Grumpy's Cloud Foundation Infra Blog

The Dreaded AWS Inventory Question - Whats Running In My AWS Account?

A Hard Problem.

Grumpy Platform Engineer's photo
Grumpy Platform Engineer
·

4 min read

Table of contents

Introduction

Inevitably anyone with an AWS account is at one time faced with questions of basic visibility such as

  • Which resources (such as IAM roles, EC2 instances, VPCs, Security Groups, etc.) do I have in my AWS account(s)?
  • How do I see all those things at once?
  • How do I manage my inventory?

Those questions arise pretty naturally during the life cycle of any AWS account and developers, operators, security and platform teams need to investigate what's running within the accounts of their platform.

Out of the box there is no (scalable) single source of truth central inventory system on AWS. Period. Manual methods (with limitations, see below) exist but as AWS provides north of 200 services checking each service console (in potentially each region) of every account is hardly a scalable approach.

I've discussed this with many AWS platform owners and it seems that everyone agrees it is an unsolved problem for them. Seemingly most people don't understand why AWS can't solve this by providing a solution on their own.

Please AWS fix this - its all your stuff, how hard can it be to find it?

How Hard Can it Be?

Some have attempted to cook their own (automated) inventory solutions and quite often the solutions I've seen are dubious (at best) and in many areas riddled with problems such as

  • questionable security posture due to
  • access to account(s) and static IAM long term credentials
  • partial visibility (account, certain service, resource type, region, etc.)
  • performance issues at scale due to amount of resources tracked
  • stale or outdated and full of wrong information (manual CMDBs, XLS sheets, etc.)
  • increased costs due to compute and storage resources needs
  • development and maintenance efforts
  • lacking permissions model within the solution
  • complex architecture due to availability requirements
  • how to track ephemeral resources that come and go

The architecture of AWS can be understood as a collection of AWS services (such as S3, IAM, Route53, DynamoDB, etc.) each with their own abstractions, concepts, resource types and interfaces. Each region of AWS has it's own instance and state of the services (some exceptions apply) with specific regional endpoints for APIs, consoles, etc. (switching services and AWS regions in the console again reveals this architecture).

These architectural constraints and the problems outlined in the above list make each of the problems potentially it's own large scale engineering challenge to be solved.

Seems it's a pretty hard to solve problem.

Manual Inventory Checks

For the sake of overview and reference I've included the manual methods here. The following list of methods is not tentative and other solutions exist as well. In this post I'm focusing on "built-ins" that do not require building custom solutions. I'm also ignoring the service specific resource inventories as those are self explanatory but

The Resource Groups Service' Tag Editor Method

By default, the AWS console is organised by region and service as outlined above. The Tag Editor allows you to create a report, or as the documentation calls it "custom console", that provides an overview through consolidated information. Reports can created and filtered based on criteria such as resource type and tags (user and AWS system tags are supported).

You can easily access Tag Editor via the Tag Editor Console. The user interface is self explanatory. Select all regions and all resource types and start the report.

When running the report on a 'fresh' AWS account the query returns quite a number of resources such as the regional default VPCs and default setup for Internet Gateway etc. I do not see the default IAM roles being reported, but that's not too much of a hassle. Generally I'd really like to see them offering the option to suppress resources that are always included (not sure if this actually feasible as there's differences on how accounts get created and what's included).

Imagine one would have to check a couple of dozen accounts which wouldn't be anything out of the ordinary in a production/development/staging and automation account architecture for an typical application.

Limitations

  • Tag Editor console has it's own logic how to query all the service and across all regions (if selected).
  • API and CLI seemingly support only single region (requiring code for the iterating through regional endpoints of the service) as per [API reference]
  • API and CLI seemingly require a Tag Filter to be set and cant use wildcard filters
  • Tag Editor does not support all AWS resource types, see This List of Supported Resources for the details.

Cost and Usage Report/The Billing Console Approach

Another manual approach would be to query the billing console and get an overview of the if resources are running within the account and/or linked accounts in case of a multi-account environment.

Limitations

  • The Billing Console is AWS Organizations aware and supports multiple accounts and consolidates across regions
  • Billing console does not report all AWS resource as a large number of resources is not producing any cost and does not show up due to this fact
  • Billing reporting is delayed up to 24 hours
  • Low visibility in general due to the focus on billing

Did you find this article valuable?

Support Grumpy Platform Engineer by becoming a sponsor. Any amount is appreciated!

AWSinventory#hardproblemdistributed system