-1

We have a master account and a few sub-accounts. I have written a lambda code that is searching for cloud-watch alarms in the master account and sends the details of the alarms to Amazon Chime Webhook.

The current requirement is to use the lambda code to loop through all the accounts and search for respective account's alarms.

Yogi
  • 609
  • 1
  • 8
  • 21
Santosh
  • 1
  • 1

2 Answers2

1

If you only need access to the CloudWatch events/logs you can enable cross account access allowing you to run everything from a monitoring account (recommended for better security) or your master account.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html

If you need access to each account you will need to do the following: - Create IAM role in each account that can be assumed by Lambda in the master account

  • In your lambda your main loop would look something like this. 
for accountId in <list of accounts>
  for region in <region list>
     awsConfig = getAssumeRoleCredtionals(accountId, region)  // This is an AWS.Config
     ec2 = new AWS.EC2(awsConfig)
     results = ec2.describeInstances()
  end for
end for
WaltDe
  • 1,715
  • 8
  • 17
0

You can attach "sts:AssumeRole" permission to the role attached to your lambda function and right your function in such a way so that it use that permission to switch to another accounts.

Below is the link which you might useful to get information how can you switch role:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html

But to get above use case work, you're master account should have role created to switch to another accounts.

Hope below link helps you:

AWS: Boto3: AssumeRole example which includes role usage

Himanshu Mundeepi
  • 129
  • 2
  • 10