- 最新
- 最多得票
- 最多評論
UPDATE - specifically regarding KMS Keys - there is no ability to use the kms:ListKeys action from another AWS Account. I'm not aware of anything similar to the IAM credential report for KMS.
The following helps with IAM credentials:
You can generate a credential report for a single AWS account which will list out all credentials in a specific account: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
To do this at scale we have a blog post with corresponding templates to generate this across all your accounts: https://aws.amazon.com/blogs/infrastructure-and-automation/automate-iam-credential-reports-at-scale-across-aws/
This will also include details of when a key was last used – you’re likely also interested in where it was last used. Querying CloudTrail with Athena is a good next step for digging deeper: https://aws.amazon.com/premiumsupport/knowledge-center/athena-tables-search-cloudtrail-logs/
相關內容
- 已提問 6 個月前
AWS 官方已更新 2 年前
Is it possible to have a single master level credential through which we can query the resources of all the child accounts in an AWS Organization account?