
I'm working to pull the accountID from a newly created AWS account within an organization. I'm using a CloudWatch rule that triggers the lambda function off of the CreateAccountResult event name. Within this event, it gives me the createAccountStatus of "SUCCEEDED" as well as the accountID of the new account.

I want to be able to pull JUST the accountID and insert it into a variable within my lambda function.

This lambda function is being used to create an AWS connector to link the account to Trend Micro. Essentially, what I'm using in this script is:

account = '**accountID**'

# IAM role ARNs have '::' between 'iam' and the account ID (arn:aws:iam::<account>:role/<name>)
payload = "{\n   \"crossAccountRoleArn\": \"arn:aws:iam::" + account + ":role/TrendMicroDSM\",\n   \"workspacesEnabled\": true\n}"

I want the account variable to automatically update with the newest account's accountID.

Is this even possible?

  • Sorry, but your question is confusing. Are you asking how to get the data from the response from `create_account()`? – John Rotenstein Jul 11 '20 at 03:09
  • I guess I'm technically asking 2 questions. First, how can I create a CloudWatch rule that is triggered at the creation of a new account (I may have already accomplished this) that triggers a lambda function? Second, how can I pull the accountID from that new account to populate within my lambda function to link the account to Trend? – Justin Lawhorne Jul 12 '20 at 03:06

1 Answer


If you are using Python, the create_account() function returns:

{
    'CreateAccountStatus': {
        'Id': 'string',
        'AccountName': 'string',
        'State': 'IN_PROGRESS'|'SUCCEEDED'|'FAILED',
        'RequestedTimestamp': datetime(2015, 1, 1),
        'CompletedTimestamp': datetime(2015, 1, 1),
        'AccountId': 'string',
        'GovCloudAccountId': 'string',
        'FailureReason': 'ACCOUNT_LIMIT_EXCEEDED'|'EMAIL_ALREADY_EXISTS'|'INVALID_ADDRESS'|'INVALID_EMAIL'|'CONCURRENT_ACCOUNT_MODIFICATION'|'INTERNAL_FAILURE'|'GOVCLOUD_ACCOUNT_ALREADY_EXISTS'
    }
}

Therefore, you could simply use:

import boto3

client = boto3.client('organizations')

response = client.create_account(...)

account_id = response['CreateAccountStatus']['AccountId']
John Rotenstein
  • Is this what I would add to my lambda function as a variable set to populate the accountID? Or is this creating an account and then pulling requested info? Python is very new to me, I'm used to PowerShell, so I apologize – Justin Lawhorne Jul 12 '20 at 03:15
  • Your question did not mention a programming language. If you have already written code to receive the account creation information, please edit your question to include the code and please clarify what you are trying to do and what exact problem you are facing. – John Rotenstein Jul 12 '20 at 03:35
  • The language is Python. I haven't written code to receive the information, but I have code for linking the account to Trend written in Python; I put a sample in my post. The code you provided, I'm assuming that will pull the account ID information from the CloudTrail event that triggered the lambda function? So I could add that at the beginning of my lambda function and use `account_id = response['CreateAccountStatus']['AccountId']` as a variable that would add the account ID from the CloudTrail event into the lambda function? – Justin Lawhorne Jul 13 '20 at 11:27
  • Ah! No, the above code will _create_ the account. If you are receiving a message from CloudTrail, please edit your question to show the format of the data that is being provided. It will arrive in the `event` record within the Lambda function. – John Rotenstein Jul 13 '20 at 11:30
  • For the script you provided, would that go through each account every time? How would you single out the new account to only grab that information? – Justin Lawhorne Jul 13 '20 at 11:44
  • The flow would be: Account is created, then Amazon CloudWatch Events triggers an AWS Lambda function, passing the CloudTrail information via the `event` field. Thus, the Lambda function is _only_ given information from the CloudTrail message. No need to 'single out' any information. I suggest you start by writing an AWS Lambda function that simply does `print(event)` so that you can look in CloudWatch Logs to see what information was received by the function. Then, you can determine how to extract the data you want. – John Rotenstein Jul 13 '20 at 11:46
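As an added example (not code from the question or the answer above), here is what the flow described in the last comment looks like as a Lambda handler: the account ID is read from the `event` record rather than from a `create_account()` call, only a SUCCEEDED `CreateAccountResult` is accepted, the ID is validated before it is placed into the role ARN, and the connector body is built with `json.dumps` instead of string concatenation. The event layout is assumed from the AWS Organizations CloudTrail `CreateAccountResult` example and the sample values are constructed; `TrendMicroDSM` and the payload keys come from the question.

```python
import json
import re

# Constructed sample of the CloudWatch Events record a Lambda receives for the
# CloudTrail "CreateAccountResult" event (field names follow the AWS Organizations
# CloudTrail example; the values are made up).
SAMPLE_EVENT = {
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccountResult",
        "serviceEventDetails": {
            "createAccountStatus": {
                "state": "SUCCEEDED",
                "accountName": "example-workload",
                "accountId": "111122223333",
            }
        },
    },
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def extract_account_id(event):
    """Return the new account's ID, or None for anything other than a SUCCEEDED
    CreateAccountResult from Organizations (FAILED/IN_PROGRESS are skipped)."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "organizations.amazonaws.com":
        return None
    if detail.get("eventName") != "CreateAccountResult":
        return None
    status = detail.get("serviceEventDetails", {}).get("createAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    account_id = status.get("accountId", "")
    # Only a 12-digit account ID may be interpolated into the role ARN.
    return account_id if ACCOUNT_ID_RE.match(account_id) else None


def build_connector_payload(account_id, role_name="TrendMicroDSM"):
    """JSON body for the connector request; IAM role ARNs have '::' before the ID."""
    return json.dumps({
        "crossAccountRoleArn": f"arn:aws:iam::{account_id}:role/{role_name}",
        "workspacesEnabled": True,
    })


def lambda_handler(event, context):
    account_id = extract_account_id(event)
    if account_id is None:
        return {"skipped": True}
    return {"skipped": False, "payload": build_connector_payload(account_id)}
```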