- Newest
- Most votes
- Most comments
Currently there is no out of the box integration to centrally pull that off.
One workaround is that you use Lambda functions pulling report through API and storing them either in a DB or a S3 bucket, optionally publish to SNS, and either deploy them into each accounts using IaC tools like CloudFormation, or creating roles and grant permissions to a centralized Lambda in each child account.
You will need to balance ease of making update to your Lambda vs maintaining cross account permissions when decide which approach to take.
I do want to mention you might want to take a step back and see why you want such a report. Have you enabled other tools such as GuardDuty, Detective, Inspector and Security Hub? Those services have integrations with AWS Organizations and can be an important part of a layered approach to security.
Also, check with your account manager and arrange a security review with either your account solutions architect, TAM, or a specialist from AWS.
Relevant content
- asked a year ago
- asked a year ago
- asked 3 months ago
- Accepted Answerasked 2 years ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 7 months ago
Thanks for your answer, Jason. Security services wise we have relevant services enabled and integrated. What we needed was to have a consolidated list of IAM users/roles/groups and policies with them. I was thinking whether a workaround could be having IAM Access Analyser enabled via Org and then be able to export IAM related findings across all accounts.
It depends on what level of report you are looking for and what resources. For example, IAM Access Analyser only support certain resources such as S3, IAM roles, KMS keys etc. Also it will not give you a complete report as to all the roles, groups, users and policies. That being said, it is a great tool to enable within the AWS Organizations and get insights into some of the key areas you want to understand the access levels.