🚀 AWS Cloud Asset Inventory Toolkit¶

🎓 Enterprise-Grade Production-Ready Automation for AWS Resource Inventory, Management, and Governance

📖 Overview¶

The AWS Cloud Asset Inventory Toolkit provides comprehensive Python-based automation scripts specifically designed for large-scale, multi-account AWS environments. These scripts simplify asset discovery, compliance audits, security enforcement, workload management, and governance aligned with AWS Cloud Foundation, AWS Well-Architected Framework, CIS Controls, NIST SP 800-53, and ISO 27001 best practices.

This repository adheres strictly to industry-leading DevSecOps principles:

Security First: Zero Trust architecture and secure-by-default scripting.
Automation & Repeatability: Infrastructure-as-Code (IaC) inspired automation and script standardization.
Observability & Auditing: Built-in structured logging and audit trails for governance and compliance visibility.
Scalability & Maintainability: Clearly defined script naming conventions and documentation, designed for future scalability and ease of maintenance.

🗂️ Repository Structure¶

🛠️ AWS Capability Alignment & Available Scripts

Each script aligns to specific AWS Cloud Foundation capabilities and follows a clear naming convention:

<verb>_<domain>_<object>.py

Verb: Action (e.g., list, check, update, enable, enforce, move)
Domain: AWS service/domain (e.g., ec2, iam, cfn, cloudtrail)
Object: Specific resource(s) targeted (e.g., instances, roles, stacks)

🔐 Identity & Access Management¶

Script Name	Description
`list_iam_roles.py`	Lists all IAM roles across AWS accounts.
`list_org_iam_users.py`	Enumerates IAM users across AWS Organizations.
`list_iam_saml_providers.py`	Discovers all configured SAML providers.

📈 Logging & Observability¶

Script Name	Description
`check_cloudtrail_status.py`	Audits CloudTrail enablement status in all regions.
`update_cloudwatch_retention_policy.py`	Updates retention settings across CloudWatch logs.

🛡️ Governance & Compliance¶

Script Name	Description
`check_org_alz_account_prerequisites.py`	Validates ALZ prerequisites for AWS accounts.
`check_org_ct_account_prerequisites.py`	Checks prerequisites for AWS Control Tower adoption.
`draw_org_structure.py`	Generates AWS Org diagrams in Graphviz format.
`list_config_recorders_delivery_channels.py`	Lists AWS Config recorders and delivery channels.
`list_org_accounts.py`	Comprehensive listing of AWS Organization accounts.

🚧 Workload Isolation¶

Script Name	Description
`move_cfn_stackset_instances.py`	Safely migrates CloudFormation stack instances.
`enable_cfn_stackset_drift_detection.py`	Enables drift detection for CloudFormation StackSets.
`list_cfn_orphaned_stacks.py`	Identifies orphaned CloudFormation stacks.

🌐 Network Connectivity¶

Script Name	Description
`list_vpcs.py`	Lists VPCs across accounts and regions.
`list_subnets.py`	Enumerates subnets, searchable by IP.
`find_ec2_security_groups.py`	Finds Security Groups matching criteria.
`find_ec2_network_interfaces.py`	Locates ENIs by IP address.
`list_route53_private_hosted_zones.py`	Lists Route53 private hosted zones.

🔄 Change Management¶

Script Name	Description
`list_cfn_stacks.py`	Enumerates CloudFormation stacks across accounts.

⚙️ Quick Start & Usage Guide¶

✅ Pre-requisites¶

AWS CLI and Python (3.10+) installed
AWS credentials with appropriate permissions (stored securely)
Install required Python packages:
```
pip install -r requirements.txt
```

⚙️ Usage (Running Scripts) 🚀¶

📌 Script Naming Convention

<verb>_<domain>_<object>.py

Example: list_ec2_instances.py

Verb–Domain–Object structure:

Verb = what it does (e.g. list, check, enable, update, move, draw).
Domain = which AWS service or concept (e.g. org, cfn, vpc, cloudtrail).
Object = the resource type or aggregation (e.g. stacksets, accounts, volumes).

Run scripts individually or batch operations:

./inventory_scripts.sh <script_name|all> [parameters]

echo "Execute a specific script:"
./inventory_scripts.sh list_ec2_instances.py -p <profile> -r <region>

echo "Execute all scripts:"
./inventory_scripts.sh all -p <profile>

Logs are stored in structured directories (logs/) with detailed execution summaries.

📃 Common Script Parameters¶

Param	Usage & Description
`-p`	AWS CLI profile (supports fragments)
`-r`	AWS Region (default `us-east-1`; supports `all`)
`-v/-vv/-vvv`	Verbosity Levels (Info, Debug)
`-h`	Help screen (detailed usage per script)
`+delete`	Explicitly required flag for deletion actions

🚩 Security & Operational Guidelines¶

Scripts default to read-only operations unless explicitly stated.
Explicit Actions: Deletion operations require explicit confirmation (+delete parameter) to minimize accidental impact.
Structured logging (JSON format recommended) ensures auditability and traceability + advanced markdown for user-friendly.

📚 References & Documentation¶

AWS Well-Architected Framework
Terraform IaC Documentation
📑 Compliance & Standards Alignment
- CIS AWS Foundations Benchmark
- NIST SP 800-53 Security Controls
- ISO/IEC 27001 Information Security Standards