This list of helpful GitHub repos contains both community-originated tooling and tooling from outside the community that schools have found useful.
awscli-login is a plugin that retrieves temporary Amazon credentials by authenticating against a SAML Identity Provider (IdP). It includes support for multiple roles and for Duo as the MFA factor.
The assume-role.sh script is an example script that would be used by the Cornell CIT DBA team to exercise those cross-account privileges.
The instance-profile.yaml CloudFormation template was used by the Cornell CIT DBA team to set up the role they use to assume the shib-dba roles in other accounts.
You can use Cornell Shibboleth login for both API and CLI access to AWS. I built Docker images, which will be maintained by the Cloud Services team, that can be used for this, and it is as simple as running the following command:
docker run -it --rm -v ~/.aws:/root/.aws dtr.cucloud.net/cs/samlapi
After this command has been run, it will prompt you for your NetID and password. These will be used to log you into Cornell Shibboleth. You will get a push from Duo. Once you have confirmed the Duo notification, you will be prompted to select the role you wish to use for login; if you have only one role, it will be chosen automatically. The credentials will be placed in the default credential file (~/.aws/credentials) and can be used as follows:
aws --profile saml s3 ls
Cloud Custodian is a rules engine for AWS fleet management. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost-optimized. It consolidates the many ad hoc scripts organizations accumulate into a lightweight and flexible tool with unified metrics and reporting.
Custodian can be used to manage AWS accounts by ensuring real-time compliance with security policies (such as encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.
Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, etc.) and are constructed from a vocabulary of filters and actions.
It integrates with AWS Lambda and AWS CloudWatch Events to provide real-time enforcement of policies, with built-in provisioning of the Lambda functions, or it can run as a simple cron job on a server to execute against large existing fleets.
“Engineering the Next Generation of Cloud Governance” by @drewfirment
deployfish has commands for managing the whole lifecycle of your application:
This project is an example of running RStudio from within a Docker container. In addition to the basic RStudio Server, the container also has the knitr and R Markdown libraries, so it is easy to create nicely formatted output. There is also just enough of TeX to allow knitr to generate PDF output.
This repo contains instructions and code for building an AWS Lambda function, costnotify, that sends a spending-breakdown email to selected recipients for an AWS cloud account. Typically the email subject is "how much did I spend in the past 24 hours" and the email body gives further details breaking down the cost.