AWS Inventory & Compliance Framework
Antiope (pronounced An-Tie-Oh-Pee) is intended to be an open-source framework for managing resources across hundreds of AWS accounts. From a trusted Security Account, Antiope leverages cross-account AssumeRole calls to gather resource data and store it in an inventory bucket. This bucket can then be indexed by ELK or your SIEM of choice to provide easy searching of resources across hundreds of AWS accounts.
Antiope is given a list of AWS Organizational parent accounts, and will inventory all of the AWS accounts under those parents. For each of the parent & child accounts it will then gather:
- S3 Buckets, and associated attributes of the bucket
- VPCs, and the number of EC2 Instances in each VPC
- Route53 Hosted Zones
- Route53 Registered Domains
- EC2 Instances
- EC2 Security Groups
- IAM Users
- IAM Roles (and the AWS accounts that are trusted by the roles)
- All Elastic Network Interfaces (ENIs) in each VPC, and any public IP addresses associated with the ENIs
- Personal Health Data events for each account.
All resources are dropped as individual json files into the S3 Bucket of your choosing under /Resources/<type>-<resource_id>.json
Future things to collect:
- RDS Databases
- DirectConnect & VPN Connections
- CloudFormation Stacks & Templates
- /Resources/ - All the json files generated by the Inventory Phase
- /Health/ - All the Personal Health Events
- /lambda-packages/ - Location of the zip files hosting the Lambda functions
Most resources use the normal AWS resource prefix (vpc- for VPCs, i- for Instances, etc). Where the unique identifier for the resource has no prefix, or where the resource name can be duplicated across accounts, Antiope prepends its own resource prefix. Antiope uses the following prefixes:
- bucket - S3 Buckets
- domain - Domains Registered via Route53 Domains. Each domain is globally unique, so AWS accounts aren't part of the object key
- hostedzone - Domains hosted in Route53. There can be multiple hosted zones with the same domain name, so the HostedZone ID is used
- role - IAM Roles. These are not globally unique, so the account_id is part of the object name
- user - IAM Users. These are not globally unique, so the account_id is part of the object name
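As an added example (not Antiope's own code), the following builds the inventory object key for a resource and extracts the accounts trusted by an IAM role's trust policy, the per-role detail the inventory records. The trust policy is a constructed sample, and the exact layout of account-scoped keys (`<type>-<account_id>-<name>.json`) is an assumption, since the README only states that the account_id is part of the object name.

```python
import json
import re
from typing import Optional

RESOURCES_PREFIX = "Resources"  # S3 keys carry no leading slash

# Captures the 12-digit account id of an IAM principal ARN.
_ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def trusted_accounts(trust_policy: dict) -> set:
    """Return the account ids (or '*') that may assume a role.

    Only Allow statements with an AWS principal count; service
    principals (e.g. ec2.amazonaws.com) are not accounts.
    """
    accounts = set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):       # single-statement shorthand
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                # anyone may assume: flag it
            accounts.add("*")
            continue
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            if p == "*":
                accounts.add("*")
            elif p.isdigit() and len(p) == 12:   # bare account id form
                accounts.add(p)
            else:
                m = _ARN_ACCOUNT_RE.match(p)
                if m:
                    accounts.add(m.group(1))
    return accounts


def object_key(resource_type: str, resource_id: str,
               account_id: Optional[str] = None) -> str:
    """Key under /Resources/; account-scoped layout is an assumption."""
    if account_id:
        return f"{RESOURCES_PREFIX}/{resource_type}-{account_id}-{resource_id}.json"
    return f"{RESOURCES_PREFIX}/{resource_type}-{resource_id}.json"


# Constructed sample trust policy (not taken from any real account).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:role/Deployer",
                               "333333333333"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}},
    ],
}


def inventory_role(account_id: str, role_name: str, trust_policy: dict):
    """Return (object_key, json_body) for one role, as the inventory would store it."""
    record = {"account_id": account_id, "RoleName": role_name,
              "TrustedAccounts": sorted(trusted_accounts(trust_policy))}
    return object_key("role", role_name, account_id), json.dumps(record)
```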