ip2instance iterates through multiple AWS accounts, assuming IAM Roles in each account using the STS AssumeRole function and fetches information about instances in those accounts.
- That ip2instance be run on an AWS ec2 instance with an IAM role which has rights to assume other roles
- That the list of other roles in various foreign AWS accounts
- have the permission to Describe instances
- allow the role applied to the ec2 instance running ip2instance to assume the target role
Instructions on setting up these roles can be found here : https://github.com/mozilla/security/tree/master/operations/aws-security-auditor
The ip2instance configuration file is located at /etc/ip2instance.yaml . To configure ip2instance create this file and populate it with your role_session_name and roles
The role_session_name is an "identifier for the assumed role session. The session name is included as part of the AssumedRoleUser" according to the AWS Documentation
The roles is a list of ARNs of all IAM Roles in foreign AWS accounts which ip2instance should assume when searching for instances.
Here is an example configuration for two foreign AWS accounts
role_session_name: ip2instance
roles:
- arn:aws:iam::123456789012:role/security-audit-role-SecurityAuditRole-12XHTR13TAWGH # 293989542403 Finance
- arn:aws:iam::345678901234:role/security-audit-role-SecurityAuditRole-FLGUX9CF36X6 # 345678901234 Client Frontend Development Team
ip2instance > instance-list.txt
Here's how to build this into an RPM on a RHEL 6 derivative
sudo yum install http://ftp.linux.ncsu.edu/pub/epel/6/i386/epel-release-6-8.noarch.rpm
sudo yum install rubygems ruby-devel gcc python-setuptools rpm-build
sudo easy_install pip
sudo gem install fpm
git clone https://github.com/gene1wood/ip2instance.git
cd ip2instance # This is required
fpm -s python -t rpm --workdir ../ ./setup.py