of an Organization (or no permission to read it): scan this account only
    ec2 = boto3.client('ec2')
    processAccount(ec2, None)
    sys.exit(0)

accountPaginator = org.get_paginator('list_accounts')
for page in accountPaginator.paginate():
    for account in page['Accounts']:
        if account['Id'] == orgDetails['Organization']['MasterAccountId']:
            # Management account: the instance role can query it directly
            ec2 = boto3.client('ec2')
            processAccount(ec2, None)
        else:
            targetRoleArn = f'arn:aws:iam::{account["Id"]}:role/{crossAccountRoleName}'
            try:
                credentials = sts.assume_role(RoleArn=targetRoleArn,
                                              RoleSessionName='VPCNetworkScanner')
            except Exception as e:
                print(f'STS assume_role failed: {e} for account {account["Id"]}')
                continue

            ec2 = boto3.client('ec2', **credentialKwargs(credentials))
            processAccount(ec2, credentials)
AWS
Expert
Answered 10 months ago
0

You would need to create cross account roles and then assume the role in each account and query the list of users.

However, what you should be doing is to have all users in one AWS account and manage users from here. This way your problem wouldn’t exist. Users would just assume roles in said accounts.

Expert
Answered 10 months ago
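Both answers describe the same pattern: assume a cross-account role in each member account and call IAM from there. The following is an added example, not code from either answer or from AWS, that applies the accepted answer's Organization walk to iam:ListUsers and produces the per-account report the question asks for. The role name IAMReadOnlyAuditRole, the session name IAMUserReport and the stub clients with their account ids and user names are all constructed for this example; the clients are injected so the logic runs offline, and the stubs mimic only the parts of the boto3 surface that the code touches (paginators, describe_organization, assume_role).

```python
from datetime import datetime, timezone

# Assumed name of the read-only role provisioned in every member account
CROSS_ACCOUNT_ROLE_NAME = "IAMReadOnlyAuditRole"
CSV_HEADER = "account_id,user_name,create_date,password_last_used"


def list_users_for_account(iam, account_id):
    """Walk every page of iam:ListUsers (at most 100 users per page) for one account."""
    rows = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            last_used = user.get("PasswordLastUsed")  # absent when the user never used a password
            rows.append((account_id, user["UserName"], user["CreateDate"].isoformat(),
                         last_used.isoformat() if last_used else "never"))
    return rows


def collect_org_iam_users(org, sts, iam_client_factory, role_name=CROSS_ACCOUNT_ROLE_NAME):
    """Enumerate IAM users in every ACTIVE account of the Organization.

    The management account is read with the caller's own credentials (creds=None);
    member accounts go through sts:AssumeRole into `role_name`. An account whose
    role cannot be assumed is recorded in `failures` instead of aborting the run.
    """
    management_id = org.describe_organization()["Organization"]["MasterAccountId"]
    rows, failures = [], {}
    for page in org.get_paginator("list_accounts").paginate():
        for account in page["Accounts"]:
            if account["Status"] != "ACTIVE":
                continue
            account_id = account["Id"]
            try:
                creds = None
                if account_id != management_id:
                    creds = sts.assume_role(
                        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
                        RoleSessionName="IAMUserReport")["Credentials"]
                rows.extend(list_users_for_account(iam_client_factory(creds), account_id))
            except Exception as exc:  # botocore.exceptions.ClientError in practice
                failures[account_id] = str(exc)
    return rows, failures


def to_csv_lines(rows):
    return [CSV_HEADER] + [",".join(row) for row in rows]


# ---- constructed stubs: just enough of the boto3 client surface to run offline ----
class _Paginator:
    def __init__(self, pages): self._pages = pages
    def paginate(self, **kwargs): return iter(self._pages)


class StubOrg:
    def __init__(self, management_id, accounts): self._mgmt, self._accounts = management_id, accounts
    def describe_organization(self): return {"Organization": {"MasterAccountId": self._mgmt}}
    def get_paginator(self, name): return _Paginator([{"Accounts": self._accounts}])


class StubSts:
    def __init__(self, assumable_accounts): self._ok = set(assumable_accounts)

    def assume_role(self, RoleArn, RoleSessionName):
        account_id = RoleArn.split(":")[4]
        if account_id not in self._ok:
            raise RuntimeError(f"AccessDenied: cannot assume {RoleArn}")
        return {"Credentials": {"AccessKeyId": "ASIA" + account_id,
                                "SecretAccessKey": "secret", "SessionToken": "token"}}


class StubIam:
    def __init__(self, users): self._users = users

    def get_paginator(self, name):
        # Two users per page so the pagination loop is genuinely exercised
        pages = [{"Users": self._users[i:i + 2]} for i in range(0, len(self._users), 2)]
        return _Paginator(pages or [{"Users": []}])


def run_demo():
    """Constructed sample org: 111... management, 222... dev, 333... role missing, 444... suspended."""
    t = datetime(2023, 5, 1, tzinfo=timezone.utc)
    users_by_account = {
        "111111111111": [{"UserName": "alice", "CreateDate": t, "PasswordLastUsed": t},
                         {"UserName": "bob", "CreateDate": t},
                         {"UserName": "carol", "CreateDate": t}],
        "222222222222": [{"UserName": "deploy-bot", "CreateDate": t}],
    }
    org = StubOrg("111111111111", [{"Id": i, "Status": s} for i, s in [
        ("111111111111", "ACTIVE"), ("222222222222", "ACTIVE"),
        ("333333333333", "ACTIVE"), ("444444444444", "SUSPENDED")]])
    sts = StubSts(assumable_accounts=["222222222222"])

    def iam_factory(creds):
        # creds is None for the management account, otherwise the assumed-role credentials
        account_id = "111111111111" if creds is None else creds["AccessKeyId"][4:]
        return StubIam(users_by_account.get(account_id, []))

    return collect_org_iam_users(org, sts, iam_factory)
```

On the EC2 host the stubs are replaced by `boto3.client("organizations")`, `boto3.client("sts")` and a factory that returns `boto3.client("iam")` for `None` and otherwise `boto3.client("iam", aws_access_key_id=creds["AccessKeyId"], aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])`. The instance role then needs `organizations:DescribeOrganization`, `organizations:ListAccounts` and `sts:AssumeRole` on the audit role ARNs, and the audit role in each member account needs a trust policy naming the instance role plus `iam:ListUsers`; keeping the failures dict in the output makes it obvious which accounts are missing the role rather than silently producing an incomplete report.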
