Automate AWS resource assessment
Naveen Suthar, Arun Bagal, Manish Garg, and Sandeep Gawande, Amazon Web Services
Summary
This pattern describes an automated approach for setting up resource assessment capabilities by using the AWS Cloud Development Kit (AWS CDK). By using this pattern, operations teams gather resource auditing details in an automated manner and view the details of all resources deployed in an AWS account on a single dashboard. This is helpful in the following use cases:
- Identifying infrastructure as code (IaC) tools and isolating resources created by different IaC solutions such as HashiCorp Terraform, AWS CloudFormation, AWS CDK, and AWS Command Line Interface (AWS CLI) 
- Fetching resource-auditing information 
This solution will also help the leadership team obtain insights about the resources and activities in an AWS account from a single dashboard.
| Note: Amazon QuickSight is a paid service. Before running it to analyze data and create a dashboard, review the Amazon QuickSight pricing. | 
|---|
Prerequisites and limitations
Prerequisites
- An active AWS account. 
- AWS Identity and Access Management (IAM) roles and permissions with access to provision resources 
- An Amazon QuickSight account created with access to Amazon Simple Storage Service (Amazon S3) and Amazon Athena 
- AWS CDK version 2.55.1 or later installed 
- Python version 3.9 or later installed 
Limitations
- This solution is deployed to a single AWS account. 
- The solution will not track the events that happened before its deployment unless AWS CloudTrail was already set up and storing data in an S3 bucket. 
Product versions
- AWS CDK version 2.55.1 or later 
- Python version 3.9 or later 
Architecture
Target technology stack
- Amazon Athena 
- AWS CloudTrail 
- AWS Glue 
- AWS Lambda 
- Amazon QuickSight 
- Amazon S3 
Target architecture
The AWS CDK code will deploy all the resources that are required to set up resource-assessment capabilities in an AWS account. The following diagram shows the process of sending CloudTrail logs to AWS Glue, Amazon Athena, and QuickSight.

- CloudTrail sends logs to an S3 bucket for storage. 
- An event notification invokes a Lambda function that processes the logs and generates filtered data. 
- The filtered data is stored in another S3 bucket. 
- An AWS Glue crawler is set up on the filtered data that is in the S3 bucket to create a schema in the AWS Glue Data Catalog table. 
- The filtered data is ready to be queried by Amazon Athena. 
- The queried data is accessed by QuickSight for visualization. 
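As an added illustration of the Lambda step above (example code written for this page, not the code in the pattern's repository), the following Python parses one gzipped CloudTrail log object, drops read-only calls, and tags each remaining event with the IaC tool implied by its userAgent and invokedBy fields. The user-agent markers, output columns and sample events are assumptions.

```python
import gzip
import json

# Assumed user-agent markers: CloudTrail records the caller's userAgent, and each
# tool announces itself there. Not the pattern's own logic; order matters.
TOOL_MARKERS = [("terraform", "terraform"), ("aws-cdk", "aws-cdk"),
                ("cloudformation.amazonaws.com", "cloudformation"),
                ("aws-cli", "aws-cli"), ("console.amazonaws.com", "console")]
# Columns kept in the filtered output that the Glue crawler will catalog for Athena.
OUTPUT_FIELDS = ("eventTime", "eventSource", "eventName", "userAgent")

def classify_tool(record):
    """Map one CloudTrail record to the tool that most likely made the API call."""
    # Calls a stack makes on your behalf carry invokedBy=cloudformation.amazonaws.com.
    if record.get("userIdentity", {}).get("invokedBy") == "cloudformation.amazonaws.com":
        return "cloudformation"
    agent = record.get("userAgent", "").lower()
    return next((tool for marker, tool in TOOL_MARKERS if marker in agent), "other")

def filter_records(records):
    """Drop read-only calls (Describe*/List*/Get*) and flatten the rest to one row each."""
    rows = []
    for rec in records:
        if rec.get("readOnly") or rec.get("eventName", "").startswith(("Describe", "List", "Get")):
            continue
        row = {k: rec.get(k) for k in OUTPUT_FIELDS}
        row["principalArn"] = rec.get("userIdentity", {}).get("arn")
        row["iacTool"] = classify_tool(rec)
        rows.append(row)
    return rows

def process_log_object(gz_body):
    """Decompress one CloudTrail log object (gzip JSON with a 'Records' list) and
    return the filtered rows as newline-delimited JSON, one Athena row per line."""
    records = json.loads(gzip.decompress(gz_body))["Records"]
    return "\n".join(json.dumps(r, sort_keys=True) for r in filter_records(records))

# Constructed sample log object (not real events) so the module runs offline.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "readOnly": False, "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.5.0 terraform-provider-aws/5.0.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"}},
    {"eventTime": "2024-01-01T00:01:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "readOnly": False, "userAgent": "cloudformation.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy", "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventTime": "2024-01-01T00:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "readOnly": True, "userAgent": "aws-cli/2.13.0 Python/3.11.4", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
]}).encode())
```

In the deployed function the object body would come from the S3 event notification and the returned NDJSON would be written to the filtered-data bucket that the crawler scans.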
Automation and scale
- This solution can be scaled from one AWS account to multiple AWS accounts if there is an organization-wide CloudTrail trail in AWS Organizations. By deploying CloudTrail at the organizational level, you can also use this solution to fetch resource-auditing details for all the required resources. 
- This pattern uses AWS serverless resources to deploy the solution. 
Tools
AWS services
- Amazon Athena is an interactive query service that helps you analyze data directly in Amazon S3 by using standard SQL. 
- AWS Cloud Development Kit (AWS CDK) is a software development framework that helps you define and provision AWS Cloud infrastructure in code. 
- AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and AWS Regions. 
- AWS CloudTrail helps you audit the governance, compliance, and operational risk of your AWS account. 
- AWS Glue is a fully managed extract, transform, and load (ETL) service. It helps you reliably categorize, clean, enrich, and move data between data stores and data streams. This pattern uses an AWS Glue crawler and an AWS Glue Data Catalog table. 
- AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use. 
- Amazon QuickSight is a cloud-scale business intelligence (BI) service that helps you visualize, analyze, and report your data in a single dashboard. 
- Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data. 
Code repository
The code for this pattern is available in the GitHub infrastructure-assessment-iac-automation repository.
The code repository contains the following files and folders:
- lib folder – The AWS CDK construct Python files used to create AWS resources
- src/lambda_code – The Python code that is run in the Lambda function
- requirements.txt – The list of all Python dependencies that must be installed
- cdk.json – The input file to provide values required to spin up resources
Best practices
Set up monitoring and alerting for the Lambda function. For more information, see Monitoring and troubleshooting Lambda functions. For general best practices when working with Lambda functions, see the AWS documentation.
Epics
| Task | Description | Skills required | 
|---|---|---|
| Clone the repo on your local machine. | To clone the repository, run the command | AWS DevOps, DevOps engineer | 
| Set up the Python virtual environment and install required dependencies. | To set up the Python virtual environment, run the following commands. To set up the required dependencies, run the command | AWS DevOps, DevOps engineer | 
| Set up the AWS CDK environment and synthesize the AWS CDK code. | | AWS DevOps, DevOps engineer | 
| Task | Description | Skills required | 
|---|---|---|
| Export variables for the account and Region where the stack will be deployed. | To provide AWS credentials for AWS CDK by using environment variables, run the following commands. | AWS DevOps, DevOps engineer | 
| Set up the AWS CLI profile. | To set up the AWS CLI profile for the account, follow the instructions in the AWS documentation. | AWS DevOps, DevOps engineer | 
| Task | Description | Skills required | 
|---|---|---|
| Deploy resources in the account. | To deploy resources in the AWS account by using AWS CDK, do the following: | AWS DevOps | 
| Run the AWS Glue crawler and create the Data Catalog table. | An AWS Glue crawler is used to keep the data schema dynamic. The solution creates and updates partitions in the AWS Glue Data Catalog table by running the crawler periodically as defined by the AWS Glue crawler scheduler. After the data is available in the output S3 bucket, use the following steps to run the AWS Glue crawler and create the Data Catalog table schema for testing: Note: The AWS CDK code configures the AWS Glue crawler to run at a particular time, but you can also run it on demand. | AWS DevOps, DevOps engineer | 
| Deploy the QuickSight construct. | | AWS DevOps, DevOps engineer | 
| Create the QuickSight dashboard. | To create the example QuickSight dashboard and analysis, do the following: For more information, see Starting an analysis in Amazon QuickSight and Visual types in Amazon QuickSight. | AWS DevOps, DevOps engineer | 
| Task | Description | Skills required | 
|---|---|---|
| Remove the AWS resources. | | AWS DevOps, DevOps engineer | 
| Task | Description | Skills required | 
|---|---|---|
| Monitor and clean up manually created resources. | (Optional) If your organization has compliance requirements to create resources using IaC tools, you can achieve compliance by using AWS resource-assessment tool automation to fetch manually provisioned resources. You can also use the tool to import the resources to an IaC tool or to re-create them. To monitor manually provisioned resources, perform the following high-level tasks: | AWS DevOps, DevOps engineer | 
Troubleshooting
| Issue | Solution | 
|---|---|
| AWS CDK returns errors. | For help with AWS CDK issues, see Troubleshooting common AWS CDK issues. | 
Related resources
Additional information
Multiple accounts
To set up the AWS CLI credentials for multiple accounts, use AWS profiles. For more information, see the Configure multiple profiles section in Set up the AWS CLI.
AWS CDK commands
When working with AWS CDK, keep in mind the following useful commands:
- Lists all stacks in the app - cdk ls
- Emits the synthesized AWS CloudFormation template - cdk synth
- Deploys the stack to your default AWS account and Region - cdk deploy
- Compares the deployed stack with the current state - cdk diff
- Opens the AWS CDK documentation - cdk docs