Do we have a list of our AWS accounts?

Omer Singer
2 min read · Nov 28, 2018


If cloud security had a catchphrase, it might be this: you can’t protect what you don’t know about. For Snowflake’s security team, knowing what we need to protect used to mean maintaining a wiki page with a list of AWS accounts. As our cloud environment grew, that list would lag behind changes to the environment, and the parts of our infrastructure that change most tend to be the most at risk.

Having our list of AWS accounts automatically updated would make it a reliable source for knowing at a high level what we’re trying to protect. Having this list in a database would also enable correlations such as:

  • Detecting a cloud account that is not shipping activity logs
  • Generating an up-to-date list of servers in each account
  • Alerting on S3 bucket access by users belonging to accounts that we don’t own

Automatically listing and recording each of our account IDs is straightforward because the company organizes AWS accounts under a single AWS organization. Using the Organizations API and a Lambda function, we fetch a list of our accounts on a daily schedule and insert it into our inventory database.
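The collection step and two of the correlations listed above, as an added example that is not part of the original post or of the SnowAlert project. It assumes boto3's Organizations client (whose `list_accounts` paginator the real call would use), stands in a constructed fake client with made-up account IDs so it runs offline, and uses sqlite3 in place of the inventory database; the CloudTrail rows are constructed as well, with the caller's account and the recipient account kept as separate columns so cross-account S3 access can be spotted.

```python
import sqlite3


def list_org_accounts(org_client):
    """Page through Organizations ListAccounts and return normalized rows.

    `org_client` only needs get_paginator("list_accounts"), which boto3's
    organizations client provides, so the same function works against AWS."""
    paginator = org_client.get_paginator("list_accounts")
    return [
        {"account_id": a["Id"], "name": a["Name"],
         "email": a["Email"], "status": a["Status"]}
        for page in paginator.paginate()
        for a in page["Accounts"]
    ]


def store_inventory(conn, snapshot_at, rows):
    """Append one dated snapshot of the account list (sqlite3 stands in for
    the inventory database, so old snapshots stay queryable)."""
    conn.execute("""CREATE TABLE IF NOT EXISTS aws_accounts (
        snapshot_at TEXT, account_id TEXT, name TEXT, email TEXT, status TEXT)""")
    conn.executemany(
        "INSERT INTO aws_accounts VALUES (?, ?, ?, ?, ?)",
        [(snapshot_at, r["account_id"], r["name"], r["email"], r["status"])
         for r in rows])
    conn.commit()


def accounts_without_logs(conn, snapshot_at, since):
    """Active accounts in the snapshot with no CloudTrail events since
    `since`: candidates for a broken or never-configured trail."""
    cur = conn.execute("""
        SELECT a.account_id FROM aws_accounts a
        WHERE a.snapshot_at = ? AND a.status = 'ACTIVE'
          AND NOT EXISTS (
            SELECT 1 FROM cloudtrail_events e
            WHERE e.recipient_account_id = a.account_id AND e.event_time >= ?)
        ORDER BY a.account_id""", (snapshot_at, since))
    return [row[0] for row in cur]


def foreign_s3_access(conn, snapshot_at):
    """S3 events in our accounts whose caller belongs to an account that is
    not in the inventory snapshot, i.e. one we do not own."""
    cur = conn.execute("""
        SELECT e.caller_account_id, e.recipient_account_id, e.event_name
        FROM cloudtrail_events e
        WHERE e.event_source = 's3.amazonaws.com'
          AND e.caller_account_id NOT IN (
            SELECT account_id FROM aws_accounts WHERE snapshot_at = ?)
        ORDER BY e.event_time""", (snapshot_at,))
    return cur.fetchall()


class FakeOrgClient:
    """Constructed stand-in for boto3.client("organizations"); account IDs
    are made up. Two pages mimic a paginated ListAccounts response."""
    _PAGES = [
        {"Accounts": [
            {"Id": "111111111111", "Name": "prod", "Email": "prod@example.com", "Status": "ACTIVE"},
            {"Id": "222222222222", "Name": "dev", "Email": "dev@example.com", "Status": "ACTIVE"},
        ]},
        {"Accounts": [
            {"Id": "333333333333", "Name": "old-lab", "Email": "lab@example.com", "Status": "SUSPENDED"},
        ]},
    ]

    def get_paginator(self, operation_name):
        assert operation_name == "list_accounts"
        pages = self._PAGES

        class _Paginator:
            def paginate(self):
                return iter(pages)
        return _Paginator()


def run_demo():
    """Build the inventory from the fake client, load constructed CloudTrail
    rows, and run both correlations."""
    conn = sqlite3.connect(":memory:")
    snapshot = "2018-11-28"
    store_inventory(conn, snapshot, list_org_accounts(FakeOrgClient()))
    conn.execute("""CREATE TABLE cloudtrail_events (event_time TEXT,
        event_source TEXT, event_name TEXT, caller_account_id TEXT,
        recipient_account_id TEXT)""")
    conn.executemany("INSERT INTO cloudtrail_events VALUES (?, ?, ?, ?, ?)", [
        # prod is logging normally
        ("2018-11-28T01:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "111111111111", "111111111111"),
        # an account outside the organization read from a prod bucket
        ("2018-11-28T02:00:00Z", "s3.amazonaws.com", "GetObject", "999999999999", "111111111111"),
        # cross-account access from dev to prod: both ours, not flagged
        ("2018-11-28T03:00:00Z", "s3.amazonaws.com", "GetObject", "222222222222", "111111111111"),
        # dev itself has shipped nothing as a recipient account
    ])
    return {
        "missing_logs": accounts_without_logs(conn, snapshot, "2018-11-27T00:00:00Z"),
        "foreign_s3": foreign_s3_access(conn, snapshot),
    }


if __name__ == "__main__":
    print(run_demo())
```

The snapshot date is part of the key so that each daily run appends rather than overwrites; the correlations always join against a specific snapshot, which keeps an account that was removed from the organization from silently disappearing from "accounts that stopped logging" checks. Suspended accounts are excluded from the missing-logs check on purpose, since they are expected to go quiet.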

[Image: List of AWS Accounts in Snowflake]

The short script we use for querying the Organizations API is available as part of our SnowAlert project on GitHub. Once you have your reliable and queryable list of accounts, you’ll have a better picture of what you need to protect and you’ll think of a dozen different ways that this data can help your team day to day.

Written by Omer Singer

I believe that better data is the key to better security. These are personal posts that don’t represent Snowflake.