
I would like to find out if there is an easy way to tell whether a given launch configuration was created using the AWS Console or programmatically.

Use case:

We are planning to avoid copying/creating launch configurations using the AWS Console, so we would like to implement some alert system for any launch configuration created using the AWS Console.

So is there any way we can look at a flag on the launch configuration and tell whether it was created using the AWS Console or not?

cnutext

2 Answers


Quick thought

Approach 1

  1. Revoke launch configuration permissions from all users with console access.
  2. Use a separate user for the program, who has permission to create launch configurations.

Approach 2

Write a program which monitors CloudTrail logs, because everything we do, whether via the console or the API, is (or can be) logged in CloudTrail.

raevilman
  • Approach 1: yes, but we have some exceptions, not an easy task. Approach 2: for future creations we can alert using CloudTrail logs, but how do we find out the existing mess with launch configurations? Segregate launch configurations created programmatically vs. via the AWS console. – cnutext Mar 28 '18 at 07:02
  • The best and fastest way is to use Athena to analyse logs for `CreateLaunchConfiguration` API calls. – Varun Chandak Mar 28 '18 at 07:17
  • For existing infra, you can also dig into CloudTrail logs, whatever is there. I guess there is no other option. – raevilman Mar 28 '18 at 09:01
  • Yes, it looks like it; did not find any elegant or easy solution as of now. – cnutext Mar 29 '18 at 20:07
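One way to triage the existing launch configurations from archived CloudTrail logs, as the comments above suggest. This is an added example, not code from any answer here; it assumes the usual CloudTrail record fields (`userAgent`, record-level `sessionCredentialFromConsole`) and uses constructed sample records, not real trail data.

```python
import json

# Constructed sample in the shape of a CloudTrail log file (not real data):
# one launch configuration created from the console, one from the CLI, plus
# an unrelated read-only call that must be ignored.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "CreateLaunchConfiguration",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"launchConfigurationName": "web-lc-console"}},
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "CreateLaunchConfiguration",
     "userAgent": "aws-cli/1.14.0 Python/2.7.14 Linux/4.9 botocore/1.8.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"launchConfigurationName": "web-lc-cli"}},
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "DescribeLaunchConfigurations",
     "userAgent": "console.amazonaws.com"},
]})

# User agents CloudTrail records for calls made from the AWS Management Console
# (assumed typical values; verify against your own trail before relying on them).
CONSOLE_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com")


def is_console_origin(record):
    """True when the record looks console-originated: a console user agent, or
    the record-level sessionCredentialFromConsole flag (assumed layout)."""
    agent = record.get("userAgent", "")
    if any(agent.startswith(marker) for marker in CONSOLE_AGENTS):
        return True
    return str(record.get("sessionCredentialFromConsole", "")).lower() == "true"


def classify_launch_configs(records):
    """Map each launch configuration name created in `records` to 'console' or
    'api', keeping only Auto Scaling CreateLaunchConfiguration events."""
    origins = {}
    for rec in records:
        if (rec.get("eventSource") != "autoscaling.amazonaws.com"
                or rec.get("eventName") != "CreateLaunchConfiguration"):
            continue
        name = (rec.get("requestParameters") or {}).get("launchConfigurationName")
        if name:
            origins[name] = "console" if is_console_origin(rec) else "api"
    return origins


def console_created(log_text):
    """Parse one CloudTrail log file and return the console-created names, sorted."""
    records = json.loads(log_text).get("Records", [])
    return sorted(n for n, o in classify_launch_configs(records).items() if o == "console")
```

Run it over every `*.json` object in the trail's S3 prefix (after gunzip) and compare the result against the launch configurations that still exist in the account; anything created before the trail was enabled will not show up and needs a manual review.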

My suggestion would be: Use only CloudFormation to create the LaunchConfigs and then check for the existence of relevant CF-tags.

Added bonus: you can create a specific role for CF to launch EC2 instances and then revoke all permissions for your users.

Exelian
  • +1 to use CloudFormation to create new launch configs. But the issue here is: how to segregate the existing ones which are already created. – cnutext Mar 29 '18 at 20:06