How can I get an inventory of my entire AWS environment spanning multiple accounts?
Disclaimer:
Why this article?
A customer once asked me, "How can I get an inventory of all EC2 instances that have public IP addresses?" There are several variations of this question, such as "How can I get a list of all RDS databases with a specific tag?" or "How can I get a list of all Elastic IPs in an organization that spans thousands of accounts?"
There are many ways to get this information, but I would like to introduce you to AWS Config, which can gather it in seconds.
What is AWS Config?
Straight from the AWS documentation:
With AWS Config, you can do the following:
Evaluate your AWS resource configurations for desired settings.
Get a snapshot of the current configurations of the supported resources that are associated with your AWS account.
Retrieve configurations of one or more resources that exist in your account.
Retrieve historical configurations of one or more resources.
Receive a notification whenever a resource is created, modified, or deleted.
View relationships between resources. For example, you might want to find all resources that use a particular security group.
We will answer the questions listed above. To do so we need an AWS Config aggregator configured to give an AWS Organizations-wide view. If you are already using AWS Control Tower you are in luck, because an AWS Config aggregator is already set up in the "Audit" account.
Assuming you have an AWS Config aggregator set up, navigate to the AWS Config console and go to "Advanced queries". There are several pre-canned queries here; pick one that closely matches your need and feel free to edit and run it. Keep in mind that a query can only return resources whose types AWS Config is recording in the source accounts and regions added to the aggregator, so a gap in the results may be a recording gap rather than a genuine absence of the resource. I am going to show you some examples.
How to use AWS Config to get us what we want?
Q: How can I get a list of all Elastic IPs in an organization that has thousands of accounts?
Set the advanced query scope to the Config aggregator and run the following query:
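The following query is an added example written for this article, not the author's original query. It selects every Elastic IP configuration item that the aggregator knows about. The accountId and awsRegion columns are only populated when the query scope is the aggregator rather than a single account.

```sql
SELECT
  accountId,
  awsRegion,
  resourceId,
  configuration.publicIp,
  configuration.allocationId,
  configuration.associationId,
  configuration.instanceId,
  configuration.networkInterfaceId
WHERE
  resourceType = 'AWS::EC2::EIP'
ORDER BY
  accountId, awsRegion
```

An empty associationId in the result means the address is allocated but not attached to anything; those unattached addresses are worth reviewing separately, since they cost money and are easy to forget about when an instance is retired.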
The result is a table of matching resources, one row per configuration item, with a column for each field selected. You also have the option to export the result as CSV or JSON for further analysis or reporting.
Q: How can I get a list of all RDS databases with a specific tag?
Set the advanced query scope to the Config aggregator and run the following query:
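The following query is an added example written for this article, not the author's original query. The tag key "Environment" and value "Production" are assumptions; substitute your own. The tags.key and tags.value filters are evaluated independently against the resource's tag list, so a resource tagged Environment=Staging and Owner=Production would also match; when the key and value must be matched as a pair, filter on tags.tag with the key and value joined by "=" instead.

```sql
SELECT
  accountId,
  awsRegion,
  resourceId,
  resourceName,
  configuration.engine,
  configuration.engineVersion,
  configuration.publiclyAccessible,
  configuration.storageEncrypted,
  tags
WHERE
  resourceType = 'AWS::RDS::DBInstance'
  AND tags.tag = 'Environment=Production'
```

Selecting publiclyAccessible and storageEncrypted alongside the tag turns the inventory into a quick audit: any production database row showing publiclyAccessible as true or storageEncrypted as false deserves a follow-up.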
Q: How can I get an inventory of all EC2 instances that have public IP addresses?
Set the advanced query scope to the Config aggregator and run the following query:
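The following query is an added example written for this article, not the author's original query. It returns every EC2 instance whose most recently recorded configuration carries a public IPv4 address, together with the VPC and subnet it sits in.

```sql
SELECT
  accountId,
  awsRegion,
  resourceId,
  configuration.instanceType,
  configuration.publicIp,
  configuration.publicDnsName,
  configuration.vpcId,
  configuration.subnetId
WHERE
  resourceType = 'AWS::EC2::Instance'
  AND configuration.publicIp IS NOT NULL
```

Two caveats when reading the result. First, an auto-assigned public IP is released when the instance is stopped and a new one is assigned on start, so the list reflects what AWS Config last recorded, not a live snapshot; an instance with an Elastic IP keeps the same address across stops. Second, having a public IP does not by itself mean the instance is reachable from the internet: the security groups and the subnet's route table decide that, and the relationships field of the same configuration item is the place to start pivoting to those resources.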
Summary:
In this post I have shown you how you can quickly audit an AWS environment that can span thousands of accounts. I also showed you that knowing and using the right tool can make your life very easy!