Is there a way to determine the Support plan usage level of the organization's sub-accounts?

0

Hello, we are a company that provides AWS managed services. We settle customers' expenses based on the CUR information of the organization's root account.

Under current AWS policy, the cost of most services is included in CUR information, but it is difficult to check the cost of support plans above the business level in CUR data.

We want to show our customers the estimated cost of their service plan next month when they are on a business level or higher support plan.

To do this, we need to know what level of support plan the customer is using. Is there a way to find out which support plan level an organization sub-account uses through the API provided by AWS?

1 Answer
1

ATM there seems to be no CLI for checking support levels.

However, using a tip from this SO post https://stackoverflow.com/questions/54730858/can-the-aws-support-plan-be-changed-via-cli-api, here's a Bash script you could run from the management account, as long as you can assume a common role in each other account.

Requires jq, bash, the CLI and a role in every sub-account

#!/bin/bash
#User configurable variables
roletoassume="OrganizationAccountAccessRole"

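# Force JSON output so jq can parse it whatever the CLI's configured default format is
accounts=$(aws organizations list-accounts --query "Accounts[*].Id" --output json)
account=$(aws organizations describe-organization --output json | jq -r .Organization.MasterAccountId)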
masteraccount=$account


# Check the management account first, using the caller's own credentials
SUPPORT_STATUS=$(aws support describe-severity-levels --region us-east-1 2>&1)
    if [[ "$SUPPORT_STATUS" == *"SubscriptionRequiredException"* ]]; then
        echo $account,"No Support Enabled for account"
    elif [[ "$SUPPORT_STATUS" == *"AccessDeniedException"* ]]; then
        echo $account,"Access denied or roles not properly setup"
    elif [[ "$SUPPORT_STATUS" == *"critical"* ]]; then
        echo $account,"Enterprise Support already enabled for account..."
    elif [[ "$SUPPORT_STATUS" == *"urgent"* ]]; then
        echo $account,"Only Business Level Support enabled for account..."
    elif [[ "$SUPPORT_STATUS" == *"high"* ]]; then
        echo $account,"Only Developer Level Support enabled for account..."
    fi

echo "$accounts" | jq -r '.[]' | while read -r account;
do
        if [[ "$account" != "$masteraccount" ]]
        then
                # Assume the common role; skip the account if that fails, so the check
                # below never runs with the management account's own credentials
                if ! sts=$(aws sts assume-role --role-arn "arn:aws:iam::${account}:role/${roletoassume}" --role-session-name mysession --output json); then
                        echo "$account,Access denied or roles not properly setup"
                        continue
                fi

                # Temporary credentials of the assumed role, for this iteration only
                export AWS_ACCESS_KEY_ID=$(echo "$sts" | jq -r '.Credentials.AccessKeyId')
                export AWS_SECRET_ACCESS_KEY=$(echo "$sts" | jq -r '.Credentials.SecretAccessKey')
                export AWS_SESSION_TOKEN=$(echo "$sts" | jq -r '.Credentials.SessionToken')

                SUPPORT_STATUS=$(aws support describe-severity-levels --region us-east-1 2>&1)
                if [[ "$SUPPORT_STATUS" == *"SubscriptionRequiredException"* ]]; then
                        echo $account,"No Support Enabled for account"
                elif [[ "$SUPPORT_STATUS" == *"AccessDeniedException"* ]]; then
                        echo $account,"Access denied or roles not properly setup"
                elif [[ "$SUPPORT_STATUS" == *"critical"* ]]; then
                        echo $account,"Enterprise Support already enabled for account..."
                elif [[ "$SUPPORT_STATUS" == *"urgent"* ]]; then
                        echo $account,"Only Business Level Support enabled for account..."
                elif [[ "$SUPPORT_STATUS" == *"high"* ]]; then
                        echo $account,"Only Developer Level Support enabled for account..."
                fi

                unset AWS_ACCESS_KEY_ID
                unset AWS_SECRET_ACCESS_KEY
                unset AWS_SESSION_TOKEN

        fi
done
EXPERT
answered 4 months ago
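A variant of the per-account check in the answer above, as an added example that is not the answerer's script: it passes the assumed role's temporary credentials to a single `aws` call instead of exporting them into the shell, and matches severity codes as whole words rather than as substrings. The function names and the session name `support-plan-check` are hypothetical; the code-to-plan mapping is copied from the answer's script, and `jq` is not needed.

```shell
#!/bin/sh
# Added example; function names and the session name are assumptions.

# classify_support OUTPUT: map the output of `aws support describe-severity-levels`
# (tab-separated codes, or an error message) to a plan label, using the same
# mapping as the script in the answer above.
classify_support() (
    # Pad with spaces so each severity code is matched as a whole word
    words=" $(printf '%s' "$1" | tr '\t\n' '  ') "
    case "$words" in
        *SubscriptionRequiredException*) echo "No Support" ;;
        *AccessDeniedException*)         echo "Access denied" ;;
        *" critical "*)                  echo "Enterprise" ;;
        *" urgent "*)                    echo "Business" ;;
        *" high "*)                      echo "Developer" ;;
        *)                               echo "Unknown" ;;
    esac
)

# support_level_for ACCOUNT ROLE: print "ACCOUNT,<plan>". The function body is a
# subshell and the credentials are set only for the one `aws support` command,
# so they are never exported to the calling shell or to later commands.
support_level_for() (
    account="$1"; role="$2"
    if ! creds=$(aws sts assume-role \
            --role-arn "arn:aws:iam::${account}:role/${role}" \
            --role-session-name support-plan-check \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text 2>/dev/null); then
        # Do not fall through to the caller's own credentials
        echo "$account,Access denied"
        exit 1
    fi
    set -f               # no globbing while splitting the three fields
    set -- $creds        # $1=AccessKeyId $2=SecretAccessKey $3=SessionToken
    out=$(AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" \
          AWS_SESSION_TOKEN="$3" \
          aws support describe-severity-levels --region us-east-1 \
              --query 'severityLevels[].code' --output text 2>&1) || true
    echo "$account,$(classify_support "$out")"
)

# Constructed sample output (tab-separated codes), classified offline:
classify_support "$(printf 'low\tnormal\thigh\turgent')"   # prints: Business
```

To cover an organization, call `support_level_for "$account" OrganizationAccountAccessRole` for each ID returned by `aws organizations list-accounts`.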
