AWS snippets
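# find the owner of an AWS access key
# https://stackoverflow.com/a/31275655
# The text output of list-users ends with the UserName column, which awk picks out.
# Use the full flag name (--user-name) and quote the value so it is not word-split.
for user in $(aws iam list-users --output text | awk '{print $NF}'); do
    aws iam list-access-keys --user-name "$user" --output text
done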
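# alternative that uses a JMESPath --query instead of awk(1) to extract the user names
for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
    # full flag name plus quoting, same as the awk variant above
    aws iam list-access-keys --user-name "$user" --output text
done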
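# check if your Amazon ECS container agent is running the latest version with the introspection API
# -S still reports transport errors while -s hides the progress meter, and --fail
# stops a non-2xx error body from being piped into json.tool as if it were metadata
curl -sS --fail 127.0.0.1:51678/v1/metadata | python -m json.tool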
# Find the latest Amazon Linux AMI (change region as needed)
# Reads the public SSM parameter for the latest Amazon Linux 2 HVM x86_64 gp2 image;
# jq only pretty-prints the response.
aws ssm get-parameters --region us-east-1 --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 | jq '.'
# coding: utf-8
import boto3
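# Report which S3 buckets grant access to everyone through their bucket ACL.
# A grant to the AllUsers group (anyone) or the AuthenticatedUsers group (any
# AWS account) makes the bucket public whatever the permission level; checking
# only READ, as before, left WRITE/FULL_CONTROL grants reported as "private".
PUBLIC_GROUP_URIS = {
    'http://acs.amazonaws.com/groups/global/AllUsers',
    'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
}


def is_public_grant(grant):
    """Return True when *grant* (one element of an ACL's Grants list) targets a public group.

    Missing 'Grantee', 'Type' or 'URI' keys are treated as not public.
    """
    grantee = grant.get('Grantee', {})
    return grantee.get('Type') == 'Group' and grantee.get('URI') in PUBLIC_GROUP_URIS


if __name__ == '__main__':
    s3 = boto3.resource('s3')
    for bucket in s3.buckets.all():
        # Only the bucket ACL is inspected; bucket policies and Public Access
        # Block settings are not consulted here.
        acl = bucket.Acl()
        if any(is_public_grant(grant) for grant in acl.grants):
            print (bucket.name, "is PUBLIC")
        else:
            print (bucket.name, "is private")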
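# list instance type offers by availability zone
# ${$1:-...} is a syntax error; the first positional parameter with a default is ${1:-...}.
# NOTE(review): no --region is passed, so $AZ must lie inside the CLI's configured default region.
AZ=${1:-us-east-1a}
aws ec2 describe-instance-type-offerings --location-type "availability-zone" --filters "Name=location,Values=$AZ"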

IAM Policy to require MFA to assume a role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::132092777689:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
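# List RDS events except for "backup" events
# JSON output format:
# Keep an event only when none of its categories is "backup". Iterating
# .EventCategories[] inside select() would emit one copy of the event per
# non-backup category and still keep backup events that carry a second category.
$ aws rds describe-events --region REGION --source-identifier DATABASE_NAME --source-type db-instance --start-time DATE \
| jq '.Events[] | select(.EventCategories | any(. == "backup") | not)'
# Text output format:
$ aws --region REGION rds describe-events --source-identifier DATABASE_NAME --source-type db-instance --duration 20160 --output text \
| perl -0pe 's/^EVENTS.*?\nEVENTCATEGORIES\sbackup\n//mg'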
# List all events for a single DB instance (via https://gist.github.com/HieronyM/149ca010930676b25e6b5b8cb2c9e134)
# Window is the last 14 days (GNU date -d syntax); the extra seconds presumably
# keep the start inside the service's maximum lookback. Output: one "<Date> <Message>" row per event.
$ START=$(date -u -d "14 days ago + 5 seconds" '+%FT%T')
$ END=$(date -u '+%FT%T')
$ aws rds describe-events \
    --source-identifier db_identifier \
    --source-type db-instance \
    --start-time "$START" --end-time "$END" \
    --query 'Events[*].[Date,Message]' --output text
import boto3
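# Print every RDS instance in the listed regions with its at-rest encryption flag,
# one "<DBInstanceIdentifier>\t<StorageEncrypted>" line per instance.
for region in ['sa-east-1', 'us-west-2', 'us-east-1']:
    client = boto3.client('rds', region_name=region)
    # describe_db_instances returns a single page; the paginator follows the
    # Marker so accounts with more instances than one page holds are not truncated.
    paginator = client.get_paginator('describe_db_instances')
    for page in paginator.paginate():
        for i in page['DBInstances']:
            print('%s\t%s' % (i['DBInstanceIdentifier'], i['StorageEncrypted']))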
import sys
from datetime import datetime, timedelta, timezone

import boto3
# Regions scanned by the script below.
regions = ['sa-east-1', 'us-west-2', 'us-east-1']
# Look-back window for the CloudWatch query (one hour).
hour = timedelta(minutes=60)
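# Based on https://stackoverflow.com/a/41734057/31493
def get_free_storage(instance_id, region):
    """Return the newest FreeStorageSpace 'Maximum' datapoint (bytes) for an RDS instance.

    Queries CloudWatch in *region* over the last hour with a one-hour period.

    Raises:
        LookupError: if CloudWatch returned no datapoints for the window
            (for example a stopped or freshly created instance).
    """
    cloudwatch = boto3.client('cloudwatch', region)
    # Use one timezone-aware UTC timestamp for both bounds: a naive local-time
    # datetime depends on the host clock's zone and the two now() calls drifted.
    now = datetime.now(timezone.utc)
    res = cloudwatch.get_metric_statistics(
        Namespace='AWS/RDS',
        Dimensions=[{'Name': 'DBInstanceIdentifier', 'Value': instance_id}],
        MetricName='FreeStorageSpace',
        Statistics=['Maximum'],
        StartTime=now - hour,
        EndTime=now,
        Period=3600
    )
    datapoints = res['Datapoints']
    if not datapoints:
        raise LookupError('no FreeStorageSpace datapoints for %s in %s' % (instance_id, region))
    # Datapoints are not guaranteed to be ordered; pick the most recent explicitly
    # instead of trusting index 0.
    return max(datapoints, key=lambda p: p['Timestamp'])['Maximum']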
def bytes2gb(bytes):
    """Convert a byte count to gibibytes (2**30 bytes)."""
    gib = 2 ** 30  # same value as 1024**3
    return bytes / gib
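if __name__ == '__main__':
    # Sum the used storage (GiB) of every RDS instance across the configured regions.
    dbs = {}
    for region in regions:
        rds = boto3.client('rds', region_name=region)
        # Follow the pagination Marker so large accounts are not cut off at one page.
        for page in rds.get_paginator('describe_db_instances').paginate():
            for i in page['DBInstances']:
                db_id = i['DBInstanceIdentifier']
                # AllocatedStorage is already in GiB; only FreeStorageSpace (bytes)
                # needs converting before the two are subtracted.
                allocated_gb = i['AllocatedStorage']
                try:
                    free_gb = bytes2gb(get_free_storage(db_id, region))
                except LookupError as err:
                    # No CloudWatch datapoints (e.g. stopped instance): report and
                    # keep going rather than losing the whole total.
                    sys.stderr.write('skipping %s (%s): %s\n' % (db_id, region, err))
                    continue
                # Key by region too: the same identifier may exist in several regions.
                dbs[(region, db_id)] = {
                    'allocated': allocated_gb,
                    'free': free_gb,
                    'used': allocated_gb - free_gb,
                }
    total_gb = sum(db['used'] for db in dbs.values())
    print(total_gb)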