Does AWS Java SDK have an api that could help me to retrieve list of resources (vpc, dynamodb, volumes, ec2 etc...) for a given AWS account number?
I have gone through AWS Java SDK docs at a higher level but everything is related to one specific AWS client for a given resource.
I would like to have an abstract AWS client so that it could provide me just couple attributes of associated AWS resources to an aws account.
Any help is appreciated. Thanks!!
All AWS API calls are related to specific services. For example, you can request a list of Amazon VPCs, a list of Amazon DynamoDB tables, a list of Amazon EBS volumes -- but each would require a different API call.
Another option would be to use AWS Config:
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
AWS Config can deliver a Configuration Snapshot into an Amazon S3 bucket at regular intervals (eg daily). This snapshot (example) is a JSON file that contains information about VPCs, Amazon EC2 instances and related resources.
However, the configuration snapshot only contains information related to a limited number of services, such as EC2, VPC, Amazon Redshift, Amazon RDS and Amazon S3. (See Supported AWS Resource Types)
Related
I wanted to know if there was a way to track alerts or audit anything that happens with the AWS account like who changed what and why. I did find this https://docs.aws.amazon.com/opensearch-service/latest/developerguide/audit-logs.html where they use a comand line for enabling audit logs on an existing domain: aws opensearch update-domain-config --domain-name my-domain --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:my-log-group,Enabled=true}" but this is in regard to Amazon OpenSearch Service which I believe is only free for 12 months if you haven't used already. AWS Audit Manager. I am aware there are services that can do this but require a fee and I wanted to know if there were any free options
From the AWS documentation:
With AWS CloudTrail, you can monitor your AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made by using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address from which the calls were made, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.
AWS Config provides a detailed view of the resources associated with your AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time.
Basically, AWS CloudTrail keeps a log of API calls (requests to AWS to do/change stuff), while AWS Config tracks how individual configurations have changed over time (for a limited range of resources, such as Security Group rule being changed).
Can i connect to different account AWS services(s3, dynamoDb) from my account ec2 using VPC Endpoint?
Amazon S3 and Amazon DynamoDB are accessed on the Internet via API calls.
When a call is made to these services, a set of credentials is provided to identify the account and user.
If you wish to access S3 or DynamoDB resources belonging to a different account, you simply need to use credentials that belong to the target account. The actual request can be made from anywhere on the Internet (eg from Amazon EC2 or from a computer under your desk) — the only things that matters is that you have valid credentials linked to the desired AWS account.
There is no need to manipulate VPC configurations to access resources belonging to a different AWS Account. The source of the request is actually irrelevant.
Can you get the AWS usage report for subdirectory for buckets? I want to know the amount of traffic of all 'GetObject' requests for all subdirectory of S3.
First, remember that there are no "subdirectories" in S3. Everything within a bucket is in a flat index and identified by an object key. However, in the AWS console, objects that contain a shared prefix are represented together in a "folder" named after the shared prefix.
With that in mind, it should be easier to understand why you cannot get an AWS usage report for a specific "subdirectory". The AWS usage report is meant to be an overview of your AWS services and is not meant to be used for more detailed analytics.
Instead there is another AWS service that allows you insight into more detailed analytics for your other AWS services: AWS CloudWatch. With AWS Cloudwatch you can:
Set up daily storage
metrics
Set up request (GET) metrics on a
bucket
And, for your specific case, you can set up request metrics for specific prefixes (subdirectories) within a bucket.
Using request metrics from AWS CloudWatch is a paid service (and another reason why you cannot get detailed request metrics in the AWS usage report).
I built a serverless app on an AWS account (S3, API Gateway, Lambda, DynamoDB, IAM). I need to deploy this on another AWS account that is part of the same AWS organization. Is there a CLI/CloudFormer solution where I can select existing AWS resources and replicate them on different AWS account.
You can use CloudFormation stacks sets: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html But the resources need to be maintained by CloudFormation also in first account.
I am trying to clone my aws account(prod) to another account(test) with all resources and configuration I have set up on prod. Is there any best practice to replicate the aws account to another?
This is not possible.
Nor is there an easy way to list all resources in an AWS account.
Each AWS Service (eg EC2, S3, Lambda) have their own API calls to list resources and describe configurations. There is no universal way to request this information.
Best Practice is to only create resources using AWS CloudFormation templates, thereby having full documentation of resources created and the ability to deploy similar infrastructure in other AWS accounts or regions.
Some third-party services (eg https://www.hava.io/) can extract configuration information and automatically create AWS CloudFormation templates. However, these templates only record the configuration of AWS resources -- they do not replicate the content of storage on disks, Amazon S3 or databases.