I'm managing several AWS organizations, and within each organization, there are multiple member accounts. For example, I want to locate a specific IAM role (like iam-role-abc) or figure out which account has a particular Route 53 hosted zone (like abc.com). Additionally, I want to know the total number of IAM roles in a specific organization. What are some effective ways to search for these resources across different accounts?
6 Answers
Another solid approach is to use AWS Config with data aggregation to a dedicated account. You can then run queries using AWS Athena to analyze the data. Check out the AWS documentation for steps on how to set it up.
We invested in a CMDB tool called CloudAware. It lets us report across multiple clouds and accounts effectively. At first, I thought we wouldn't need it, but it's turned out to be really useful.
Consider using Resource Explorer along with some scripting to loop through your accounts and gather the needed information.
There are various tools available that perform comprehensive inventories like Wiz, Prisma, or CloudHealth. With these, you can easily search for any resource and see its corresponding account without worrying about organizational limits.
AWS Config is an option, but keep in mind you'll need to check each organization separately. If you need to roll up all that data into one central location, it might not be possible with different organizations without some custom setups.
I recommend using Steampipe for this task. It allows you to query AWS resource configurations efficiently. I even created custom zsh functions to speed up searches, like `locate_aws_instance` for finding instances by their ID.
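As an added illustration of the Steampipe approach (and of the cross-account query the AWS Config/Athena answer above describes), here are example queries that are not from the original post; they assume a Steampipe aggregator connection named `aws_all` that spans one `aws` connection per member account, regardless of which organization the account belongs to, and the sample role and zone names are the ones from the question.

```sql
-- Assumed aggregator connection (in ~/.steampipe/config/aws.spc, hypothetical names):
--   connection "aws_all" {
--     plugin      = "aws"
--     type        = "aggregator"
--     connections = ["aws_*"]   -- one connection per member account, any org
--   }

-- 1. Locate a specific IAM role and report which account(s) hold it.
select
  account_id,
  name,
  arn,
  create_date
from
  aws_all.aws_iam_role
where
  name = 'iam-role-abc';

-- 2. Find which account owns a particular Route 53 hosted zone.
--    Route 53 returns zone names with a trailing dot, so match on 'abc.com.'.
select
  account_id,
  id,
  name,
  private_zone
from
  aws_all.aws_route53_zone
where
  name = 'abc.com.';

-- 3. Count IAM roles per account, with a grand total across every
--    account the aggregator covers (restrict the connection list to
--    one organization's accounts to get a per-organization total).
select
  account_id as scope,
  count(*)   as role_count
from
  aws_all.aws_iam_role
group by
  account_id
union all
select
  'TOTAL' as scope,
  count(*) as role_count
from
  aws_all.aws_iam_role
order by
  scope;
```

Each query runs in a single `steampipe query` session; the `account_id` column is what turns the result into an answer to "which account has this resource".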

Exactly! Each organization is designed to manage costs separately, which is tricky. If consolidating them isn't feasible, you're looking at running multiple AWS Config queries, one for each organization.