Skip to content

A tool for customers to evaluate their AWS service configurations based on AWS and community best practices and receive recommendations on potential improvements.

License

Notifications You must be signed in to change notification settings

aws-samples/service-screener-v2

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Service Screener

An open source guidance tool for the AWS environment. Click here for sample report.

Disclaimer: The generated report has to be hosted locally and MUST NOT be internet accessible

We hear that current Screener is not compatible for Greater China region. Our community folks has tune and make it works here: https://github.com/lijh-aws-tools/service-screener-cn"

Overview

Service Screener is a tool that runs automated checks on AWS environments and provides recommendations based on AWS and community best practices.

AWS customers can use this tool on their own environments and use the recommendations to improve the Security, Reliability, Operational Excellence, Performance Efficiency and Cost Optimisation at the service level.

This tool aims to complement the AWS Well Architected Tool.

How does it work?

Service Screener uses AWS Cloudshell, a free serivce that provides a browser-based shell to run scripts using the AWS CLI. It runs multiple describe and get API calls to determine the configuration of your environment.

How much does it cost?

Running this tool is free as it is covered under the AWS Free Tier. If you have exceeded the free tier limits, each run will cost less than $0.01.

Prerequisites

  1. Please review the DISCLAIMER before proceeding.
  2. You must have an existing AWS Account.
  3. You must have an IAM User with sufficient read permissions. Here is a sample policy. Additionally, the IAM User must also have the following permissions: a. AWSCloudShellFullAccess b. cloudformation:CreateStack c. cloudformation:DeleteStack

Installing service-screener V2

  1. Log in to your AWS account using the IAM User with sufficient permissions described above.
  2. Launch AWS CloudShell in any region.
Launch AWS Cloudshell Walkthrough

Launch AWS CloudShell

In the AWS CloudShell terminal, run this script this to install the dependencies:

cd /tmp
python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
python3 unzip_botocore_lambda_runtime.py
alias screener="python3 $(pwd)/main.py"
Install Dependecies Walkthrough

Install dependencies

Using Service Screener

When running Service Screener, you will need to specify the regions and services you would like it to run on. It currently supports Amazon Cloudfront, AWS Cloudtrail, Amazon Dynamodb, Amazon EC2, Amazon EFS, Amazon RDS, Amazon EKS, Amazon Elasticache, Amazon Guardduty, AWS IAM, Amazon Opensearch, AWS Lambda, and Amazon S3.

We recommend running it in all regions where you have deployed workloads in. Adjust the code samples below to suit your needs then copy and paste it into Cloudshell to run Service Screener.

Example 1: (Recommended) Run in the Singapore region, check all services with beta features enabled

screener --regions ap-southeast-1 --beta 1

Example 1a: Run in the Singapore region, check all services on stable releases

screener --regions ap-southeast-1

Example 2: Run in the Singapore region, check only Amazon S3

screener --regions ap-southeast-1 --services s3

Example 3: Run in the Singapore & North Virginia regions, check all services

screener --regions ap-southeast-1,us-east-1

Example 4: Run in the Singapore & North Virginia regions, check RDS and IAM

screener --regions ap-southeast-1,us-east-1 --services rds,iam

Example 5: Run in the Singapore region, filter resources based on tags (e.g: Name=env Values=prod and Name=department Values=hr,coe)

screener --regions ap-southeast-1 --tags env=prod%department=hr,coe

Example 6: Run in all regions and all services

screener --regions ALL

Other parameters

# AWS Partner used, migration evaluation id
--others '{"mpe": {"id": "aaaa-1111-cccc"}}'

# To create a workload and a milestone in the Well-Architected Tool
# Set `newMileStone` to 1 to create a milestone each time the Service Screener is run. (Recommended)
# Set `newMileStone` to 0 to create a milestone only once if no milestone has been created.
# Use the existing workload name as `reportName` to update the milestone and track improvements.
--others '{"WA": {"region": "ap-southeast-1", "reportName":"SS_Report", "newMileStone":1}}'

screener --regions ap-southeast-1 --beta 1 --others '{"WA": {"region": "ap-southeast-1", "reportName":"SS_Report", "newMileStone":1}}'

# you can combine both
--others '{"WA": {"region": "ap-southeast-1", "reportName":"SS_Report", "newMileStone":1}, "mpe": {"id": "aaaa-1111-cccc"}}'
Get Report Walkthrough

Get Report

Downloading the report

The output is generated as a ~/service-screener-v2/output.zip file. You can download the file in the CloudShell console by clicking the Download file button under the Actions menu on the top right of the Cloudshell console.

Download Output & Report Viewing Walkthrough

Download Output

Once downloaded, unzip the file and open 'index.html' in your browser. You should see a page like this:

front page

Ensure that you can see the service(s) run on listed on the left pane. You can navigate to the service(s) listed to see detailed findings on each service.

Sample Output Walkthrough

Sample Output

Using the report

The report provides you an easy-to-navigate dashboard of the various best-practice checks that were run.

Use the left navigation bar to explore the checks for each service. Expand each check to read the description, find out which resources were highlighted, and get recommendations on how to remediate the findings.

Besides the HTML report, you can also find two JSON files that record the findings in each AWS account's folder:

  • api-raw.json: Contains the raw findings
  • api-full.json: Contains the full results in JSON format

Contributing to service-screener

We encourage public contributions! Please review CONTRIBUTING for details on our code of conduct and development process.

Contact

Please review CONTRIBUTING to raise any issues.

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

About

A tool for customers to evaluate their AWS service configurations based on AWS and community best practices and receive recommendations on potential improvements.

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published