Contacts Manager

Programmatically manage AWS contacts at the AWS Organizations level

In this repository, we share code for batch management of contacts from your AWS accounts in an AWS Organizations.

This solution was developed thanks to these announcements:

Why was this solution created?

Keeping your contacts updated in your AWS accounts is important for compliance and ensuring that notifications sent by AWS are being sent to the correct recipients. There are 3 main types of contacts to be registered in an AWS account: primary contacts, alternate contacts and the email address of the account's root user.

Alternate contacts for an AWS account allow AWS to contact up to three additional points of contact associated with the account for billing, operations, and security issues. They are in addition to the primary email address associated with the AWS account (root user email). Ensuring they are up to date and properly configured is part of managing a mature AWS environment.

Customers with large numbers of AWS accounts face the challenge of ensuring that these contacts are set correctly and not altered. This solution aims to solve that by automating the bulk management of these different types of contacts.

Prerequisites

  • Your organization must enable all features to manage settings on your member accounts. This allows admin control over the member accounts. This is set by default when you create your organization. If your organization is set to consolidated billing only, and you want to enable all features, see Enabling all features in your organization.
  • You need to enable trusted access for AWS Account Management service. To set this up, see Enabling trusted access for AWS Account Management.
  • You need the necessary IAM permissions to run the tool. Please refer to the IAM Policy file.

Usage

⚠️ Note: Make sure you sign in to the management account of the AWS Organization or to the delegated administrator member account for AWS Organizations.

  1. Choose where you want to run it (CloudShell or Local terminal):

    • CloudShell
      1. Sign in to your AWS account.

      2. Open CloudShell.


      3. When CloudShell opens, run the following commands:

        1. Clone the repository.

           git clone https://github.com/aws-samples/contacts-manager.git
          
        2. Create and activate a clean virtual environment.

           python3 -m venv .venv
           source .venv/bin/activate
          
        3. Install dependencies.

           cd contacts-manager
           sh -e requirements.txt
          
    • Local terminal (recommended if you will run the Generate contacts report)
      1. Open your local terminal.

      2. Make sure to have AWS CLI and Python3 installed.

        • Check the AWS CLI version (the latest version is recommended).

           aws --version
          
        • Check the Python version.

            python -V
          

          or

            python3 -V
          
      3. Clone the repository.

         git clone https://github.com/aws-samples/contacts-manager.git
        
      4. Create and activate a clean virtual environment.

         python3 -m venv .venv
         source .venv/bin/activate
        
      5. Install dependencies.

         cd contacts-manager
         sh -e requirements.txt
        
      6. Sign in to your AWS account in the local terminal.

        • We recommend using credentials from AWS Identity Center (SSO).


        • You can run the following command to check your credentials.

            aws sts get-caller-identity
          
  2. Run the script.

     python3 script.py
    
  3. The first step is to choose which contact option you want to interact with.


  • Alternate contacts
    1. When selected, choose one of the 3 action options.


    2. Enter a comma-separated list of AWS account IDs, an organizational unit ID, or all. For the Delete action, for security reasons, only one AWS account ID at a time is allowed. Below are some input examples:

      • all
      • 000000000000,111111111111,222222222222,333333333333
      • 000000000000, 111111111111, 222222222222, 333333333333
      • ou-a0aa-abcdef0g
      • 012345678910 (valid for Delete action)
    3. Choose the type of alternate contact.


    • List action

      1. For the List action, you can optionally export the result to an S3 bucket.


      2. Entering "y" prompts for the name of the S3 bucket to upload to. Entering "n" prints the result to the CloudShell or local terminal screen.


    • Update action

      1. For the Update action, you must fill in all the contact fields and follow the expected format for each. Below are some input examples:

        • Email: example@mail.com

        • Name: My Name

        • Phone number: +5511900002222

        • Title: Technical Account Manager


    • Delete action

      1. For the Delete action, for security reasons, only one AWS account ID at a time is allowed.

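
The selector rules (all, a comma-separated list of account IDs, an OU ID, or a single ID for Delete) and the Update field formats described above, as an added example that is not part of the contacts-manager project: a stdlib-only validator that enforces the one-account limit for Delete and checks the contact fields before any API call. The E.164-style phone rule and the email regex are assumptions, stricter than the AWS API's own patterns.

```python
import re

# Selector shapes the README shows: 12-digit account IDs, an OU ID such as
# ou-a0aa-abcdef0g, or the literal "all".
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")
# Update-action field formats. The phone rule is E.164-style, an assumption
# stricter than the AWS API's pattern; the README's +5511900002222 passes it.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")
CONTACT_FIELDS = ("email", "name", "phone", "title")


def parse_selector(raw: str, action: str) -> tuple[str, list[str]]:
    """Classify the selector as ("all", []), ("ou", [id]) or ("accounts", ids).

    Delete is limited to exactly one account ID, as the README states, so a
    broad selector can never remove contacts across an OU or the whole org.
    """
    text = raw.strip()
    if text.lower() == "all":
        kind, values = "all", []
    elif OU_ID_RE.match(text):
        kind, values = "ou", [text]
    else:
        ids = [part.strip() for part in text.split(",") if part.strip()]
        if not ids or not all(ACCOUNT_ID_RE.match(i) for i in ids):
            raise ValueError(f"invalid selector: {raw!r}")
        kind, values = "accounts", ids
    if action == "delete" and (kind != "accounts" or len(values) != 1):
        raise ValueError("Delete accepts exactly one AWS account ID")
    return kind, values


def validate_contact(fields: dict) -> list[str]:
    """Return the problems with an Update payload; an empty list means valid."""
    problems = [f"{f}: required" for f in CONTACT_FIELDS
                if not str(fields.get(f, "")).strip()]
    if fields.get("email") and not EMAIL_RE.match(fields["email"]):
        problems.append("email: not a valid address")
    if fields.get("phone") and not PHONE_RE.match(fields["phone"]):
        problems.append("phone: use international format, e.g. +5511900002222")
    return problems


if __name__ == "__main__":
    # Constructed inputs taken from the README's own examples.
    print(parse_selector("000000000000, 111111111111, 222222222222", "list"))
    print(parse_selector("012345678910", "delete"))
```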

  • Primary contacts information
    1. When selected, choose one of the 2 action options.


    2. Enter a comma-separated list of AWS account IDs, an organizational unit ID, or all. For the Delete action, for security reasons, only one AWS account ID at a time is allowed. Below are some input examples:

      • all
      • 000000000000,111111111111,222222222222,333333333333
      • 000000000000, 111111111111, 222222222222, 333333333333
      • ou-a0aa-abcdef0g
      • 012345678910 (valid for Delete action)
    • List action

      1. For the List action, you can optionally export the result to an S3 bucket.


      2. Entering "y" prompts for the name of the S3 bucket to upload to. Entering "n" prints the result to the CloudShell or local terminal screen.


    • Update action

      1. For the Update action, you must fill in all the contact fields and follow the expected format for each.


  • Root email addresses
    1. When selected, choose one of the 2 action options.


    2. Enter a comma-separated list of AWS account IDs, an organizational unit ID, or all. For the Delete action, for security reasons, only one AWS account ID at a time is allowed. Below are some input examples:

      • all
      • 000000000000,111111111111,222222222222,333333333333
      • 000000000000, 111111111111, 222222222222, 333333333333
      • ou-a0aa-abcdef0g
      • 012345678910 (valid for Delete action)
    • List action

      1. For the List action, you can optionally export the result to an S3 bucket.


      2. Entering "y" prompts for the name of the S3 bucket to upload to. Entering "n" prints the result to the CloudShell or local terminal screen.


    • Update action

      1. For the Update action, you must fill in all the contact fields. A status prefix of "⟳" (pending) or "✔" (done) is shown for each account so you can monitor the progress of the changes.


      2. When you select an account, you must enter the OTP (One-Time Password). This must be done one account at a time.


      3. Once you update the root email address, the status changes to "✔" (done). When every account shows "✔" (done), the function is complete.


  • Generate contacts report
    • When selected, the tool generates a report with all contacts from all accounts in the Organization.
      Note: it takes an average of 4s per account.


  4. [Optional] Remove the tool. The clone is a directory named contacts-manager, so it must be removed recursively.

     cd ..
     rm -rf contacts-manager
    

Feedback

Feedback is always welcome! Please share your experience, thoughts, and feature requests: Feedback Survey.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.