How to list all IAM users in a multi-environment organization from a single server

0

I have created a role and attached it to my EC2 instance to allow the ability to access the IAM users in an environment for reporting purposes. I went this route to prevent the need for storing any AWS credentials in a credential file. Does anyone know if it is possible for the single EC2 host to read all IAM users for multiple environments? We have several environments (prod, dev, security, auditing, etc...), and my goal is to generate a report on all IAM users for all our environments from the single host.

Any information is much appreciated!

2 Answers
0
Accepted Answer

If you are operating multiple accounts in an AWS Organization I'd suggest using Config for this because you can easily query Config to see many different types of resources across all accounts. The resources you can access are listed here and IAM Users are in that list.

That said, you can also do this by running some code. The example below iterates through all accounts in an Organization but you could also pass in a list of account ids instead. I originally wrote this to get a list of VPCs and IP address ranges in each VPC but it is not difficult to modify it to query IAM Users instead.

import boto3
import sys

crossAccountRoleName = 'NetworkRole'
org = boto3.client('organizations')
sts = boto3.client('sts')

def processAccount(ec2, credentials):
    # The module-level sts client always answers with the management account's id,
    # so for an assumed-role session take the account id from the AssumedRoleUser ARN.
    if credentials:
        accountId = credentials['AssumedRoleUser']['Arn'].split(':')[4]
    else:
        accountId = sts.get_caller_identity()['Account']

    regionList = ec2.describe_regions()['Regions']
    for region in regionList:
        if credentials:
            ec2Region = boto3.client('ec2',
                                     aws_access_key_id=credentials['Credentials']['AccessKeyId'],
                                     aws_secret_access_key=credentials['Credentials']['SecretAccessKey'],
                                     aws_session_token=credentials['Credentials']['SessionToken'],
                                     region_name=region['RegionName'])
        else:
            # region_name is required here too, otherwise every iteration scans the default region
            ec2Region = boto3.client('ec2', region_name=region['RegionName'])

        vpcList = ec2Region.describe_vpcs().get('Vpcs', [])
        for vpc in vpcList:
            print(f'{accountId},{region["RegionName"]},{vpc["VpcId"]},{vpc["CidrBlock"]}')

# No Organization (or no permission to describe it): scan only the account the
# instance role belongs to.
try:
    orgDetails = org.describe_organization()
except (org.exceptions.AWSOrganizationsNotInUseException,
        org.exceptions.AccessDeniedException):
    processAccount(boto3.client('ec2'), None)
    sys.exit(0)

accountPaginator = org.get_paginator('list_accounts')
for page in accountPaginator.paginate():
    for account in page['Accounts']:
        if account['Id'] == orgDetails['Organization']['MasterAccountId']:
            # Management account: the instance role's own credentials are used directly
            processAccount(boto3.client('ec2'), None)
        else:
            targetRoleArn = f'arn:aws:iam::{account["Id"]}:role/{crossAccountRoleName}'
            try:
                credentials = sts.assume_role(RoleArn=targetRoleArn,
                                              RoleSessionName='VPCNetworkScanner')
            except Exception as e:
                # Role missing or trust policy wrong in that account: report it and move on
                print(f'STS assume_role failed: {e} for account {account["Id"]}')
                continue

            ec2 = boto3.client('ec2',
                               aws_access_key_id=credentials['Credentials']['AccessKeyId'],
                               aws_secret_access_key=credentials['Credentials']['SecretAccessKey'],
                               aws_session_token=credentials['Credentials']['SessionToken'])

            processAccount(ec2, credentials)
AWS, Expert, answered 10 months ago
0

You would need to create cross account roles and then assume the role in each account and query the list of users.

However, what you should be doing is to have all users in one AWS account and manage users from here. This way your problem wouldn’t exist. Users would just assume roles in said accounts.

Expert, answered 10 months ago
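Both answers describe the same mechanism: a cross-account role in every account, assumed from the single host, followed by a ListUsers call. The script below is an added example (not code from either answer or from AWS) that does exactly that for IAM users instead of VPCs. It assumes a role named IAMUserReportRole exists in each member account with a permissions policy granting iam:ListUsers and a trust policy whose principal is the EC2 instance role, and that the instance role itself may call organizations:ListAccounts, organizations:DescribeOrganization, iam:ListUsers and sts:AssumeRole on those role ARNs; the role name, session name and sample account ids are all chosen for this example. Unlike the VPC scan above there is no region loop, because IAM is a global service. The AWS calls are confined to run(); the helpers are pure, and a constructed sample lets the report logic run offline with --demo.

```python
"""List every IAM user in every account of an AWS Organization from one EC2 host.
AWS calls are confined to run(); the other functions are pure and run offline."""
import csv
import sys
from datetime import datetime
from typing import Dict, Iterable, List

CROSS_ACCOUNT_ROLE_NAME = "IAMUserReportRole"  # name chosen for this example
FIELDS = ["Account", "UserName", "Arn", "CreateDate", "PasswordLastUsed"]


def cross_account_role_arn(account_id: str, role_name: str = CROSS_ACCOUNT_ROLE_NAME) -> str:
    """ARN of the report role in a member account ('aws' partition assumed)."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def member_accounts(accounts: Iterable[Dict], management_account_id: str) -> List[str]:
    """ACTIVE account ids other than the management account (read with the instance
    role's own credentials). SUSPENDED accounts are skipped: AssumeRole into them fails."""
    return sorted(a["Id"] for a in accounts
                  if a.get("Status") == "ACTIVE" and a["Id"] != management_account_id)


def _iso(value) -> str:
    return value.isoformat() if isinstance(value, datetime) else str(value)


def user_rows(account_id: str, users: Iterable[Dict]) -> List[Dict[str, str]]:
    """Flatten ListUsers entries into report rows. PasswordLastUsed is absent for users
    without a console password or who never signed in, so it must be treated as optional."""
    return [{"Account": account_id, "UserName": u["UserName"], "Arn": u["Arn"],
             "CreateDate": _iso(u["CreateDate"]),
             "PasswordLastUsed": _iso(u["PasswordLastUsed"]) if "PasswordLastUsed" in u else "never"}
            for u in users]


def list_users(iam_client, account_id: str) -> List[Dict[str, str]]:
    """Page through ListUsers; one call returns at most 100 users by default."""
    users = []
    for page in iam_client.get_paginator("list_users").paginate():
        users.extend(page["Users"])
    return user_rows(account_id, users)


def run(out=sys.stdout) -> None:
    """Real run against AWS: writes one CSV row per user across the whole Organization."""
    import boto3  # imported here so the pure helpers work without boto3 installed
    from botocore.exceptions import ClientError

    org, sts = boto3.client("organizations"), boto3.client("sts")
    management_id = org.describe_organization()["Organization"]["MasterAccountId"]
    accounts = [a for page in org.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(list_users(boto3.client("iam"), management_id))  # IAM is global: no region loop
    for account_id in member_accounts(accounts, management_id):
        try:
            creds = sts.assume_role(RoleArn=cross_account_role_arn(account_id),
                                    RoleSessionName="IAMUserReport",
                                    DurationSeconds=900)["Credentials"]  # shortest allowed lifetime
        except ClientError as exc:  # role missing or trust policy wrong: report and move on
            print(f"skipping {account_id}: {exc.response['Error']['Code']}", file=sys.stderr)
            continue
        iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
        writer.writerows(list_users(iam, account_id))


# Constructed sample in the shape of ListAccounts / ListUsers responses (not real accounts).
_T = datetime(2023, 1, 2, 3, 4, 5)
SAMPLE_ACCOUNTS = [{"Id": "111111111111", "Status": "ACTIVE"},     # management
                   {"Id": "222222222222", "Status": "ACTIVE"},     # prod
                   {"Id": "333333333333", "Status": "SUSPENDED"}]  # closed, skipped
SAMPLE_USERS = {
    "111111111111": [{"UserName": "auditor", "Arn": "arn:aws:iam::111111111111:user/auditor",
                      "CreateDate": _T, "PasswordLastUsed": _T}],
    "222222222222": [{"UserName": "svc-deploy", "Arn": "arn:aws:iam::222222222222:user/svc-deploy",
                      "CreateDate": _T}],
}


def demo_report() -> List[Dict[str, str]]:
    """Offline run of the report logic over the constructed sample."""
    mgmt = SAMPLE_ACCOUNTS[0]["Id"]
    rows = []
    for account_id in [mgmt] + member_accounts(SAMPLE_ACCOUNTS, mgmt):
        rows.extend(user_rows(account_id, SAMPLE_USERS.get(account_id, [])))
    return rows


if __name__ == "__main__":
    if "--demo" in sys.argv:
        csv.DictWriter(sys.stdout, fieldnames=FIELDS).writerows(demo_report())
    else:
        run()
```

Run it with --demo to see the row shape without AWS access; without the flag it needs the instance role and the per-account roles described above. Two details matter in practice: ListUsers must be paginated, since a single call silently stops at 100 users, and PasswordLastUsed is missing rather than null for users who have never used a console password, so a report that assumes the key is present will crash on exactly the service accounts it is most useful for.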
