Code Monkey home page Code Monkey logo

precon's Introduction

Preconsolidation Script:

This is a simple AWS CLI Shell Script that can be used to get details around below Pre Consolidation Questions for AWS Prospect and Incoming New Customers.

Any Risk Involved in Running this Script in Root Account?

There is zero risk when you check the code all CLI commands are list commands and the script is not doing any modification to any of resources in the AWS Account.

This Script Covers below Pre Consolidation questions:

  1. Customer has AWS Organization enabled?
  2. How many accounts are there in the AWS organization?
  3. Does any account in the AWS Organization has a bill above $50,000 in the last month?
  4. List all the AWS Org services that are enabled in the Master Org Account.
  5. Check and list the workloads running in the customer's master payer account.
  6. What level of AWS Support does the account have?
  7. Check if AWS Identity Center is enabled.
  8. Check for Applied AWS Service Control Policies (SCP).
  9. Check for AWS Marketplace listings.
  10. Check if cost allocation tags are enabled.

Prerequisite to Run This Script:

  1. Script needs to be executed by only the root or admin user only.
  2. Cost explorer should be enabled by customer (If not then do manual pre consolidation)

How to Run this script:

  1. Login to AWS console as root user.

  2. Open AWS Cloud Shell Located at top right.

    Screenshot 2023-11-19 at 6 23 30 PM

  3. Run This Command

    bash <(curl -Ls https://raw.githubusercontent.com/doitintl/precon/main/details.sh)

  4. Email the output if the script to the DOIT Representative.

Sample Output

Standalone AWS Account:

[cloudshell-user@ip-10-130-86-122 ~]$ bash <(curl -Ls https://raw.githubusercontent.com/doitintl/precon/main/details.sh)
Collecting information from AWS...
AWS Organization is not enabled.
Customer does not have AWS Organization and will need a new MPA.
Checking for AWS Identity Center:
No, AWS Identity Center is not enabled.
Checking for AWS SCPs:
An error occurred (AWSOrganizationsNotInUseException) when calling the ListPolicies operation: Your account is not a member of an organization.
Checking for AWS Marketplace listings:
No marketplace listing found.
Checking for cost allocation tags:
Cost allocation tags are not enabled or no tags are set.
Information gathering complete.

AWS Account with Organization Enabled:

Collecting information from AWS...
AWS Organization is enabled.
Number of accounts in the AWS organization:
4
Checking if any account has a bill above 50,000 in the last month:
No account above 50K monthly.
Customer has AWS Organization.
List of enabled AWS Org services:
-------------------------------------
|ListAWSServiceAccessForOrganization|
+-----------------------------------+
|  cloudtrail.amazonaws.com         |
|  config.amazonaws.com             |
|  controltower.amazonaws.com       |
|  securityhub.amazonaws.com        |
|  sso.amazonaws.com                |
+-----------------------------------+
Checking for workloads in the master payer account:
Yes, there are EC2 instances running in the root account.
No workloads detected in the root account.
AWS Support Plan for the account:
The account is likely on the Basic or Developer support plan.
Checking for AWS Identity Center:
No, AWS Identity Center is not enabled.
Checking for AWS SCPs:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|                                                                                                       ListPolicies                                                                                                       |
+--------------------------------------------------------------------------------------------+-------------+----------------------------------------+------------------+------------------------+--------------------------+
|                                             Arn                                            | AwsManaged  |              Description               |       Id         |         Name           |          Type            |
+--------------------------------------------------------------------------------------------+-------------+----------------------------------------+------------------+------------------------+--------------------------+
|  arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess                  |  True       |  Allows access to every operation      |  p-FullAWSAccess |  FullAWSAccess         |  SERVICE_CONTROL_POLICY  |
|  arn:aws:organizations::622636313538:policy/o-k1r3qb8a3c/service_control_policy/p-zzspmted |  False      |  Guardrails applied to an organization |  p-zzspmted      |  aws-guardrails-NwTpKU |  SERVICE_CONTROL_POLICY  |
|  arn:aws:organizations::622636313538:policy/o-k1r3qb8a3c/service_control_policy/p-051g8d1g |  False      |  Guardrails applied to an organization |  p-051g8d1g      |  aws-guardrails-lELuzo |  SERVICE_CONTROL_POLICY  |
|  arn:aws:organizations::622636313538:policy/o-k1r3qb8a3c/service_control_policy/p-f7jg3vc1 |  False      |  Guardrails applied to an organization |  p-f7jg3vc1      |  aws-guardrails-TgTtEc |  SERVICE_CONTROL_POLICY  |
+--------------------------------------------------------------------------------------------+-------------+----------------------------------------+------------------+------------------------+--------------------------+
Checking for AWS Marketplace listings:
No marketplace listing found.
Checking for cost allocation tags:
Cost allocation tags are not enabled or no tags are set.
Information gathering complete.

precon's People

Contributors

piyu200594 avatar

Watchers

Shay Erlichmen avatar avatar avatar

precon's Issues

Script only checks the current region for workloads, assumes management account

Great script! I just saw it used live for the first time today.

There are a few limitations I want to point out.

  • It only checks the current regions for workloads like EC2. This could be a reasonable choice, but it should be made explicit. Maybe add to the Prerequisite section: "Ask the user to run this in their usual region. If they use more than one region, run it once in each"
  • We should not ask them to login as root (against best practice). They should use an admin user and only use root if they have no choice.
  • Add to Prerequisite: This must be run in the management account (if using AWS organization)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.