Is there any way to list all the billable resources (basically EC2,EBS,RDS) in an AWS account.Is there any aws-cli command or script available to do so.
I have the aws account root access.
Unfortunately it's not possible to retrieve billing details for AWS resources via AWS CLI directly.
What you can do is store billing reports on S3 and then you can programmatically read and analyze those reports that are generated in CSV format (Billing -> Preferences).
Reference:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-reports.html#turnonreports
Related
How to get the usage metrics of S3.
Currently, IAM users are uploading/downloading files from the S3 bucket. Each IAM user has a separate folder. How to access, how many GB of data were transferred/downloaded from S3?.
You can't. There is no such metric provided by AWS. You have to develop a custom solution for that. If you, for example, have CloudTrial trial enabled for S3 operations, you can parse the past logs and based on them build up a report on who downloaded/upload what. Once you know what objects were uploaded/downloaded by a give IAM user, you can add up their sizes.
I am trying to create a script that will provision QuickSight account and will configure the following parameters:
Subscription type
SPICE Capacity
VPC connection
QuickSight access to AWS services
From the AWS CLI QuickSight documentation I couldn't find a way to create the account, choose subscription type and change SPICE Capacity.
What am I missing?
I believe you are looking for the 'register user' command from the CLI.
https://docs.aws.amazon.com/cli/latest/reference/quicksight/register-user.html
I am wondering if it is possible to see billing information through the Amazon SDK/APIs. Specifically, I want to see how much EC2 instances are costing the account. Is it feasible to have it break down by user if it is an IAM account, or breakdown by account if you are using consolidated billing?
I have seen ways of doing this by either creating an S3 bucket to have billing info dumped into, or using CloudWatch APIs which require the user to pay. Is there an easier way to get EC2 billing information through just API calls or the SDK?
Billing information can be provided as records in an Amazon S3 bucket. You can then analyze the content of those files to obtain the information you list.
It is not possible to obtain the billing records themselves via an API call.
See: Cost and Usage Report
(The older Detailed Billing Report is scheduled to be retired.)
Does AWS Java SDK have an api that could help me to retrieve list of resources (vpc, dynamodb, volumes, ec2 etc...) for a given AWS account number?
I have gone through AWS Java SDK docs at a higher level but everything is related to one specific AWS client for a given resource.
I would like to have an abstract AWS client so that it could provide me just couple attributes of associated AWS resources to an aws account.
Any help is appreciated. Thanks!!
All AWS API calls are related to specific services. For example, you can request a list of Amazon VPCs, a list of Amazon DynamoDB tables, a list of Amazon EBS volumes -- but each would require a different API call.
Another option would be to use AWS Config:
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
AWS Config can deliver a Configuration Snapshot into an Amazon S3 bucket at regular intervals (eg daily). This snapshot (example) is a JSON file that contains information about VPCs, Amazon EC2 instances and related resources.
However, the configuration snapshot only contains information related to a limited number of services, such as EC2, VPC, Amazon Redshift, Amazon RDS and Amazon S3. (See Supported AWS Resource Types)
I am trying to see which user was responsible for changes in S3 (at buckets level).
I could not find a audit trail for actions done at S3 bucket level or EC2 who created instances. Beanstalk has a log of the actions the machine performed, but not which user.
Is there a way around AWS that we can see this information in IAM or any other location ?
P.S: I am not interested to know about S3 log buckets which provide access logs
Update
AWS has just announced AWS CloudTrail, finally making auditing API calls available as of today (and for free), see the introductory post AWS CloudTrail - Capture AWS API Activity for details:
Do you have the need to track the API calls for one or more AWS
accounts? If so, the new AWS CloudTrail service is for you.
Once enabled, AWS CloudTrail records the calls made to the AWS APIs
using the AWS Management Console, the AWS Command Line Interface
(CLI), your own applications, and third-party software and publishes
the resulting log files to the Amazon S3 bucket of your choice.
CloudTrail can also issue a notification to an Amazon SNS topic of
your choice each time a file is published. Each call is logged in JSON
format for easy parsing and processing.
Please note the following (temporary) constraints:
Not all services are covered yet, though the most important ones are included in the initial release already and AWS plans to add support for additional services over time.
Update: AWS has recently added Seven New Services, and another one today, see below.
More importantly, not all regions are supported yet (right now the US East (Northern Virginia), and US West (Oregon) Regions only), though AWS will be adding support for additional Regions as quickly as possible.
Update: AWS has just added More Locations and Services, quickly approaching coverage of their entire Global Infrastructure indeed.
Initial Answer
This is a long standing feature request, but unfortunately AWS does not provide (public) audit trails as of today - the most reasonable way to add this feature would probably be a respective extension to AWS Identity and Access Management (IAM), which is the increasingly ubiquitous authentication and authorization layer for access to AWS resources across all existing (and almost certainly future) Products & Services.
Accordingly there are a few respective answers provided within the IAM FAQs along these lines:
Will AWS Identity and Access Management administrative actions be logged to an audit trail?:
No. This is planned for a future release.
Will user actions in AWS services be logged to an audit trail?
No. This is planned for a future release.
Current pricing for a single CloudTrail is free.
1. Enable CloudTrail
Use the CloudTrail dashboard and send all events to an S3 bucket, e.g. my-cloudtrail
2. Go Through the Results
The CloudTrail dashboard let's you do some cursory searches, but if you have many thousands of events, it's a pain to use.
Let's say I want actions for user foo_user, I just use the CLI tool:
mkdir -p /tmp/cloudtrail
cd /tmp/cloudtrail
aws s3 sync s3://mc10-cloudtrail .
cd AWSLogs
zcat `find . -type f` | jq '.Records[] | "\(.eventName) \(.userIdentity.userName)"' | grep food_user | sort | uniq
Example Output:
"CreateGrant foo_user"
"DescribeInstances foo_user"
"GetConsoleOutput foo_user"
"ModifyInstanceAttribute foo_user"
"StartInstances foo_user"
"StopInstances foo_user"
Note: S3 data events are billed differently in CloutTrail, but this is somewhat redundant, because you can just enable logging on your S3 bucket and grep those logs, or point them at Logstash/Kibana.