Find AWS account associated with an Elastic IP Address

0

We have several AWS accounts being used by our organization by different teams. Is it possible to trace or find which AWS account is associated with a specific Elastic IP Address?

asked 2 months ago · 24 views
2 Answers
0

You can use Amazon VPC IP Address Manager (IPAM) to collect information about IP addresses. It can be integrated with AWS Organizations for an Org-wide view of addresses.

answered 2 months ago
0

This is a good example of where a script can make a big job into an easy task.

In short: Iterate through a list of accounts (which can be static or can be part of an Organization); assume a role in each of those accounts (you have to set this up in advance); then call an API to get the information that you need.

Here's some example code in Python. It goes through all accounts in an Organization; if the account isn't in an Organization it only looks at the current account. It's pretty easy to modify to work with a static list of accounts. It also iterates through all regions - that could also be restricted if you're only operating in a single or a few regions.

import boto3
from botocore.exceptions import ClientError

crossAccountRoleName = 'NetworkRole'

org = boto3.client('organizations')
sts = boto3.client('sts')

# Build the list of accounts to scan: every account in the Organization, or
# only the current account if this account is not part of one (the original
# code called describe_organization unconditionally, which raises outside an Org).
try:
    managementAccountId = org.describe_organization()['Organization']['MasterAccountId']
    accountIds = []
    for page in org.get_paginator('list_accounts').paginate():
        accountIds.extend(account['Id'] for account in page['Accounts'])
except ClientError as e:
    print(f'Not in an Organization ({e.response["Error"]["Code"]}); scanning the current account only')
    managementAccountId = sts.get_caller_identity()['Account']
    accountIds = [managementAccountId]

for accountId in accountIds:
    # Client arguments carry the assumed-role credentials for member accounts;
    # the management (current) account uses its own credentials.
    clientArgs = {}
    if accountId != managementAccountId:
        targetRoleArn = f'arn:aws:iam::{accountId}:role/{crossAccountRoleName}'
        try:
            creds = sts.assume_role(RoleArn=targetRoleArn,
                                    RoleSessionName='NetworkInfoGatherer')['Credentials']
        except ClientError as e:
            print(f'STS assume_role failed: {e} for account {accountId}')
            continue
        clientArgs = dict(aws_access_key_id=creds['AccessKeyId'],
                          aws_secret_access_key=creds['SecretAccessKey'],
                          aws_session_token=creds['SessionToken'])

    ec2 = boto3.client('ec2', **clientArgs)
    for region in ec2.describe_regions()['Regions']:
        # Always pass region_name: the original omitted it for the management
        # account and so queried only the default region on every iteration.
        ec2Region = boto3.client('ec2', region_name=region['RegionName'], **clientArgs)
        for address in ec2Region.describe_addresses().get('Addresses', []):
            # An unassociated Elastic IP has no PrivateIpAddress or
            # NetworkInterfaceId, so .get() avoids a KeyError on those.
            print(f'{accountId},{region["RegionName"]},{address["PublicIp"]},'
                  f'{address.get("PrivateIpAddress", "")},{address.get("NetworkInterfaceId", "")}')
EXPERT
answered 2 months ago
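The script above dumps every Elastic IP in every account; when you already know the address you are looking for, a targeted search that asks each account "do you own this IP?" and stops at the first hit is faster and produces far less output. The following is an added example (not part of the answer above or any AWS code) of that search. It assumes, as the answer does, that a cross-account role of the given name exists in every member account; the role name, the account IDs, the regions and the address records in the inventory are constructed sample values. The real boto3 adapter relies on the documented behaviour of describe_addresses with a PublicIps filter, which raises InvalidAddress.NotFound when the address is not owned by that account in that region; the offline demo drives the same search logic with a constructed fake so it can be run without credentials.

```python
"""Locate the account and region that own one Elastic IP by querying each
account in turn, instead of dumping every address in the Organization."""
from typing import Callable, Dict, List, Optional, Tuple

# A per-account lookup: (account_id, region, public_ip) -> matching address
# records, or [] when the IP is not owned by that account in that region.
Lookup = Callable[[str, str, str], List[Dict]]


def find_elastic_ip(public_ip: str, account_ids: List[str], regions: List[str],
                    lookup: Lookup) -> Optional[Tuple[str, str, Dict]]:
    """Return (account_id, region, address) for the first match, else None."""
    for account_id in account_ids:
        for region in regions:
            for address in lookup(account_id, region, public_ip):
                if address.get('PublicIp') == public_ip:
                    return account_id, region, address
    return None


def boto3_lookup(role_name: str) -> Lookup:
    """Real adapter. Assumption: a cross-account role named role_name exists in
    every member account, as in the answer's script. Credentials are cached
    per account so the role is assumed once, not once per region."""
    import boto3
    from botocore.exceptions import ClientError
    sts = boto3.client('sts')
    own_account = sts.get_caller_identity()['Account']
    cred_cache: Dict[str, Dict] = {}

    def _lookup(account_id: str, region: str, public_ip: str) -> List[Dict]:
        kwargs = {'region_name': region}
        if account_id != own_account:
            if account_id not in cred_cache:
                cred_cache[account_id] = sts.assume_role(
                    RoleArn=f'arn:aws:iam::{account_id}:role/{role_name}',
                    RoleSessionName='EipLocator')['Credentials']
            creds = cred_cache[account_id]
            kwargs.update(aws_access_key_id=creds['AccessKeyId'],
                          aws_secret_access_key=creds['SecretAccessKey'],
                          aws_session_token=creds['SessionToken'])
        try:
            return boto3.client('ec2', **kwargs).describe_addresses(
                PublicIps=[public_ip])['Addresses']
        except ClientError as e:
            # Not found in this account/region: keep searching, do not fail.
            if e.response['Error']['Code'] == 'InvalidAddress.NotFound':
                return []
            raise
    return _lookup


# Constructed inventory standing in for describe_addresses output across
# accounts (sample account IDs and documentation-range addresses, not real).
FAKE_INVENTORY = {
    ('111111111111', 'us-east-1'): [{'PublicIp': '203.0.113.10', 'AllocationId': 'eipalloc-aaaa'}],
    ('222222222222', 'eu-west-1'): [{'PublicIp': '203.0.113.20', 'AllocationId': 'eipalloc-bbbb',
                                     'NetworkInterfaceId': 'eni-bbbb'}],
}


def fake_lookup(account_id: str, region: str, public_ip: str) -> List[Dict]:
    """Offline stand-in for boto3_lookup using the constructed inventory."""
    return [a for a in FAKE_INVENTORY.get((account_id, region), [])
            if a['PublicIp'] == public_ip]


ACCOUNTS = ['111111111111', '222222222222', '333333333333']   # constructed
REGIONS = ['us-east-1', 'eu-west-1']                            # constructed

if __name__ == '__main__':
    # Offline demo; for a real search pass boto3_lookup('NetworkRole') instead.
    print(find_elastic_ip('203.0.113.20', ACCOUNTS, REGIONS, fake_lookup))
    print(find_elastic_ip('203.0.113.99', ACCOUNTS, REGIONS, fake_lookup))
```

The account and region lists would normally come from list_accounts and describe_regions as in the answer's script; keeping the lookup injectable means the search logic can be tested against a fixture and swapped for the boto3 adapter when credentials are available.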