Integration Guides
AWS Resource Explorer Integration
Purpose

AWS Cloud Asset Inventory is the functionality inside the AWS Explorer portal that provides visibility across your cloud resources.

Getting Started

Prerequisites

The following section describes the prerequisites that must be met to use the SHI One AWS Asset integration.

Set Up AWS Explorer

To have AWS Explorer report resources from all regions rather than from a single one, you need to configure your AWS SDK or CLI settings and, in practice, use programmatic access to retrieve resources from every region. AWS Explorer, part of the AWS Toolkit in IDEs such as Visual Studio, is configured for a single region at a time; pulling information across regions is done by scripting around it, as described below.

Step-by-Step Instructions

1. Install the AWS Toolkit for your IDE (e.g., Visual Studio). The toolkit includes AWS Explorer, which lets you interact with your AWS services from the IDE.

2. Configure AWS credentials. Configure credentials that allow access to the regions you need; you can do this via the AWS CLI, the SDK, or within the AWS Toolkit itself. Example using the AWS CLI:

```bash
aws configure
```

Enter your access key, secret key, default region (any region will do) and output format. Use a dedicated IAM identity with read-only permissions for this inventory work rather than an administrator's keys.

3. Modify the AWS config file to cover multiple regions. On your local machine, the ~/.aws/config file can list several profiles, each targeting a different region. Example ~/.aws/config:

```ini
[default]
region = us-west-1

[profile us-west-2]
region = us-west-2

[profile eu-west-1]
region = eu-west-1
```

4. Use the AWS SDK or CLI to query all regions. AWS Explorer does not pull data from all regions at once, so use the AWS CLI, an SDK, or a script that loops through the regions. Query the DescribeRegions API to obtain the list of regions enabled for the account, then iterate over it:

```bash
aws ec2 describe-regions --query "Regions[].RegionName" --output text
```

Use the result to iterate over the regions, fetching the data you need from each.

5. Automate multi-region resource fetching with a script. A basic Python example using boto3 (the AWS SDK for Python) that lists all EC2 instances across all enabled regions:

```python
import boto3

# Any enabled region works for the DescribeRegions call; by default it returns
# only the regions that are enabled for this account.
ec2 = boto3.client('ec2', region_name='us-east-1')
regions = [r['RegionName'] for r in ec2.describe_regions()['Regions']]

# Iterate over each region and list every EC2 instance in it.
# DescribeInstances is paginated, so use the paginator rather than a single call.
for region in regions:
    print(f"Region: {region}")
    regional_ec2 = boto3.client('ec2', region_name=region)
    paginator = regional_ec2.get_paginator('describe_instances')
    for page in paginator.paginate():
        for reservation in page['Reservations']:
            for instance in reservation['Instances']:
                print(f"Instance ID: {instance['InstanceId']} in {region}")
```

6. Query specific resources. AWS Explorer in IDEs such as Visual Studio shows one region at a time, but with scripts or automation you can aggregate data from multiple regions; adapt the query to the service you need (EC2, S3, and so on). Some services, S3 bucket listing among them, are not region-scoped in the way EC2 is, so the per-region loop above does not apply to every API.

7. Visualize data in your IDE. After collecting data programmatically, export the results to a file or display them in the IDE's console if you want to see them inside the IDE.

Important Notes

Cost considerations: Be mindful of potential costs when pulling data from multiple regions; some services charge based on the number of API requests or the regions accessed.

Permissions: Ensure your IAM role or user has the necessary permissions (the relevant Describe* and List* actions are enough) to access the services in all regions you target.

Performance: Pulling data from all regions may take time, especially for services with many resources; limit your queries to specific regions if necessary.

By configuring your environment with the above steps you can gather information across AWS regions, even though AWS Explorer itself is limited to a single region at a time.

Retrieve the Amazon Resource Name and External ID

To connect to Amazon Resource Explorer (ARE) and obtain the Amazon Resource Name (ARN) and External ID, follow these steps.

1. Create an IAM role for access.
   - Sign in to the AWS Management Console and open the IAM console.
   - Create a new role: go to Roles in the left-hand navigation pane and click Create role. Choose AWS service as the trusted entity type and select Resource Explorer as the service that will use this role. Click Next: Permissions.
   - Attach permissions: attach the permissions policies Resource Explorer needs. For basic operations you might attach AmazonResourceExplorerReadOnlyAccess, or create a custom policy if specific permissions are needed. Prefer the read-only policy; the integration only reads inventory data.
   - Click Next: Tags and add tags if needed, then click Next: Review.
   - Review and create: give the role a name (e.g., ResourceExplorerRole), review the role details and click Create role.

2. Obtain the Amazon Resource Name (ARN).
   - Go back to Roles in the IAM console and search for the role you created (e.g., ResourceExplorerRole).
   - Click the role name to view its details and copy the Role ARN from the Summary section. It looks like arn:aws:iam::123456789012:role/ResourceExplorerRole.

3. Create and record the External ID.
   The external ID is a value that the party assuming the role must present on every sts:AssumeRole call. Requiring it in the role's trust policy is the standard guard against the confused-deputy problem, where a third party that holds roles for many customers could be tricked into using your role on someone else's behalf.
   - Generate a unique external ID. Use a randomly generated, unguessable string (for example a UUID or a token from a cryptographically secure random generator) rather than a meaningful identifier such as a company name. You will enter the same value in SHI One, and, as noted under Troubleshooting, it must be the same across all accounts in your organization.
   - Configure the role's trust policy: open the Trust relationships tab for the role, click Edit trust relationship, and add the external ID to the Condition section. Example policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "resource-explorer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-unique-external-id"
        }
      }
    }
  ]
}
```

   Replace "your-unique-external-id" with the external ID you generated and click Update Trust Policy. An sts:ExternalId condition only constrains callers that pass an external ID, so it matters for the principal that actually assumes the role on SHI One's behalf; if you deployed the role with the CloudFormation template mentioned under Troubleshooting, keep the trust principal that template sets and add the condition alongside it.

4. Use the ARN and External ID to connect to Resource Explorer. When configuring Amazon Resource Explorer or related services that require these credentials:
   - Role ARN: the ARN you obtained from the IAM console.
   - External ID: the unique external ID you created.

Note: If you already purchase AWS from SHI, you can help ensure these prerequisites are met by submitting a service request to "Enable AWS Organizations".

SHI One Integration Overview

Once the SHI One AWS Resource Explorer integration is enabled, aggregated findings from AWS Resource Explorer are visible within SHI One. The AWS Resource Explorer integration shows your AWS cloud assets in the Asset Inventory.

Enable the SHI One Integration

Configure the SHI One integration:

1. Sign in to SHI One (https://one.shi.com).
2. On the left-hand sidebar, navigate to Settings > Integrations.
3. Click the three dots in the upper right corner of the AWS Resource Explorer tile.
   If you don't see AWS Resource Explorer, first confirm that you have an AWS contract visible under Services > Contracts, as you may not yet be fully onboarded to SHI One. Alternatively, submit a support request via Support Center > Submit Request.
4. Click Add New.
5. Populate the form with the RoleArn and External ID from the previous steps.
6. Click Test.
7. Click Save.
8. Repeat steps 3 through 7 until all accounts have been added.
9. Verify that the slider in the upper right corner of the AWS Resource Explorer tile is orange (activated).
10. Click the AWS Resource Explorer tile and verify that each slider is orange (activated).

Note that it takes AWS up to 24 hours to start sending data to SHI One.

Pricing

SHI collects data daily from the AWS Explorer APIs. There is no cost for querying the AWS Explorer API.

Troubleshooting

If the integration doesn't show up on the Integrations page or you are unable to enable it, submit a support request, as this could be a site-wide issue.

If you have enabled the integration and your data doesn't show up:
- Verify that at least 24 hours have passed, as collection occurs daily.
- Verify that you have deployed a role with the correct permissions as documented.
- Re-enter your information from your payer account (ARN and External ID) on the Integrations page. The external ID must be the same across all accounts in your organization.
- Validate that the requisite configuration as documented has been met.

If you are missing Trusted Advisor data in certain accounts:
- Make sure each account targeted for Trusted Advisor has at least Business Support.
- Verify that you have deployed a role with the correct permissions in each account targeted for data collection, as documented.

If you are reporting Cost Explorer data for only one account:
- Re-enter your information from your payer account (ARN and External ID) on the Integrations page, which can be found where you launched the CloudFormation template for the role. All Resource Explorer information is queried directly from the payer account.

Note: If you encounter an issue not addressed in this section, please submit a support request via Support Center > Submit Request.
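Both the trust-policy step in "Retrieve the Amazon Resource Name and External ID" and the Troubleshooting checks (a role deployed with the right trust, the same external ID entered in every account) can be verified from a script instead of by clicking through the console. The following Python is an added example written for this page; it is not code from the original guide or from SHI One. It generates an unguessable external ID, builds a trust policy in the shape shown above, and audits an existing trust policy document for the confused-deputy guard. The account ID, role principal and external ID in it are placeholders, and the two policy documents are constructed for illustration.

```python
"""Added example (not SHI One's code): external ID generation and trust-policy audit."""
import json
import secrets
from typing import Any, Dict, List, Optional

# Hypothetical values, constructed for this example only.
SHI_PRINCIPAL = "arn:aws:iam::111122223333:root"          # account that assumes the role
EXPECTED_EXTERNAL_ID = "Q9f3jK2m-ZpX7wL4nR8vT1bC6yH0aE5d"  # value entered in SHI One


def generate_external_id(nbytes: int = 32) -> str:
    """Unguessable external ID; URL-safe base64 uses only characters IAM accepts."""
    return secrets.token_urlsafe(nbytes)


def build_trust_policy(principal_arn: str, external_id: str) -> Dict[str, Any]:
    """Trust policy in the shape shown on the page, with the sts:ExternalId condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _external_ids(condition: Dict[str, Any]) -> List[str]:
    """Collect sts:ExternalId values; IAM condition keys are case-insensitive."""
    ids: List[str] = []
    for operator, keys in condition.items():
        if operator.lower() in ("stringequals", "stringequalsignorecase"):
            for key, value in keys.items():
                if key.lower() == "sts:externalid":
                    ids.extend(str(v) for v in _as_list(value))
    return ids


def audit_trust_policy(policy: Dict[str, Any],
                       expected_external_id: Optional[str] = None) -> List[str]:
    """Return findings for each Allow statement granting sts:AssumeRole that
    trusts everyone or lacks the sts:ExternalId confused-deputy guard."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        if "*" in aws_principals:
            findings.append(f"statement {idx}: Principal '*' lets any AWS account assume the role")
        ids = _external_ids(stmt.get("Condition", {}))
        if not ids:
            findings.append(f"statement {idx}: no sts:ExternalId condition (confused-deputy guard missing)")
        elif any(len(i) < 16 for i in ids):
            # Threshold chosen for this example; IAM itself only requires 2 characters.
            findings.append(f"statement {idx}: external ID is short enough to be guessed")
        elif expected_external_id is not None and expected_external_id not in ids:
            findings.append(f"statement {idx}: external ID does not match the one entered in SHI One")
    return findings


# Constructed inputs: a weak trust policy as it might be found in an account,
# beside the hardened form the guide asks for.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}
HARDENED_POLICY = build_trust_policy(SHI_PRINCIPAL, EXPECTED_EXTERNAL_ID)

if __name__ == "__main__":
    print("Generated external ID:", generate_external_id())
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_trust_policy(doc, EXPECTED_EXTERNAL_ID) or ["ok"])
    print(json.dumps(HARDENED_POLICY, indent=2))
```

To audit a real role, feed audit_trust_policy the document returned by `aws iam get-role --role-name ResourceExplorerRole --query Role.AssumeRolePolicyDocument` (parsed with json.loads) together with the external ID you entered in SHI One; running it against every account in the organization catches the mismatched-external-ID case listed under Troubleshooting before a collection cycle is lost.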