Just some quick CLI commands to help in specific situations.
This grabs the maximum desired capacity of an Auto Scaling group over the last 30 days, then uses the JMESPath max function
to get the maximum of the returned time series.
aws cloudwatch get-metric-statistics \
--namespace AWS/AutoScaling \
--metric-name GroupDesiredCapacity \
--statistics Maximum \
--start-time $(date -d"30 days ago" +%s) \
--end-time $(date +%s) \
--period $(($(date +%s)-$(date -d "30 days ago" +%s))) \
--dimensions Name=AutoScalingGroupName,Value=xyz \
--query 'max(Datapoints[].Maximum)'
This is handy when trying to find roles that trust a federated principal, like EKS OIDC roles, in an account
aws iam list-roles \
--query 'Roles[?not_null(AssumeRolePolicyDocument.Statement[].Principal.Federated)].{name: RoleName, conditions: AssumeRolePolicyDocument.Statement[].Principal.Federated}'
This lists the instances that have a public IP address
aws ec2 describe-instances \
--query 'Reservations[].Instances[] | [?PublicIpAddress != `null`].[InstanceId, PublicIpAddress]'
Grab the SSO instance ARN and identity store ID used by the commands below
INSTANCE_ARN=$(aws sso-admin list-instances | jq -r '.Instances[0].InstanceArn')
IDENTITY_STORE_ID=$(aws sso-admin list-instances | jq -r '.Instances[0].IdentityStoreId')
Get all the permission sets
aws sso-admin list-permission-sets --instance-arn "$INSTANCE_ARN" | jq -r '.PermissionSets[]' > permission-sets.txt
Describe one perm set
aws sso-admin describe-permission-set --instance-arn "$INSTANCE_ARN" --permission-set-arn <arn>
Get all of them and define the $PERMISSION_SET_ARN of the one desired
while read -r permset; do
aws sso-admin describe-permission-set --instance-arn "$INSTANCE_ARN" --permission-set-arn "$permset"
done < permission-sets.txt
This will list the groups assigned to a permission set in an account
aws sso-admin list-account-assignments \
--instance-arn $INSTANCE_ARN \
--permission-set-arn $PERMISSION_SET_ARN \
--account-id <account-id>
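The SSO steps above combined into one report, as an added example that is not part of the original page: for one account it walks every permission set, lists its assignments, and resolves each principal ID to a name through the identity store, which is what the identity store ID is for. The function names principal_name and sso_assignments are made up for this example, and it uses --query with --output text instead of jq.

```shell
#!/bin/sh
# Added example (not from the original page). Source this file, then run:
#   sso_assignments <account-id>
# Function names are hypothetical; only the AWS CLI is required.

# Resolve an identity store principal ID to a readable name.
principal_name() {  # usage: principal_name IDENTITY_STORE_ID GROUP|USER PRINCIPAL_ID
  case "$2" in
    GROUP) aws identitystore describe-group --identity-store-id "$1" \
             --group-id "$3" --query 'DisplayName' --output text ;;
    USER)  aws identitystore describe-user --identity-store-id "$1" \
             --user-id "$3" --query 'UserName' --output text ;;
    *)     printf '%s\n' "$3" ;;  # unknown principal type: keep the raw ID
  esac
}

# Print one tab-separated line per assignment in the given account:
#   <permission set name> <GROUP|USER> <principal name>
sso_assignments() {  # usage: sso_assignments ACCOUNT_ID
  account_id=$1
  instance_arn=$(aws sso-admin list-instances \
    --query 'Instances[0].InstanceArn' --output text) || return 1
  identity_store_id=$(aws sso-admin list-instances \
    --query 'Instances[0].IdentityStoreId' --output text) || return 1
  # Text output prints the literal None when no instance exists.
  [ "$instance_arn" != "None" ] || return 1

  # Text output is whitespace-separated ARNs, so plain word splitting works.
  for permset_arn in $(aws sso-admin list-permission-sets \
      --instance-arn "$instance_arn" --query 'PermissionSets[]' --output text); do
    permset_name=$(aws sso-admin describe-permission-set \
      --instance-arn "$instance_arn" --permission-set-arn "$permset_arn" \
      --query 'PermissionSet.Name' --output text)
    aws sso-admin list-account-assignments \
      --instance-arn "$instance_arn" --account-id "$account_id" \
      --permission-set-arn "$permset_arn" \
      --query 'AccountAssignments[].[PrincipalType,PrincipalId]' --output text |
    while read -r ptype pid; do
      [ -n "$pid" ] || continue  # permission set not assigned in this account
      # </dev/null keeps the nested CLI call from consuming the loop's input
      name=$(principal_name "$identity_store_id" "$ptype" "$pid" </dev/null)
      printf '%s\t%s\t%s\n' "$permset_name" "$ptype" "$name"
    done
  done
}
```

Permission sets with no assignment in the account produce no lines, so an empty report means nothing is assigned there.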