@abiydv
Last active September 19, 2023 11:34
Useful aws cli commands (and errors)
```sh
# List all AWS Org accounts' Id, Name, Email and Status in CSV format
aws organizations list-accounts --query 'Accounts[].[Id,Name,Email,Status]' | jq -r '["id","name","email","status"], (.[]) | @csv'

# Find all EKS clusters in the AWS Org (via an AWS Config aggregator)
aws configservice list-aggregate-discovered-resources --resource-type "AWS::EKS::Cluster" --configuration-aggregator-name "aws-config-aggregator-name" --no-paginate --output text

# Find all EKS clusters in the AWS Org with a name like name_pattern
# and only display the source account id, the cluster name, and the cluster region
aws configservice list-aggregate-discovered-resources --resource-type "AWS::EKS::Cluster" --configuration-aggregator-name "aws-config-aggregator-name" --no-paginate --query 'ResourceIdentifiers[?contains(ResourceName,`name_pattern`)].[SourceAccountId,ResourceName,SourceRegion]' --output text

# Find all AWS SSO groups
aws identitystore list-groups --identity-store-id d-12345abcde --output text

# Find all permission set ids (ARNs) in AWS SSO
aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef --output text

# Find all permission set names in AWS SSO
# (the permission set name is only available via the describe-permission-set command)
# write one permission set ARN per line, then describe each one
aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef | jq -r '.PermissionSets[]' > aws-sso-permission-sets.txt
while read -r ps; do aws sso-admin describe-permission-set --permission-set-arn "$ps" --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef | jq -r .PermissionSet.Name; done < aws-sso-permission-sets.txt

# Find all AWS CloudFormation stacks which have `ControlTower` in their name - Option 1
aws cloudformation describe-stacks --query 'Stacks[?contains(StackName,`ControlTower`)]' | jq -r '.[].StackName'

# Find all AWS CloudFormation stacks which have `ControlTower` in their name - Option 2
aws cloudformation list-stacks --query 'StackSummaries[?contains(StackName,`ControlTower`)]' | jq -r '.[].StackName'

# Create a stackset (with service_managed permissions, from the Org management account)
# tags.json must be JSON when passed via file://, e.g.
# [{"Key":"environment","Value":"test"},{"Key":"team","Value":"operations"}]
aws cloudformation create-stack-set --stack-set-name stackset-test --template-body file://template.yaml --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --auto-deployment Enabled=false --tags file://tags.json

# Create a stackset (with service_managed permissions, from the delegated admin account)
# tags.json => [{"Key":"environment","Value":"test"},{"Key":"team","Value":"operations"}]
aws cloudformation create-stack-set --stack-set-name stackset-test --template-body file://template.yaml --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --call-as DELEGATED_ADMIN --auto-deployment Enabled=false --tags file://tags.json

# Deploy a stackset instance to a single account in an AWS Org OU with multiple accounts
# (AccountFilterType=INTERSECTION restricts the deployment to the listed accounts that are inside the OU)
aws cloudformation create-stack-instances --stack-set-name stackset-test --deployment-targets Accounts=112233445566,OrganizationalUnitIds=ou-12345abcdef,AccountFilterType=INTERSECTION --regions eu-west-1 us-east-1

# Deploy a stackset instance (with service_managed permissions, from the delegated admin account) to an OU with multiple accounts
aws cloudformation create-stack-instances --stack-set-name stackset-test --deployment-targets OrganizationalUnitIds=ou-12345abcdef --call-as DELEGATED_ADMIN --regions eu-west-1 us-east-1

# Delete a stackset instance (with service_managed permissions, from the delegated admin account) for a suspended AWS account in the Org
# --retain-stacks leaves the stack in the (suspended) target account and only removes the instance from the stackset
aws cloudformation delete-stack-instances --stack-set-name stackset-test --deployment-targets Accounts=112233445566 --retain-stacks --call-as DELEGATED_ADMIN --regions eu-west-1 us-east-1

# Inspect CloudTrail events delivered to S3 using jq
# Filter non-read-only events like CreateTags or DeleteTags, and display eventSource, eventName, userIdentity and
# the request parameters, which include the resource (ec2 volume etc.) information
aws s3 cp s3://cloudtrail-bucket/112233445566/2023/09/19/ . --exclude "*" --include "*.json.gz" --recursive
# the delivered files are gzipped, so decompress them on the fly instead of cat-ing them
gzip -dc 112233445566_CloudTrail_*.json.gz | jq -r '.Records[] | select((.readOnly==false) and (.eventName | test("^[a-zA-Z]+Tags$"))) | "\(.eventSource) \(.eventName) \(.userIdentity.arn) \(.requestParameters)"'
```
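The same tag-mutation filter as the jq pipeline above, as an added Python example that is not part of the gist. It reads the gzipped CloudTrail delivery files directly, applies the same anchored `^[a-zA-Z]+Tags$` / `readOnly == false` test, and returns the rows a reviewer would triage; the records and file name are constructed sample data.

```python
import gzip
import json
import re
import tempfile
from pathlib import Path

# Same anchored pattern as the jq filter: matches CreateTags, DeleteTags, ... but not e.g. PutBucketTagging
TAG_EVENT = re.compile(r"^[a-zA-Z]+Tags$")

def iter_records(paths):
    """Yield CloudTrail records from .json or .json.gz delivery files."""
    for p in paths:
        opener = gzip.open if p.suffix == ".gz" else open
        with opener(p, "rt", encoding="utf-8") as fh:
            yield from json.load(fh).get("Records", [])

def tag_mutations(records):
    """Return (eventSource, eventName, caller arn, requestParameters) for non-read-only *Tags events."""
    out = []
    for r in records:
        if r.get("readOnly") is False and TAG_EVENT.match(r.get("eventName", "")):
            out.append((r["eventSource"], r["eventName"],
                        r.get("userIdentity", {}).get("arn"), r.get("requestParameters")))
    return out

# Constructed sample records (not real log data), shaped like CloudTrail delivery output.
SAMPLE_LOG = {"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::112233445566:user/example"},
     "requestParameters": {"resourcesSet": {"items": [{"resourceId": "vol-0example"}]},
                           "tagSet": {"items": [{"key": "Name", "value": "test"}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeTags", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::112233445566:user/example"}, "requestParameters": {}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketTagging", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::112233445566:role/ops"}, "requestParameters": {}},
]}

def demo():
    """Write the sample as a gzipped delivery file and scan it the way the S3 download would be scanned."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "112233445566_CloudTrail_eu-west-1_example.json.gz"
        with gzip.open(p, "wt", encoding="utf-8") as fh:
            json.dump(SAMPLE_LOG, fh)
        return tag_mutations(iter_records(sorted(Path(d).glob("*_CloudTrail_*.json.gz"))))

if __name__ == "__main__":
    for src, name, arn, params in demo():
        print(src, name, arn, json.dumps(params))
```

Only the CreateTags record is returned; DescribeTags is read-only and PutBucketTagging does not match the anchored pattern, which is worth remembering if you widen the search to other tagging APIs.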

Errors

  • Error: You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set
    • Verify the prerequisites are met: the command is run from the Org management account or from a registered delegated admin account
    • Make sure the CLI option --call-as DELEGATED_ADMIN is specified when running from a delegated admin account

  • Parameter validation failed: Unknown parameter in DeploymentTargets: "AccountFilterType", must be one of: Accounts, AccountsUrl, OrganizationalUnitIds
    • Upgrade the AWS CLI; older versions do not know the AccountFilterType parameter
    • Failed with aws-cli/2.2.26 Python/3.8.8, worked with aws-cli/2.9.0 Python/3.9.11

  • fatal error: An error occurred (404) when calling the HeadObject operation: Key "x/y/z" does not exist (reported even though the key exists)
    • cmd: aws s3 cp s3://bucket/x/y/z/ . --exclude "*" --include "*.json"
    • Cause: the --recursive flag is missing, so the CLI treats the prefix as a single object key instead of a directory