Gabriel Florêncio

Automated Workload Evaluation with Python and CloudWatch

This script evaluates workloads across multiple AWS accounts and regions. It calculates workloads for EC2, Lambda, Fargate, ECS, EKS, SageMaker, and Lightsail instances, and integrates with CloudWatch for visualization.

Main Features

  • Workload evaluation: calculates workloads for various AWS services (EC2, Lambda, ECS, Fargate, SageMaker, and more).
  • Cross-account support: use AWS Organizations or specify multiple accounts manually.
  • CloudWatch integration: automatically creates a CloudWatch dashboard for visualizing workload metrics.
  • Interactive mode: use the --prompt flag for a user-friendly interactive setup.
  • CSV and TXT logging: option to save results to CSV and TXT files.

Requirements

  • Python 3.6 or higher.
  • boto3, botocore, tqdm Python libraries (installed via requirements.txt).
  • AWS CLI configured with valid AWS credentials.
  • IAM role (OrganizationAccountAccessRole) set up for cross-account access.

Installation

Clone the repository and install dependencies:

git clone https://github.com/gabrielflorencio/cl0udw4tch3r.git
cd cl0udw4tch3r
pip install -r requirements.txt

IAM Role Configuration

You need to create an IAM role that allows cross-account access.

  1. Go to the AWS IAM Console.
  2. Create a new role called OrganizationAccountAccessRole.
  3. Use the Role Policy JSON below as the role's permissions policy, named OrganizationAccountAccessPolicy.
  4. Attach the trust policy using the Trusted Policy JSON below.

Make sure the OrganizationAccountAccessRole role in each target account trusts the management account, and that the management account principal is allowed to assume the role in the target accounts.

JSON for Role Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "lightsail:GetInstances",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "ecs:DescribeContainerInstances",
                "eks:ListClusters",
                "eks:DescribeCluster",
                "lambda:ListFunctions",
                "sagemaker:ListEndpoints",
                "sagemaker:ListDomains",
                "cloudwatch:PutMetricData",
                "cloudwatch:PutDashboard",
                "sts:AssumeRole",
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}

JSON for Trusted Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::MANAGEMENT_ACCOUNT_ID:user/IAM-User",
                    "arn:aws:iam::MANAGEMENT_ACCOUNT_ID:root"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
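
An added example, not part of the cl0udw4tch3r repository: an offline check for the two policies above that flags sts:AssumeRole granted on every resource, account-root principals trusted without a Condition, and duplicate JSON keys (which json.loads otherwise resolves by silently keeping the last one). The function names and the shortened sample policies are constructed for illustration.

```python
import json

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource, Principal."""
    return value if isinstance(value, list) else [value]

def _no_duplicate_keys(pairs):
    """json.loads keeps only the last of two identical keys; fail loudly instead."""
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate JSON keys: {dupes}")
    return dict(pairs)

def load_policy(text):
    return json.loads(text, object_pairs_hook=_no_duplicate_keys)

def review_permissions(policy):
    """Flag Allow statements that let the holder assume any role in any account."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if actions & {"sts:assumerole", "sts:*", "*"} and "*" in resources:
            findings.append("sts:AssumeRole allowed on Resource '*'")
    return findings

def review_trust(policy):
    """Flag trust open to a whole account (":root") or to "*" with no Condition."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        findings += [f"unconditioned trust for {a}" for a in arns
                     if a == "*" or a.endswith(":root")]
    return findings

# Constructed samples modelled on the policies above (action list shortened).
ROLE_POLICY = '{"Statement":[{"Effect":"Allow","Action":["ec2:DescribeInstances","sts:AssumeRole"],"Resource":"*"}]}'
TRUST_POLICY = '''{"Statement":[{"Effect":"Allow","Action":"sts:AssumeRole",
  "Principal":{"AWS":["arn:aws:iam::MANAGEMENT_ACCOUNT_ID:user/IAM-User",
                      "arn:aws:iam::MANAGEMENT_ACCOUNT_ID:root"]}}]}'''

if __name__ == "__main__":
    print(review_permissions(load_policy(ROLE_POLICY)), review_trust(load_policy(TRUST_POLICY)))
```

Moving sts:AssumeRole into its own statement with Resource set to arn:aws:iam::*:role/OrganizationAccountAccessRole clears the first finding. Trusting the account root delegates access to every principal in that account that holds sts:AssumeRole permission, so the separate IAM-User entry adds nothing while the root entry is present.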

Usage

You can run the script either in interactive mode or specify flags for the necessary parameters.

Interactive Mode

python3 cl0udw4tch3r-v1.py --prompt

Running with Specified AWS Accounts and Regions

python3 cl0udw4tch3r-v1.py --accounts ACCOUNT_ID_1,ACCOUNT_ID_2 --regions us-east-1,us-west-2

CloudWatch Dashboard Creation

python3 cl0udw4tch3r-v1.py --cw --cw_account CW_ACCOUNT_ID --cw_region us-west-2

Available Flags

--prompt: enables interactive mode for entering accounts, regions, and CloudWatch setup.
--all: uses AWS Organizations to retrieve all active accounts.
--accounts: comma-separated AWS account IDs.
--regions: comma-separated AWS regions to scan.
--csv: creates a CSV file for workload logging.
--csv_name: custom name for the CSV file (default: workloads-evaluation-logs.csv).
--txt: creates a TXT file for workload logging.
--txt_name: custom name for the TXT file (default: workloads-evaluation-logs.txt).
--cw: creates a CloudWatch dashboard for workload metrics.
--cw_account: AWS account ID in which to create the CloudWatch dashboard.
--cw_region: AWS region for the CloudWatch dashboard (default: us-east-1).
--cw_name: custom name for the CloudWatch dashboard (default: WorkloadEvaluationDashboard).
--debug: enables debug logging for troubleshooting.

Example Use Cases

  1. Evaluating All AWS Accounts in an Organization:
    python3 cl0udw4tch3r-v1.py --all --csv --csv_name all-accounts-workload.csv

  2. Running Workload Evaluation on Specific Accounts and Creating a CloudWatch Dashboard:
    python3 cl0udw4tch3r-v1.py --accounts 123456789001,123456789002 --cw --cw_account 123456789001 --cw_region us-west-2

Demo Output

Evaluating workloads: 100%|█████████████████████████████| 8/8 [00:06<00:00, 6.51s/it]
Found 2 accounts from AWS Organizations.
Active AWS accounts to be evaluated: ['AccountA - Prod', 'Account B - Dev']
Active AWS regions to be evaluated: ['us-west-2', 'us-west-1', 'us-east-1', 'us-east-2']
Final Workload Results: {'EC2Workload': 99, 'LightSailWorkload': 0, 'ECSWorkload': 0, 'EKSWorkload': 0, 'LambdaWorkload': 1, 'FargateWorkload': 0.0, 'SageMakerWorkload': 0.0}
Total Workload: 100
Publishing metric: EC2Workload, Value: 99 in region us-east-1
Publishing metric: LightSailWorkload, Value: 0 in region us-east-1
Publishing metric: ECSWorkload, Value: 0 in region us-east-1
Publishing metric: EKSWorkload, Value: 0 in region us-east-1
Publishing metric: LambdaWorkload, Value: 1 in region us-east-1
Publishing metric: FargateWorkload, Value: 0.0 in region us-east-1
Publishing metric: SageMakerWorkload, Value: 0.0 in region us-east-1
Publishing metric: TotalWorkload, Value: 100 in region us-east-1
CloudWatch dashboard 'cw1' created/updated in account 123456789001, region: us-east-1


GitHub Repo - https://github.com/gabrielflorencio/cl0udw4tch3r
