AWS Resource Syncing
ConsoleMe learns about the bulk of your AWS resources from AWS Config, but will also attempt to sync IAM roles, SQS queues, SNS topics, and S3 buckets from their respective APIs. If you haven't enabled AWS Config yet, learn how to set it up here. Also, keep in mind that AWS Config is not free. Carefully decide which resource types to record.
Prerequisite
Ensure that you've created identically named roles on each of your accounts (Spoke Roles) for ConsoleMe to assume, and that you've allowed the role ConsoleMe is using (Central Account role) to assume those roles. This spoke role should also exist on the account ConsoleMe is on.
The example configuration below is a powerful one. It tells ConsoleMe which role it should assume on each of your spoke accounts before performing certain actions, such as querying AWS Config or updating policies for resources on the spoke account:
ConsoleMe's Celery Tasks do the bulk of the resource syncing. The Docker-Compose flow defined in the Quick Start guide starts a Celery container, with a worker and a scheduler that will attempt to cache your resources with your existing AWS credentials when run.
If you only need to manage a subset of roles, you can limit the roles that will be displayed in the /policies page. You can limit the roles by referencing the tags on the roles and adding them to this configuration in ConsoleMe:
Note that all tag keys and values must match for a role to be allowed.
You can also allow roles based on a list of tag keys. The role will be allowed if any of the tag keys exists on it.
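The two tag rules above, as an added Python example that is not ConsoleMe's own code: it previews which roles a tag filter would show, so a filter can be checked before it hides roles you expected to manage. The function names, the sample roles and the handling of an empty or combined filter are assumptions.

```python
from typing import Dict, Iterable, List, Optional, Tuple

Tag = Dict[str, str]  # IAM API tag shape: {"Key": "...", "Value": "..."}

def tags_to_dict(role_tags: Optional[Iterable[Tag]]) -> Dict[str, str]:
    """Flatten the IAM tag list into {key: value}; a role may carry no tags."""
    return {t["Key"]: t["Value"] for t in (role_tags or [])}

def matches_all_tags(role_tags, allowed_tags: Dict[str, str]) -> bool:
    """Every configured key AND its value must be present (case-sensitive)."""
    return bool(allowed_tags) and allowed_tags.items() <= tags_to_dict(role_tags).items()

def has_any_tag_key(role_tags, allowed_tag_keys: List[str]) -> bool:
    """One configured key on the role is enough; its value is ignored."""
    actual = tags_to_dict(role_tags)
    return any(key in actual for key in allowed_tag_keys)

def preview(roles, allowed_tags=None, allowed_tag_keys=None) -> Tuple[List[str], List[str]]:
    """Split roles into (shown, hidden) ARNs for a candidate filter."""
    allowed_tags = allowed_tags or {}
    allowed_tag_keys = allowed_tag_keys or []
    shown, hidden = [], []
    for role in roles:
        tags = role.get("Tags")
        # Assumption: with no filter every role is shown, and when both
        # filters are set a role that passes either one is shown.
        ok = (
            (not allowed_tags and not allowed_tag_keys)
            or matches_all_tags(tags, allowed_tags)
            or has_any_tag_key(tags, allowed_tag_keys)
        )
        (shown if ok else hidden).append(role["Arn"])
    return shown, hidden

# Constructed sample roles (account ID, names and tags are made up).
ACCT = "arn:aws:iam::111111111111:role/"
SAMPLE_ROLES = [
    {"Arn": ACCT + "app-prod",
     "Tags": [{"Key": "owner", "Value": "team-a"}, {"Key": "env", "Value": "prod"}]},
    {"Arn": ACCT + "app-dev",
     "Tags": [{"Key": "owner", "Value": "team-a"}, {"Key": "env", "Value": "dev"}]},
    {"Arn": ACCT + "legacy", "Tags": []},
    {"Arn": ACCT + "untagged"},  # no "Tags" field at all
]

if __name__ == "__main__":
    print(preview(SAMPLE_ROLES, allowed_tags={"owner": "team-a", "env": "prod"}))
    print(preview(SAMPLE_ROLES, allowed_tag_keys=["env", "managed-by"]))
```

In the first call `app-dev` is hidden even though its `owner` tag matches, because its `env` value does not.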
Alternatively, you can provide an explicit list of roles you want managed by ConsoleMe by adding this configuration:
By default, all policy types are presented on the /policies page. However, you can opt out of caching and presenting policy types using this configuration: