- Newest
- Most votes
- Most comments
Hello.
If you use the AWS CLI, you can create a CSV of CloudWatch alarms using the following command.
I think all you have to do is run this for each region or each account.
aws --profile your-env cloudwatch describe-alarms | jq -r '.MetricAlarms[] | [.AlarmName, .Namespace, .Dimensions[0].Name, .Dimensions[0].Value, .MetricName, .Statistic, .Period, .Threshold, .ComparisonOperator, .EvaluationPeriods] | @csv'
For example, if you want to run it for multiple accounts, you can create an access key for each account and separate profiles.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
Run on Linux/Cloudshell
- Configure AWS CLI with a profile in the Management account
- Install JQ
- Update the variable to the role you wish to assume in each account
- Add the regions also to the list where you want to check for alarms
Then run this
#!/bin/bash
#User configurable variables
roletoassume="OrganizationAccountAccessRole"
regions='["eu-west-2","eu-west-1"]'
comdtorun="aws cloudwatch describe-alarms | jq -r '.MetricAlarms[] | [.AlarmName, .Namespace, .Dimensions[0].Name, .Dimensions[0].Value, .MetricName, .Statistic, .Period, .Threshold, .ComparisonOperator, .EvaluationPeriods] | @csv'"
accounts=$(aws organizations list-accounts --query "Accounts[*].Id")
masteraccount=$(aws organizations describe-organization |jq .Organization.MasterAccountId | tr -d '"')
echo $masteraccount
echo $regions | jq .[] | tr -d '"'| while read region;
do
echo $region
eval $comdtorun
done
echo $accounts | jq -c .[]| while read i;
do
account=$(echo $i | tr -d '"')
if [[ "$account" != "$masteraccount" ]]
then
echo $account
sts=$(aws sts assume-role --role-arn arn:aws:iam::${account}:role/${roletoassume} --role-session-name mysession)
var=( $(echo $sts | jq '.[] | .AccessKeyId, .SecretAccessKey, .SessionToken') )
export AWS_ACCESS_KEY_ID=$(echo ${var[0]} | tr -d '"')
export AWS_SECRET_ACCESS_KEY=$(echo ${var[1]} | tr -d '"')
export AWS_SESSION_TOKEN=$(echo ${var[2]} | tr -d '"')
echo $regions | jq .[] | tr -d '"'| while read region;
do
echo $region
eval $comdtorun
done
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
fi
done
Thanks Gary!
On top of above, you could centrally deploy from aws organisation a lambda function on each of your accounts: https://aws.amazon.com/blogs/architecture/using-devops-automation-to-deploy-lambda-apis-across-accounts-and-environments/ and extract the info as mentioned above.
The would be up to you to either send a report or send all data back to a central queue or topic for consolidation.
Relevant content
- asked a year ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 19 days ago
- AWS OFFICIALUpdated 8 days ago
- AWS OFFICIALUpdated 3 months ago
Thank you. It helped me to pull out CloudWatch Alarms with limited information within AWS account. We have more than 100+ AWS accounts within Landing zone and we would need your assistance to run the script and pull CloudWatch Alarms from all the AWS accounts.
Do you have a common role in all the accounts you could use? If so I’d be happy to knock a script up.
If you manage your accounts with AWS Organizations, how about using StackSets to create an IAM role for the switch role in each account? If you can set this up, I think you can solve the problem by creating a shell script that loops the command I shared using a for statement. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html
@Gary Mclean, I do have a common role in all the aws accounts.
@Sathya code added in a new answer.. Enjoy