# AWS Support Cases aggregation for a multi-account organization

This is a simple CloudFormation-based serverless pipeline for collecting support case information from all users across an AWS Organization into a single database. This allows users to easily discover and monitor all Support Cases within an organization. See our AWS Blog Post for details.
## Architecture

This service uses a Hub (central aggregator account) and Spoke (member accounts) model. The aggregator can be configured in two ways:

- Aggregator account is the AWS Organizations master account
- Aggregator account is NOT the AWS Organizations master account
## Central aggregator account prerequisites

Ensure you have permissions for creating the requisite AWS resources, including IAM roles and policies.

1. Create an S3 bucket in your central aggregator account to hold the CloudFormation stack template. Pass the bucket name to the `--cf_s3_bucket` parameter of the `run_cloudformation.sh` script. The CloudFormation stack must be created in the same region as this S3 bucket.
2. Choose a free name for your CloudTrail S3 bucket. Pass it to the `--ct_s3_bucket` parameter of the `run_cloudformation.sh` script. Ensure a bucket with the same name does not already exist, or the CloudFormation stack will fail to create. The CloudFormation stack will handle bucket creation.
3. (Optional) If your aggregator account will not be your AWS Organizations master account, pass the role ARN `arn:aws:iam::<ORG MASTER ACCOUNT ID>:role/OrgListAccountsViewer` to the `--org_role` parameter of the `run_cloudformation.sh` script. Note this role can be created in section AWS Organizations Master Account #2.
## Deploy the central aggregator

Run the shell script:

```sh
./run_cloudformation.sh --profile=<profile_name> --stack_name=<stack name> --cf_region=<cloudformation region> --cf_s3_bucket=<cloudformation s3 bucket> --ct_s3_bucket=<cloudtrail S3 bucket> [--template_file=<template file> --org_role=<org master role>]
```

For instructions on how to set up an AWS command line profile, see the AWS documentation. You may use any name in the `<stack name>` parameter (e.g. `central-support`).
## Member account setup

CloudTrail trails from every account you wish to monitor must deposit their events into the newly created CloudTrail S3 bucket specified in the `--ct_s3_bucket` parameter above. If you are using an organization CloudTrail trail, you only need to modify that organization trail's S3 bucket location. If not, you must configure a CloudTrail trail in every member account you wish to monitor to use the newly created S3 bucket.

Create an IAM role called `GetSupportInfoRole` in every member account with `support:` and `support:Describe*` permissions that trusts the `SupportAggregator` role in the central aggregator account. For specific details, follow the instructions here.
## AWS Organizations master account

1. Create an organization trail in your AWS Organizations master account and configure the CloudTrail service to send events to your CloudTrail bucket. For details on organization trails, see the AWS docs on Creating a Trail for an Organization. Deposit CloudTrail events into the CloudTrail S3 bucket specified in central aggregator prerequisites #2. You may also configure individual member accounts with CloudTrail trails that send events to the CloudTrail S3 bucket.
2. (Optional) If your aggregator account will not be your AWS Organizations master account, create an IAM role `OrgListAccountsViewer` in the AWS Organizations master account that trusts the central aggregator account and has a role policy with `organizations:ListAccounts` actions. For specific details, follow the instructions here.
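The two cross-account roles described above (`GetSupportInfoRole` in each member account, and the optional `OrgListAccountsViewer` in the Organizations master account) are the trust boundary of the whole pipeline, so it is worth generating and reviewing their policy documents before applying them. The following is an added example, not code from this project: it builds both policy documents as least-privilege JSON and shows how the aggregator would assume a member role with STS. The aggregator-side principal for `OrgListAccountsViewer` is assumed to be the aggregator account root (the page only says the role "trusts the central aggregator account"), the role names and actions are the ones the README names, and the `us-east-1` region for the Support API is an assumption about where that endpoint is served.

```python
"""Added example (not the project's code): least-privilege policy documents
for the cross-account roles this README asks you to create.

Assumptions (not from the page): the OrgListAccountsViewer trust principal
is the aggregator account root; the Support API is called in us-east-1.
"""
import json
import re
from typing import Iterable, List

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def _check_account_id(account_id: str) -> str:
    """AWS account IDs are exactly 12 digits; reject anything else early so a
    typo cannot silently widen the trust policy to a foreign account."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return account_id


def get_support_info_role_policies(aggregator_account_id: str) -> dict:
    """Trust and permissions policies for GetSupportInfoRole (member account).

    Only the SupportAggregator role in the central aggregator account may
    assume it, and it can only read support cases (support:Describe*).
    """
    agg = _check_account_id(aggregator_account_id)
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{agg}:role/SupportAggregator"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["support:Describe*"],
            "Resource": "*",  # the Support API has no resource-level ARNs
        }],
    }
    return {"RoleName": "GetSupportInfoRole",
            "AssumeRolePolicyDocument": trust,
            "PolicyDocument": permissions}


def org_list_accounts_viewer_policies(aggregator_account_id: str) -> dict:
    """Trust and permissions policies for OrgListAccountsViewer (org master).

    Assumption: the trusted principal is the aggregator account root, which
    delegates to that account's own IAM policies which role may assume it.
    """
    agg = _check_account_id(aggregator_account_id)
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{agg}:root"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["organizations:ListAccounts"],
            "Resource": "*",
        }],
    }
    return {"RoleName": "OrgListAccountsViewer",
            "AssumeRolePolicyDocument": trust,
            "PolicyDocument": permissions}


def member_role_arns(account_ids: Iterable[str],
                     role_name: str = "GetSupportInfoRole") -> List[str]:
    """ARNs the aggregator assumes, one per monitored member account."""
    return [f"arn:aws:iam::{_check_account_id(a)}:role/{role_name}"
            for a in account_ids]


def support_client_for_member(account_id: str,
                              session_name: str = "support-aggregator"):
    """Assume the member role with STS and return a Support client.
    Needs real AWS credentials, so it is not exercised offline."""
    import boto3  # imported here so the pure helpers above run without it
    role_arn = member_role_arns([account_id])[0]
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.client(
        "support", region_name="us-east-1",  # assumption: Support API region
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])


if __name__ == "__main__":
    # "123456789012" is a constructed placeholder aggregator account id.
    print(json.dumps(get_support_info_role_policies("123456789012"), indent=2))
    print(json.dumps(org_list_accounts_viewer_policies("123456789012"), indent=2))
```

The trust policy for `GetSupportInfoRole` names the `SupportAggregator` role rather than the whole aggregator account, so compromise of any other principal in the aggregator account does not grant read access to member support cases; the Support permissions are read-only `Describe*` actions only.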
## Configuration

This pipeline scans case data from the past 60 days every 3 days. You can configure the scan to get all historical case data by setting `get_all_existing_cases(recent_cases_only=False)` in `support_cases_aggregator.py`.

If you do not use AWS Organizations, modify `list_account_ids()` in `support_cases_aggregator.py` to return a list of strings of the account IDs you want to monitor support cases for.
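The two configuration knobs just described (the 60-day window versus a full historical scan, and a static account list in place of AWS Organizations) are shown below as an added example; this is not the project's `support_cases_aggregator.py`, and the function names `describe_cases_kwargs` and `_list_org_account_ids` are hypothetical. It assumes the real AWS Support `DescribeCases` parameters (`afterTime`, `includeResolvedCases`, `includeCommunications`) and filters Organizations results to `ACTIVE` accounts, which is a choice of this example rather than something the page states.

```python
"""Added example (not the project's code): the scan window and the account
list as pure functions that can be checked offline.

Assumptions: DescribeCases keyword names are the real AWS Support API
parameters; RECENT_DAYS follows the README's 60-day window; only ACTIVE
Organizations accounts are returned.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

RECENT_DAYS = 60  # the README scans the past 60 days by default
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def describe_cases_kwargs(recent_cases_only: bool = True,
                          now: Optional[datetime] = None,
                          language: str = "en") -> dict:
    """Keyword arguments for support.describe_cases().

    recent_cases_only=True restricts the scan to cases updated in the last
    RECENT_DAYS; False omits afterTime so every historical case is returned.
    Resolved cases are always included, communications are not (they are
    large and not needed for an inventory).
    """
    now = now or datetime.now(timezone.utc)
    kwargs = {"includeResolvedCases": True,
              "includeCommunications": False,
              "language": language}
    if recent_cases_only:
        after = now - timedelta(days=RECENT_DAYS)
        kwargs["afterTime"] = after.strftime("%Y-%m-%dT%H:%M:%SZ")
    return kwargs


def list_account_ids(static_ids: Optional[List[str]] = None,
                     org_role_arn: Optional[str] = None) -> List[str]:
    """Accounts to scan.

    Without AWS Organizations, pass the hard-coded list; it is validated
    and de-duplicated so a malformed id fails here rather than at the
    first AssumeRole. With Organizations, the list comes from ListAccounts,
    optionally through the OrgListAccountsViewer role.
    """
    if static_ids is not None:
        bad = [a for a in static_ids if not ACCOUNT_ID_RE.match(a)]
        if bad:
            raise ValueError(f"invalid AWS account ids: {bad}")
        return sorted(set(static_ids))
    return _list_org_account_ids(org_role_arn)


def _list_org_account_ids(org_role_arn: Optional[str]) -> List[str]:
    """Page through organizations:ListAccounts. Needs AWS credentials, so it
    is not exercised offline."""
    import boto3  # imported here so the pure helpers run without it
    session = boto3.Session()
    if org_role_arn:
        creds = session.client("sts").assume_role(
            RoleArn=org_role_arn,
            RoleSessionName="support-aggregator")["Credentials"]
        session = boto3.Session(
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"])
    org = session.client("organizations")
    ids: List[str] = []
    for page in org.get_paginator("list_accounts").paginate():
        ids.extend(a["Id"] for a in page["Accounts"]
                   if a["Status"] == "ACTIVE")  # assumption: skip suspended
    return sorted(ids)


if __name__ == "__main__":
    # Constructed sample: a static account list and a fixed clock.
    print(list_account_ids(["222222222222", "111111111111"]))
    print(describe_cases_kwargs(True, datetime(2020, 3, 1, tzinfo=timezone.utc)))
    print(describe_cases_kwargs(False))
```

Passing `now` explicitly keeps the window computation deterministic, which is what makes the 60-day boundary testable; the pipeline's scheduled run would leave it unset and take the current UTC time.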
Copyright (c) 2020 Snap Inc.