Hello. I'm Fukushima, and I love the AWS CLI.
Introduction
This time I'll introduce how to retrieve Organizations-related information with the AWS CLI.
Commands and subcommands used
First, the structure of an AWS CLI invocation is as follows.
aws <command> <subcommand> [options and parameters]
With that in mind, the <command> and <subcommand> used this time are as follows.
<command>
- organizations
<subcommand>
- describe-organization
  Outputs the basic information of the organization.
- list-accounts
  Outputs the list of AWS accounts managed by Organizations.
- list-roots
  Outputs the Root information.
- list-organizational-units-for-parent
  Outputs OU information.
- list-policies
  Outputs the basic information of SCPs.
- describe-policy
  Outputs the detailed information (content) of an SCP.
- list-delegated-administrators
  Outputs the AWS accounts to which services have been delegated.
- list-delegated-services-for-account
  Outputs the services delegated to an account.
Now, here are the actual commands.
Organizations
describe-organization
① Organization ID, feature set, management account ID, management account email address
- Command
aws organizations describe-organization --query "Organization.[Id,FeatureSet,MasterAccountId,MasterAccountEmail]" --output text
- Result
o-xxxxxxxxx ALL 111111111111 hoge@gmail.com
Accounts
list-accounts
① AWS account name, ID, status
- Command
aws organizations list-accounts --query "Accounts[].[Name,Id,Status]" --output text
- Result
Log	111111111111	ACTIVE
Audit	222222222222	ACTIVE
② ① + email address
- Command
aws organizations list-accounts --query "Accounts[].[Name,Id,Status,Email]" --output text
- Result
Log	111111111111	ACTIVE	hoge@gmail.com
Audit	222222222222	ACTIVE	hoge@gmail.com
③ ① + how the account joined the organization and when it joined
- Command
aws organizations list-accounts --query "Accounts[].[Name,Id,Status,JoinedMethod,JoinedTimestamp]" --output text
- Result
Log	111111111111	ACTIVE	CREATED	2019-10-16T00:29:18.833000+09:00
Audit	222222222222	ACTIVE	CREATED	2019-10-16T00:29:18.833000+09:00
④ Everything from ① to ③
- Command
aws organizations list-accounts --query "Accounts[].[Name,Id,Status,Email,JoinedMethod,JoinedTimestamp]" --output text
- Result
Log	111111111111	ACTIVE	hoge@gmail.com	CREATED	2019-10-16T00:29:18.833000+09:00
Audit	222222222222	ACTIVE	hoge@gmail.com	CREATED	2019-10-16T00:29:18.833000+09:00
OUs
list-roots
① Root name, ID
- Command
aws organizations list-roots --query "Roots[].[Name,Id]" --output text
- Result
Root	r-xxxx
② ① + the policy types enabled on the Root
- Command
aws organizations list-roots --query "Roots[].[Name,Id,PolicyTypes[].[Type,Status]]" --output text
- Result
Root	r-xxxxx
TAG_POLICY	ENABLED
SERVICE_CONTROL_POLICY	ENABLED
list-organizational-units-for-parent
① List of OUs directly under the Root
- Command
aws organizations list-organizational-units-for-parent \
  --parent-id $(aws organizations list-roots --query "Roots[].Id" --output text) \
  --query "OrganizationalUnits[].[Name,Id]" --output text
- Result
test_ou_1	ou-xxxxxxxxxxxxx
test_ou_2	ou-xxxxxxxxxxxxx
test_ou_3	ou-xxxxxxxxxxxxx
② OU tree (up to 5 levels deep)
- Command
root_name_id=$(aws organizations list-roots --query "Roots[].[Name,Id]" --output text | tr "\t" ",");\
echo "1_${root_name_id}" > /tmp/awscli.tmp ;\
root_id=$(echo $root_name_id | awk -F, '{print $2}') ;\
aws organizations list-organizational-units-for-parent \
  --parent-id ${root_id} \
  --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "," | while read ou_name_id_1
do
  echo "└2_${ou_name_id_1}"
  ou_id=$(echo $ou_name_id_1 | awk -F, '{print $2}')
  aws organizations list-organizational-units-for-parent \
    --parent-id ${ou_id} \
    --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "," | while read ou_name_id_2
  do
    echo " └3_${ou_name_id_2}"
    ou_id=$(echo $ou_name_id_2 | awk -F, '{print $2}')
    aws organizations list-organizational-units-for-parent \
      --parent-id ${ou_id} \
      --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "," | while read ou_name_id_3
    do
      echo "  └4_$ou_name_id_3"
      ou_id=$(echo $ou_name_id_3 | awk -F, '{print $2}')
      aws organizations list-organizational-units-for-parent \
        --parent-id ${ou_id} \
        --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "," | while read ou_name_id_4
      do
        echo "   └5_$ou_name_id_4"
      done
    done
  done
done >> /tmp/awscli.tmp ;\
column -s, -t /tmp/awscli.tmp ;\
rm /tmp/awscli.tmp
- Result
1_Root             r-xxxx
└2_test_ou_1       ou-xxxxxxxxxxxxx
└2_test_ou_2       ou-xxxxxxxxxxxxx
 └3_test_ou_21     ou-xxxxxxxxxxxxx
  └4_test_ou_211   ou-xxxxxxxxxxxxx
   └5_test_ou_21111 ou-xxxxxxxxxxxxx
└2_Core            ou-xxxxxxxxxxxxx
└2_test_ou_3       ou-xxxxxxxxxxxxx
 └3_test_ou_31     ou-xxxxxxxxxxxxx
list-policies
① SCP name, ID
- Command
aws organizations list-policies --filter SERVICE_CONTROL_POLICY --query "Policies[].[Name,Id]" --output text
- Result
FullAWSAccess	p-FullAWSAccess
development_group	p-xxxxxxxx
PublicIP_NG	p-xxxxxxxx
builder-policy	p-xxxxxxxx
ec2-OK	p-xxxxxxxx
deny-ce	p-xxxxxxxx
EC2-deny	p-xxxxxxxx
NoPublicIP_V2	p-xxxxxxxx
Deny-EC2-PublicIP-Policy	p-xxxxxxxx
② ① + description
- Command
aws organizations list-policies --filter SERVICE_CONTROL_POLICY --query "Policies[].[Name,Id,Description]" --output text
- Result
FullAWSAccess	p-FullAWSAccess	Allows access to every operation
development_group	p-xxxxxxxx	development_group
PublicIP_NG	p-xxxxxxxx
builder-policy	p-xxxxxxxx	builder-policy
ec2-OK	p-xxxxxxxx	ec2-OK
deny-ce	p-xxxxxxxx
EC2-deny	p-xxxxxxxx	EC2-deny
NoPublicIP_V2	p-xxxxxxxx
Deny-EC2-PublicIP-Policy	p-xxxxxxxx
describe-policy
① Policy content of every SCP
- Command
aws organizations list-policies --filter SERVICE_CONTROL_POLICY --query "Policies[].[Name,Id]" --output text | while read line
do
  echo $line
  aws organizations describe-policy --policy-id $(echo $line | awk '{print $2}') \
    --query "Policy.Content" \
    | sed -e 's/\\n//g' -e 's/\\//g' -e s/^\"//g -e 's/\"$//g' | jq
done
- Result
FullAWSAccess p-FullAWSAccess
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
development_group p-q0kd39r4
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
② SCPs attached to each OU
- Command
root_name_id=$(aws organizations list-roots --query "Roots[].[Name,Id]" --output text | tr "\t" "?");\
echo "1_${root_name_id} " | tr "\n" " " > /tmp/awscli.tmp ;\
root_id=$(echo $root_name_id | awk -F'?' '{print $2}') ;\
echo $(aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id ${root_id} --query "Policies[].Name" --output text | tr "\t" ",") >> /tmp/awscli.tmp ;\
aws organizations list-organizational-units-for-parent --parent-id ${root_id} --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "?" | while read ou_name_id_1
do
  echo "└2_${ou_name_id_1}" | tr "\n" " "
  ou_id=$(echo $ou_name_id_1 | awk -F'?' '{print $2}')
  echo $(aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id ${ou_id} --query "Policies[].Name" --output text | tr "\t" ",")
  aws organizations list-organizational-units-for-parent --parent-id ${ou_id} --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "?" | while read ou_name_id_2
  do
    echo " └3_${ou_name_id_2}" | tr "\n" " "
    ou_id=$(echo $ou_name_id_2 | awk -F'?' '{print $2}')
    echo $(aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id ${ou_id} --query "Policies[].Name" --output text | tr "\t" ",")
    aws organizations list-organizational-units-for-parent --parent-id ${ou_id} --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "?" | while read ou_name_id_3
    do
      echo "  └4_$ou_name_id_3" | tr "\n" " "
      ou_id=$(echo $ou_name_id_3 | awk -F'?' '{print $2}')
      echo $(aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id ${ou_id} --query "Policies[].Name" --output text | tr "\t" ",")
      aws organizations list-organizational-units-for-parent --parent-id ${ou_id} --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "?" | while read ou_name_id_4
      do
        echo "   └5_$ou_name_id_4" | tr "\n" " "
        ou_id=$(echo $ou_name_id_4 | awk -F'?' '{print $2}')
        echo $(aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id ${ou_id} --query "Policies[].Name" --output text | tr "\t" ",")
      done
    done
  done
done >> /tmp/awscli.tmp ;\
column -s'?' -t /tmp/awscli.tmp ;\
rm /tmp/awscli.tmp
- Result
1_Root             r-xxxx FullAWSAccess,EC2-deny,Deny-EC2-PublicIP-Policy
└2_test_ou_1       ou-xxxx-xxxxxxx FullAWSAccess
└2_test_ou_2       ou-xxxx-xxxxxxx FullAWSAccess,builder-policy,deny-ce
 └3_test_ou_21     ou-xxxx-xxxxxxx PublicIP_NG,FullAWSAccess,NoPublicIP_V2
  └4_test_ou_211   ou-xxxx-xxxxxxx FullAWSAccess,EC2-deny,Deny-EC2-PublicIP-Policy
   └5_test_ou_21111 ou-xxxx-xxxxxxx FullAWSAccess,EC2-deny,Deny-EC2-PublicIP-Policy
└2_Core            ou-xxxx-xxxxxxx FullAWSAccess
└2_test_ou_3       ou-xxxx-xxxxxxx FullAWSAccess
 └3_test_ou_31     ou-xxxx-xxxxxxx FullAWSAccess
③ Accounts belonging to each OU
- Command
root_name_id=$(aws organizations list-roots --query "Roots[].[Name,Id]" --output text | tr "\t" ",");\
echo "1_${root_name_id}" > /tmp/awscli.tmp ;\
aws organizations list-accounts-for-parent --parent-id ${root_name_id#*,} --query "Accounts[].[Name,Id]" --output text >> /tmp/awscli.tmp ;\
root_id=$(echo $root_name_id | awk -F, '{print $2}') ;\
aws organizations list-organizational-units-for-parent \
  --parent-id ${root_id} \
  --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "," | while read ou_name_id_1
do
  echo "└2_${ou_name_id_1}"
  aws organizations list-accounts-for-parent --parent-id ${ou_name_id_1#*,} --query "Accounts[].[Name,Id]" --output text | sort
  ou_id=$(echo $ou_name_id_1 | awk -F, '{print $2}')
  aws organizations list-organizational-units-for-parent \
    --parent-id ${ou_id} \
    --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "," | while read ou_name_id_2
  do
    echo " └3_${ou_name_id_2}"
    aws organizations list-accounts-for-parent --parent-id ${ou_name_id_2#*,} --query "Accounts[].[Name,Id]" --output text | sort
    ou_id=$(echo $ou_name_id_2 | awk -F, '{print $2}')
    aws organizations list-organizational-units-for-parent \
      --parent-id ${ou_id} \
      --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "," | while read ou_name_id_3
    do
      echo "  └4_$ou_name_id_3"
      aws organizations list-accounts-for-parent --parent-id ${ou_name_id_3#*,} --query "Accounts[].[Name,Id]" --output text | sort
      ou_id=$(echo $ou_name_id_3 | awk -F, '{print $2}')
      aws organizations list-organizational-units-for-parent \
        --parent-id ${ou_id} \
        --query "OrganizationalUnits[].[Name,Id]" --output text | tr "\t" "," | while read ou_name_id_4
      do
        echo "   └5_$ou_name_id_4"
        aws organizations list-accounts-for-parent --parent-id ${ou_name_id_4#*,} --query "Accounts[].[Name,Id]" --output text | sort
      done
    done
  done
done >> /tmp/awscli.tmp ;\
column -s, -t /tmp/awscli.tmp ;\
rm /tmp/awscli.tmp
- Result
1_Root         r-xxxx
└2_Foundation  ou-xxxx-xxxxxxx
Audit	111111111111
Log	22222222222
 └3_Custom     ou-xxxx-xxxxxxx
Security	333333333333
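The three five-level scripts above (the OU tree, the SCPs attached to each OU, and the accounts in each OU) can be folded into a single recursive walk that is not limited to five levels. The following is an added example, not the article's own code; its function names are its own, and it assumes an AWS CLI profile with read access to the Organizations APIs in the management account or a delegated administrator.

```shell
#!/bin/sh
# Added example (not from the article): walk the OU tree recursively to any depth,
# printing each Root/OU with its directly attached SCPs and the accounts that sit
# directly in it. Assumes the AWS CLI is configured for the management account or
# a delegated administrator; function names are this example's own.

TAB=$(printf '\t')

# scps_for_target TARGET_ID: comma-separated names of the SCPs attached directly to a Root, OU or account
scps_for_target() {
    aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY \
        --target-id "$1" --query "Policies[].Name" --output text | tr "$TAB" ","
}

# walk_ou PARENT_ID DEPTH PREFIX: print PARENT's direct accounts, then recurse into its child OUs
walk_ou() {
    local parent_id="$1" depth="$2" prefix="$3" name id
    aws organizations list-accounts-for-parent --parent-id "$parent_id" \
        --query "Accounts[].[Name,Id]" --output text | sort |
    while IFS="$TAB" read -r name id; do
        if [ -n "$id" ]; then printf '%s  %s (%s)\n' "$prefix" "$name" "$id"; fi
    done
    aws organizations list-organizational-units-for-parent --parent-id "$parent_id" \
        --query "OrganizationalUnits[].[Name,Id]" --output text |
    while IFS="$TAB" read -r name id; do
        if [ -n "$id" ]; then
            printf '%s└%s_%s %s SCPs=%s\n' "$prefix" "$depth" "$name" "$id" "$(scps_for_target "$id")"
            walk_ou "$id" $((depth + 1)) "$prefix "
        fi
    done
}

# walk_org: start from every Root and print the whole tree, root SCPs included
walk_org() {
    local name id
    aws organizations list-roots --query "Roots[].[Name,Id]" --output text |
    while IFS="$TAB" read -r name id; do
        printf '1_%s %s SCPs=%s\n' "$name" "$id" "$(scps_for_target "$id")"
        walk_ou "$id" 2 ""
    done
}

# Run with: sh org_tree.sh --run
if [ "${1:-}" = "--run" ]; then walk_org; fi
```

Because SCPs are evaluated along the whole path from the Root down, reading the tree this way shows which policies apply to an account through inheritance, not only those attached to the account itself.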
④ SCPs attached directly to each AWS account
- Command
aws organizations list-accounts --query "Accounts[].[Name,Id]" --output text | tr "\t" ":" | while read line
do
  echo $line
  aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY \
    --target-id $(echo $line | awk -F: '{print $2}') \
    --query "Policies[].Name" --output text
done
- Result
Audit:111111111111
FullAWSAccess
Log:22222222222
FullAWSAccess
Delegation
list-delegated-administrators
① Accounts that have been designated as delegated administrators
- Command
aws organizations list-delegated-administrators --query "DelegatedAdministrators[].[Name,Id]" --output text
- Result
Audit 111111111111
list-delegated-services-for-account
① Services delegated to each delegated administrator
- Command
aws organizations list-delegated-administrators --query "DelegatedAdministrators[].[Name,Id]" --output text | while read line
do
  echo $line
  aws organizations list-delegated-services-for-account --account-id $(echo $line | awk '{print $2}') \
    --query "DelegatedServices[].[ServicePrincipal,DelegationEnabledDate]" --output text
done
- Result
Audit 111111111111
config.amazonaws.com	2021-09-30T17:14:07.982000+09:00
guardduty.amazonaws.com	2020-09-08T17:52:41.815000+09:00
macie.amazonaws.com	2021-05-13T17:42:49.722000+09:00
securityhub.amazonaws.com	2020-12-04T12:28:27.538000+09:00
Conclusion
This time I introduced commands for retrieving Organizations-related information. I hope this is useful to someone.
福島 和弥 (article list)
Joined 2019/10
I love the AWS CLI.
Holder of all 12 AWS certifications. 2023 Japan AWS Partner Ambassador / APN ALL AWS Certifications Engineer.