Austin Heiman atheiman

@atheiman
atheiman / ssm-automation-doc.yml
Created November 5, 2024 22:37
SSM Automation document that sets every EBS volume attached to a given EC2 instance to delete on instance termination
description: Set all EBS volumes of an EC2 instance to delete on instance termination
schemaVersion: '0.3'
parameters:
  InstanceId:
    type: String
  AutomationAssumeRole:
    type: String
    default: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/AWS-SystemsManager-AutomationExecutionRole'
    description: >-
      (Optional) The ARN of the role that allows Automation to perform the actions on your behalf. If no role is
@atheiman
atheiman / cross-acct-config-evaluation-role.yml
Last active November 1, 2024 14:22
CloudFormation template creating a cross-account role, assumable only by a given source role ARN, with permission to submit Config evaluations. Can be deployed as a StackSet.
Parameters:
  RoleName:
    Description: Name of role to be created - this will be suffixed with the region name
    Type: String
  SourceRoleArn:
    Description: Source IAM role ARN to assume the role
    Type: String
Resources:
  ConfigCrossAcctEvaluationRole:
@atheiman
atheiman / 1-config.tf
Last active December 4, 2024 01:18
AWS Config custom policy rule using Guard to evaluate tag compliance. Deployed as an OrganizationConfigRule w/ Terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}
resource "aws_config_organization_custom_policy_rule" "required_tags" {
@atheiman
atheiman / config_tag_compliance.tf
Last active December 4, 2024 01:18
Terraform to deploy a Config custom rule w/ Lambda function to evaluate resource tag compliance
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}
data "aws_partition" "current" {}
@atheiman
atheiman / cloudformation-eventbridge-cloudwatch-logs.yml
Created October 17, 2024 21:03
CloudFormation template creating an EventBridge rule to send events to a CloudWatch Logs log group for review.
# aws cloudformation deploy --stack-name LogEvents --template-file ./cloudformation-eventbridge-cloudwatch-logs.yml
#
# Use this EventBridge rule to send events to a CloudWatch Logs log group for review. An example
# use case is to review CloudTrail logs w/ CloudWatch Logs Insights. Recently used this to identify
# service and CloudTrail events from DRS to trigger custom automation (Lambda).
#
# Example CloudWatch Logs Insights query for the log group:
#
# fields @timestamp, @message, `detail-type`, `detail.eventName`
# | filter detail.eventName in ["CreateSourceServerForDrs", "CreateRecoveryInstanceForDrs", "ReverseReplication"]
@atheiman
atheiman / config_aggregator_rule_compliance_query.py
Created October 15, 2024 21:52
Query an AWS Config aggregator for rule compliance and write the results to a CSV file.
import json
import boto3
import botocore
import os
import datetime
import re
import csv
from functools import lru_cache
sts = boto3.client("sts")
@atheiman
atheiman / config_evaluation.py
Last active December 4, 2024 01:19
AWS Config custom rule for resource tag compliance evaluation. Deployed as CloudFormation stacks.
# See documented events sent by Config here: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_example-events.html
#
# It is much easier to write evaluations for rules using ConfigurationItemChangeNotification and
# OversizedConfigurationItemChangeNotification. These notifications include the resource as recorded
# by Config. The Lambda function can review the resource config json and submit an evaluation for
# the resource.
#
# ScheduledNotification events are not specific to a resource, the event only includes
# the account id and rule name. Lambda functions must list all the resources in the account using
# service apis, call the appropriate apis to evaluate the resources config, and then submit
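The comment above describes the two paths a Config custom rule has to handle: change notifications, which carry the recorded resource (or, when oversized, only a summary to look it up), and scheduled notifications, which carry nothing but the account and rule. The following is an added example, not the gist's own Lambda code, showing one evaluator that covers both paths and builds the evaluation records PutEvaluations expects. It assumes a rule parameter named RequiredTags (hypothetical), injects the inventory and lookup calls so it runs offline, and uses a constructed change event and a constructed resource inventory in place of anything captured from a real account.

```python
"""Tag-compliance evaluator for an AWS Config custom Lambda rule (added example, not the gist's code)."""
import json

# Hypothetical rule parameter "RequiredTags": comma-separated tag keys that must be present and non-empty.
DEFAULT_REQUIRED_TAGS = ("Owner", "Environment")
CHANGE_TYPES = ("ConfigurationItemChangeNotification", "OversizedConfigurationItemChangeNotification")
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def parse_required_tags(rule_parameters):
    # ruleParameters arrives as a JSON-encoded string, or is absent when the rule has no parameters.
    params = json.loads(rule_parameters or "{}")
    raw = params.get("RequiredTags")
    if not raw:
        return list(DEFAULT_REQUIRED_TAGS)
    return [k.strip() for k in raw.split(",") if k.strip()]


def evaluate_tags(tags, required):
    """Return (ComplianceType, Annotation) for one resource's tag map. Empty values count as missing."""
    missing = sorted(k for k in required if not tags.get(k))
    if missing:
        return "NON_COMPLIANT", "Missing required tag(s): " + ", ".join(missing)
    return "COMPLIANT", "All required tags present"


def evaluation(resource_type, resource_id, compliance, note, ordering_ts):
    return {"ComplianceResourceType": resource_type, "ComplianceResourceId": resource_id,
            "ComplianceType": compliance, "Annotation": note, "OrderingTimestamp": ordering_ts}


def evaluations_from_change(event, invoking_event, required, describe_ci):
    """Change notifications carry the resource (or, when oversized, a summary to look it up)."""
    if invoking_event["messageType"] == "ConfigurationItemChangeNotification":
        ci = invoking_event["configurationItem"]
    else:
        summary = invoking_event["configurationItemSummary"]
        # describe_ci stands in for config.get_resource_config_history(); injected so this runs offline.
        ci = describe_ci(summary["resourceType"], summary["resourceId"])
    if event.get("eventLeftScope") or ci["configurationItemStatus"] in DELETED_STATUSES:
        # A deleted or out-of-scope resource is reported NOT_APPLICABLE so its old result is cleared.
        compliance, note = "NOT_APPLICABLE", "Resource deleted or out of scope"
    else:
        compliance, note = evaluate_tags(ci.get("tags") or {}, required)
    return [evaluation(ci["resourceType"], ci["resourceId"], compliance, note,
                       ci["configurationItemCaptureTime"])]


def evaluations_from_schedule(invoking_event, required, list_resources):
    """Scheduled notifications name no resource: the function must enumerate them itself."""
    ordering_ts = invoking_event["notificationCreationTime"]
    evals = []
    for res in list_resources():
        compliance, note = evaluate_tags(res["tags"], required)
        evals.append(evaluation(res["resourceType"], res["resourceId"], compliance, note, ordering_ts))
    return evals


def handler(event, context=None, *, list_resources=None, describe_ci=None, config_client=None):
    """Lambda entry point. The keyword arguments are injected for offline use; a deployed copy would
    pass an inventory call (e.g. resourcegroupstaggingapi GetResources) and boto3.client("config")."""
    invoking_event = json.loads(event["invokingEvent"])
    required = parse_required_tags(event.get("ruleParameters"))
    msg_type = invoking_event["messageType"]
    if msg_type == "ScheduledNotification":
        evals = evaluations_from_schedule(invoking_event, required, list_resources)
    elif msg_type in CHANGE_TYPES:
        evals = evaluations_from_change(event, invoking_event, required, describe_ci)
    else:
        raise ValueError(f"unsupported messageType {msg_type!r}")
    if config_client is not None:
        # PutEvaluations accepts at most 100 evaluations per call; the token ties them to this invocation.
        for i in range(0, len(evals), 100):
            config_client.put_evaluations(Evaluations=evals[i:i + 100], ResultToken=event["resultToken"])
    return evals


# --- constructed sample input (not captured from a real account) ---
CHANGE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "notificationCreationTime": "2024-12-01T00:00:05.000Z",
        "configurationItem": {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
                              "configurationItemStatus": "OK",
                              "configurationItemCaptureTime": "2024-12-01T00:00:00.000Z",
                              "tags": {"Owner": "platform-team"}},
    }),
    "ruleParameters": json.dumps({"RequiredTags": "Owner,Environment"}),
    "resultToken": "constructed-token",
    "eventLeftScope": False,
}
SCHEDULED_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                 "notificationCreationTime": "2024-12-01T01:00:00.000Z",
                                 "awsAccountId": "111111111111"}),
    "ruleParameters": json.dumps({"RequiredTags": "Owner,Environment"}),
    "resultToken": "constructed-token",
}


def constructed_inventory():
    """Constructed stand-in for the inventory call the scheduled path needs."""
    return [{"resourceType": "AWS::S3::Bucket", "resourceId": "tagged-bucket",
             "tags": {"Owner": "sec", "Environment": "prod"}},
            {"resourceType": "AWS::S3::Bucket", "resourceId": "untagged-bucket", "tags": {}}]


if __name__ == "__main__":
    print(json.dumps(handler(CHANGE_EVENT), indent=2))
    print(json.dumps(handler(SCHEDULED_EVENT, list_resources=constructed_inventory), indent=2))
```

The scheduled path is where the cost lives: every invocation re-lists the inventory, so a deployed copy should page through the inventory API and keep the 100-per-call batching on PutEvaluations, and the NOT_APPLICABLE branch matters because a resource that is deleted without a follow-up evaluation keeps its last NON_COMPLIANT result in the rule's compliance view.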
@atheiman
atheiman / docker-image-share.sh
Created May 21, 2024 01:55
Package and share docker image
# Package docker image to .tar.gz to share to another machine
docker pull alpine
docker save alpine | gzip > alpine.tar.gz
# Load docker image from .tar.gz
docker load < alpine.tar.gz
# Show loaded image
docker image ls alpine
# REPOSITORY TAG IMAGE ID CREATED SIZE
@atheiman
atheiman / boto3_all_accounts.py
Last active August 16, 2024 21:15
Run boto3 in a loop across all organization member AWS accounts
import json
import boto3
import os
import traceback as tb
if boto3.session.Session().region_name.startswith("us-gov-"):
    partition = "aws-us-gov"
    regions = ["us-gov-west-1", "us-gov-east-1"]
else:
    partition = "aws"
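The snippet above derives the partition from the region so that role ARNs resolve in GovCloud as well as commercial. The following is an added example, not the gist's own code, that generalizes the same idea (it also covers the aws-cn partition) and shows the loop shape a practitioner wants around it: skip non-ACTIVE accounts, isolate each account's failure so one missing or denied role does not abort the run, and report results per account. The account list, the fake_assume_role stand-in and the role name are constructed for offline use; the boto3_assume_role helper is what a deployed copy would pass instead.

```python
"""Loop a unit of work over every ACTIVE organization member account (added example, not the gist's code)."""
import traceback as tb

# Region prefix -> partition. Anything else is the commercial "aws" partition.
PARTITION_BY_REGION_PREFIX = (("us-gov-", "aws-us-gov"), ("cn-", "aws-cn"))


def partition_for_region(region):
    for prefix, partition in PARTITION_BY_REGION_PREFIX:
        if region.startswith(prefix):
            return partition
    return "aws"


def role_arn(partition, account_id, role_name):
    # Partition-aware ARN: hard-coding "arn:aws:" breaks in GovCloud and China regions.
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"


def boto3_assume_role(arn, session_name, region):
    """Real implementation for deployed use: returns a boto3.Session scoped to the target account.
    boto3 is imported lazily so the module runs (and is testable) without it installed."""
    import boto3
    creds = boto3.client("sts").assume_role(RoleArn=arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"],
                         region_name=region)


def run_in_all_accounts(accounts, region, role_name, work, assume_role, skip_account_ids=()):
    """accounts: entries shaped like organizations.list_accounts()["Accounts"] (Id, Status).
    assume_role(arn, session_name, region) -> session, or raises (AccessDenied, role missing, ...).
    work(account_id, session) -> result. Failures are collected per account and the loop continues."""
    partition = partition_for_region(region)
    results = {"ok": {}, "failed": {}, "skipped": []}
    for acct in accounts:
        acct_id = acct["Id"]
        if acct.get("Status") != "ACTIVE" or acct_id in skip_account_ids:
            results["skipped"].append(acct_id)
            continue
        try:
            session = assume_role(role_arn(partition, acct_id, role_name), "all-accounts-loop", region)
            results["ok"][acct_id] = work(acct_id, session)
        except Exception as exc:  # deliberately broad: one account must not abort the sweep
            results["failed"][acct_id] = f"{type(exc).__name__}: {exc}"
            tb.print_exc()
    return results


# --- constructed sample data (no real accounts or credentials) ---
CONSTRUCTED_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE"},
    {"Id": "222222222222", "Status": "ACTIVE"},     # role not deployed here: assume_role fails
    {"Id": "333333333333", "Status": "SUSPENDED"},  # never attempted
]


def fake_assume_role(arn, session_name, region):
    """Constructed stand-in for STS AssumeRole: denies one account, returns a dict for the rest."""
    if ":222222222222:" in arn:
        raise PermissionError(f"AccessDenied assuming {arn}")
    return {"arn": arn, "region": region}


def fake_work(account_id, session):
    return {"account": account_id, "role_arn": session["arn"]}


def demo():
    return run_in_all_accounts(CONSTRUCTED_ACCOUNTS, "us-gov-west-1", "OrganizationAccountAccessRole",
                               fake_work, fake_assume_role)


if __name__ == "__main__":
    print(demo())
```

In a deployed copy, pass boto3_assume_role as assume_role and feed accounts from a paginated organizations.list_accounts() call from the management or delegated-admin account; the failed map is the list of accounts where the cross-account role is missing or its trust policy does not admit the caller, which is exactly the inventory gap to chase.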
@atheiman
atheiman / aws_switch_role_bookmark_generator.py
Last active August 5, 2024 17:41
AWS organization switch role (assume role) bookmark generator - outputs html to stdout that can be saved to a .html file and imported into browser bookmarks.
import boto3
import os
# Example usage from a bash shell:
# PREFIX='AWS COMM' AWS_PROFILE=comm-mgmt ROLE_NAME=AWSControlTowerExecution python ./aws_switch_role_bookmark_generator.py > ./aws-switch-role-bookmarks.html
# Environment variables for configuration
role_name = os.environ.get("ROLE_NAME", "OrganizationAccountAccessRole")
include_mgmt = os.environ.get("INCLUDE_MGMT", "true").lower() == "true"
prefix = os.environ.get("PREFIX", "AWS")