
4 Ways to Search for Resources in Your AWS Account

Published on

Hello, I'm Hiraki from CSC!

As AWS environments become more complex and the number of managed resources grows, do you ever find yourself wondering, "Where was that resource?" or "Which account is this setting applied to?"
Especially in a multi-account environment, just finding the target resource can be a challenge.

In this blog post, I have picked four services that can be used to search for resources in an AWS environment:

  • Tag Editor
  • AWS Resource Explorer
  • AWS Config Advanced Query
  • Amazon Q Developer

I will explain their features, multi-account support, and the types of resources they can search in detail.

Quick Conclusion

Tag Editor
  • Features: Bulk management and editing of resources based on tags; effective for enforcing a tagging strategy, but unsuitable for finding resources that have no tags.
  • Multi-account cross-search: × (not supported)
  • Search targets: Resource types that can be used with AWS Resource Groups and Tag Editor - AWS Resource Groups
  • Main use cases: Searching for and managing resources by tag, bulk tag editing

AWS Resource Explorer
  • Features: Quick discovery and visualization of resources across multiple accounts, but detailed configuration information must be checked separately.
  • Multi-account cross-search: ○ (via AWS Organizations)
  • Search targets: Resource types that can be searched with Resource Explorer - AWS Resource Explorer
  • Main use cases: Broad resource discovery, inventory management, and visualization

AWS Config Advanced Query
  • Features: Analysis of detailed resource configuration and its history using SQL-like syntax; powerful for compliance auditing, but writing queries requires some specialized knowledge.
  • Multi-account cross-search: ○ (via a Config aggregator)
  • Search targets: Resource types supported by AWS Config - AWS Config
  • Main use cases: Searching detailed configuration information, compliance auditing, and security analysis

Amazon Q Developer
  • Features: An AI assistant that offers intuitive, natural-language resource search and development support, but search accuracy depends on the underlying services and complex conditions are hard to express.
  • Multi-account cross-search: △ (might be possible via the CLI depending on credential settings)
  • Search targets: Resource types that support Cloud Control API - Cloud Control API
  • Main use cases: Natural-language resource search, development support, and troubleshooting

1. Tag Editor

Tag Editor is a tool for efficiently managing and searching for tags assigned to AWS resources.
Tags are extremely helpful for classifying and managing resources, and using Tag Editor makes it easy to discover resources based on tags.

However, since it is predicated on the use of tags, you cannot search for resources that do not support tags or those that have not been tagged.

Tag Editor alone does not support searching across multiple accounts.

Tag management is currently being migrated to AWS Resource Explorer. You can search for resources across multiple AWS accounts and regions from AWS Resource Explorer and check their tags.

To edit tags, you must be in the account where the resource resides.

Search Targets

It covers a wide range of taggable AWS resource types, including EC2, S3, RDS, Lambda, and IAM.
You can choose to search for specific resource types or target "All resource types."

The latest and complete list can be found in the following official documentation.

https://docs.aws.amazon.com/ARG/latest/userguide/supported-resources.html

2. AWS Resource Explorer

AWS Resource Explorer is a service that allows you to quickly search and discover resources within your AWS account.
From a single search bar, you can easily find the resources you need using resource types, tags, keywords, and more.

Multi-account cross-search

By integrating with AWS Organizations, it is possible to search for resources across multiple AWS accounts within an organization.
This enables centralized resource management and visualization.

Search Targets

It supports a wide variety of AWS resource types, such as EC2 instances, S3 buckets, DynamoDB tables, and Lambda functions.
The supported services are continuously updated, and the latest and complete list can be found in the following official documentation.

https://docs.aws.amazon.com/resource-explorer/latest/userguide/supported-resource-types.html

The search functionality was also updated recently, making it easier to run multiple searches; see the following post:

https://zenn.dev/khirasan/articles/c9f63e5eb781f0
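The console search bar is convenient, but the same organization-wide view can be queried from the Resource Explorer API, which is how you would turn a search into a recurring check. The following is an added example (not code from the original post): it finds resources that lack a required tag, or carry no tags at all, across every account the view covers, and groups the hits by owning account and resource type. It assumes that an aggregator index and an organization-scoped view already exist, that VIEW_ARN is a placeholder for that view's ARN, that the resourcetype:, region:, -tag.key: and tag:none filters of the Resource Explorer query syntax are used, and the SAMPLE_RESOURCES list is constructed, not real output.

```python
"""Find resources missing a required tag across an organization with AWS Resource Explorer.

Added example, not code from the original post. VIEW_ARN is a placeholder for an
organization-scoped view; SAMPLE_RESOURCES are constructed, not real API output.
"""
from collections import defaultdict

VIEW_ARN = "arn:aws:resource-explorer-2:us-east-1:111111111111:view/org-view/EXAMPLE"  # placeholder


def build_query(resource_type=None, region=None, required_tag_key=None, untagged=False):
    """Compose a Resource Explorer query string.

    Filters used: resourcetype: (e.g. ec2:instance), region:, -tag.key:KEY (resources
    that do not carry that tag key) and tag:none (resources with no tags at all).
    """
    parts = []
    if resource_type:
        parts.append(f"resourcetype:{resource_type}")
    if region:
        parts.append(f"region:{region}")
    if required_tag_key:
        parts.append(f"-tag.key:{required_tag_key}")
    if untagged:
        parts.append("tag:none")
    return " ".join(parts)


def search_all(query, view_arn=VIEW_ARN):
    """Page through Search results for the given view.

    boto3 is imported lazily: this call needs credentials and network access, unlike the
    rest of the module. The client is created in the view's own region (ARN field 3),
    because a view can only be used in the region where it exists.
    """
    import boto3
    client = boto3.client("resource-explorer-2", region_name=view_arn.split(":")[3])
    resources, token = [], None
    while True:
        kwargs = {"QueryString": query, "ViewArn": view_arn, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        resp = client.search(**kwargs)
        resources.extend(resp.get("Resources", []))
        token = resp.get("NextToken")
        if not token:
            return resources


def summarize(resources):
    """Count hits per (owning account, resource type), largest groups first.

    Each result carries OwningAccountId, so one organization-wide search already tells
    you which account owner to chase for each untagged resource.
    """
    counts = defaultdict(int)
    for resource in resources:
        counts[(resource["OwningAccountId"], resource["ResourceType"])] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


# Constructed sample in the shape of Search's Resources[] entries (not real output).
SAMPLE_RESOURCES = [
    {"Arn": "arn:aws:ec2:ap-northeast-1:111111111111:instance/i-0aaa", "OwningAccountId": "111111111111",
     "Region": "ap-northeast-1", "ResourceType": "ec2:instance", "Service": "ec2"},
    {"Arn": "arn:aws:ec2:ap-northeast-1:111111111111:instance/i-0bbb", "OwningAccountId": "111111111111",
     "Region": "ap-northeast-1", "ResourceType": "ec2:instance", "Service": "ec2"},
    {"Arn": "arn:aws:lambda:ap-northeast-1:111111111111:function:report", "OwningAccountId": "111111111111",
     "Region": "ap-northeast-1", "ResourceType": "lambda:function", "Service": "lambda"},
    {"Arn": "arn:aws:s3:::example-untagged-bucket", "OwningAccountId": "222222222222",
     "Region": "global", "ResourceType": "s3:bucket", "Service": "s3"},
]

if __name__ == "__main__":
    query = build_query(required_tag_key="Owner")
    # For live data: results = search_all(query)
    for (account, resource_type), count in summarize(SAMPLE_RESOURCES):
        print(f"{account} {resource_type}: {count} resource(s) matching '{query}'")
```

Because the query runs against the view rather than against each account, the result set naturally spans the organization; the role calling Search only needs resource-explorer-2:Search on the view, not access to the member accounts themselves.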

3. AWS Config Advanced Query

AWS Config is a service that records configuration change history for AWS resources and evaluates configuration compliance.
Using the Advanced Query feature, you can search and analyze resource configuration information in detail using SQL-like syntax.

For example, as shown in the screenshots, if you want to find IAM roles that have the AdministratorAccess policy attached, you can run a query like the following:

SELECT
  accountId,
  configuration.roleName,
  configuration.attachedManagedPolicies.policyName
WHERE
  resourceType = 'AWS::IAM::Role'
  AND configuration.attachedManagedPolicies.policyName = 'AdministratorAccess'

Note what this query does and does not cover. It matches on the policy name, so a customer-managed policy that happens to be named AdministratorAccess also matches; filtering on configuration.attachedManagedPolicies.policyArn = 'arn:aws:iam::aws:policy/AdministratorAccess' pins it to the AWS managed policy. It also looks only at directly attached managed policies: roles whose inline policies (configuration.rolePolicyList) or other managed policies grant equivalent permissions are not returned, so treat the result as one input to a privileged-access review rather than a complete inventory of administrative roles.

Multi-account Cross-search

By using a Config aggregator, you can aggregate resource configuration information from multiple AWS accounts, regions, and even the entire organization within AWS Organizations, allowing you to run queries across them from a central account.

The following blog post is very easy to understand:

https://dev.classmethod.jp/articles/advanced-queries-in-aws-config-to-find-resources-in-organizations/

Search Targets

The configuration information of various AWS resources supported by AWS Config is subject to search.
For example, you can retrieve detailed information regarding resource configurations, such as security group settings for EC2 instances, public access settings for S3 buckets, and trust policies for IAM roles.
The latest and complete list can be found in the following official documentation:

https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/resource-config-reference.html#supported-resource-types-advanced-queries
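To close the gap between "has AdministratorAccess attached" and "is effectively an administrator", the following added example (not code from the original post) selects every IAM role from a Config aggregator and classifies the results client-side, flagging both the AWS-managed AdministratorAccess policy (matched by ARN rather than name) and inline policies that allow every action on every resource. It assumes that AGGREGATOR_NAME is a placeholder for your aggregator, that Config stores inline policy documents URL-encoded as the IAM API does (the parser accepts plain JSON too), and that SAMPLE_ROWS are constructed in the shape of the Results[] strings returned by SelectAggregateResourceConfig, not real Config output.

```python
"""Find IAM roles with administrator-level access across an AWS Config aggregator.

Added example, not code from the original post. AGGREGATOR_NAME is a placeholder and
SAMPLE_ROWS are constructed, not real Config output.
"""
import json
from urllib.parse import quote, unquote

AGGREGATOR_NAME = "org-aggregator"  # placeholder: the name of your aggregator
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Select every role; classification happens client-side so inline policies are covered too.
ROLE_QUERY = """
SELECT
  accountId,
  awsRegion,
  configuration.roleName,
  configuration.attachedManagedPolicies,
  configuration.rolePolicyList
WHERE
  resourceType = 'AWS::IAM::Role'
"""


def parse_policy_document(doc):
    """Config stores IAM policy documents URL-encoded (assumption, as the IAM API returns
    them); also accept an already-decoded JSON string or a dict."""
    if isinstance(doc, dict):
        return doc
    try:
        return json.loads(doc)
    except ValueError:
        return json.loads(unquote(doc))


def as_list(value):
    """IAM allows Statement/Action/Resource to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_full_admin(stmt):
    """True for an Allow statement that grants every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    return "*" in as_list(stmt.get("Action")) and "*" in as_list(stmt.get("Resource"))


def classify_role(row):
    """Return the reasons one result row counts as administrative (empty list if none)."""
    conf = row.get("configuration", {})
    reasons = []
    for policy in as_list(conf.get("attachedManagedPolicies")):
        if policy.get("policyArn") == ADMIN_POLICY_ARN:  # by ARN, not by name
            reasons.append("attached:AdministratorAccess")
    for policy in as_list(conf.get("rolePolicyList")):
        doc = parse_policy_document(policy.get("policyDocument", "{}"))
        if any(statement_is_full_admin(s) for s in as_list(doc.get("Statement"))):
            reasons.append(f"inline:{policy.get('policyName')}")
    return reasons


def find_admin_roles(result_rows):
    """result_rows: the JSON strings from Results[] of select_aggregate_resource_config."""
    findings = []
    for raw in result_rows:
        row = json.loads(raw)
        reasons = classify_role(row)
        if reasons:
            findings.append({"accountId": row["accountId"],
                             "roleName": row["configuration"]["roleName"],
                             "reasons": reasons})
    return findings


def query_aggregator(aggregator_name=AGGREGATOR_NAME, expression=ROLE_QUERY):
    """Page through select_aggregate_resource_config (Limit is capped at 100 per call).
    boto3 is imported lazily because this needs credentials and network access."""
    import boto3
    config = boto3.client("config")
    rows, token = [], None
    while True:
        kwargs = {"Expression": expression, "ConfigurationAggregatorName": aggregator_name, "Limit": 100}
        if token:
            kwargs["NextToken"] = token
        resp = config.select_aggregate_resource_config(**kwargs)
        rows.extend(resp.get("Results", []))
        token = resp.get("NextToken")
        if not token:
            return rows


# Constructed sample rows (not real Config output), one JSON string per role as the API returns them.
INLINE_ADMIN_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
INLINE_SCOPED_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}
SAMPLE_ROWS = [
    json.dumps({"accountId": "111111111111", "awsRegion": "global", "configuration": {
        "roleName": "OrgAdmin", "rolePolicyList": [],
        "attachedManagedPolicies": [{"policyName": "AdministratorAccess", "policyArn": ADMIN_POLICY_ARN}]}}),
    json.dumps({"accountId": "222222222222", "awsRegion": "global", "configuration": {
        "roleName": "LegacyDeploy", "attachedManagedPolicies": [],
        "rolePolicyList": [{"policyName": "full", "policyDocument": quote(json.dumps(INLINE_ADMIN_DOC))}]}}),
    json.dumps({"accountId": "222222222222", "awsRegion": "global", "configuration": {
        "roleName": "ReadOnlyReporter",
        "attachedManagedPolicies": [{"policyName": "ReadOnlyAccess", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
        "rolePolicyList": [{"policyName": "s3read", "policyDocument": json.dumps(INLINE_SCOPED_DOC)}]}}),
]

if __name__ == "__main__":
    for finding in find_admin_roles(SAMPLE_ROWS):  # use find_admin_roles(query_aggregator()) for live data
        print(finding)
```

Selecting all roles and filtering locally costs a few more pages of results than the name-matching query on the page, but it is the only way to see inline policies, and the same classify_role function can be extended to other patterns (for example, an inline policy with iam:* on *) without touching the query.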

4. Amazon Q Developer

Amazon Q Developer is an AI assistant designed to help developers ask questions about AWS, generate code, and perform troubleshooting. As part of its features, it can also perform AWS resource searches.

Multi-account Cross-search

This is not possible with the version of Amazon Q Developer built into the Management Console, as it is confined to each individual account.
With the Amazon Q Developer CLI, it might be possible depending on how the credentials are configured.

If you know of a way to achieve this, I would love to hear about it!

Search Targets

There was no precise documentation for the resource search functionality of Amazon Q Developer, but it likely depends on the Cloud Control API (and AWS Resource Explorer if enabled). Therefore, any resource that can be referenced via the Cloud Control API is likely searchable.

https://docs.aws.amazon.com/ja_jp/cloudcontrolapi/latest/userguide/supported-resources.html

Summary

There are many ways to search for resources in an AWS environment, and each service has its own areas of expertise.

By using these tools appropriately, you can significantly improve the efficiency of resource management in your AWS environment.
Please select and utilize the best tool according to your specific use case.

I hope this article is helpful to someone.
