Here is a list of tools that make life easier when working with AWS.
It’s forever a work in progress.
Unless otherwise stated, the tool works with AWS directly in some way. Some of the tools are for supporting services such as external identity providers or continuous integration services.
Things I use and recommend
- AWS CLI version 2. I call this out separately from V1 because it’s unfortunately a different installation experience and more difficult to keep updated. There is an ongoing debate on the Github project about how to resolve this. It’s worth installing it just for the built-in SSO login support.
- aws-gate simplifies the use of Session Manager to connect over SSH to resources in your VPC without opening any public access to your network. All the access is proxied through AWS APIs and controlled with IAM permissions. I added the aws-gate ssh -L option to make it easy to establish a tunnel to other VPC resources with zero client-side configuration.
- saml2aws automates the single-sign-on process for various third-party SSO providers. I can vouch for its utility in integrating JumpCloud. I improved the JumpCloud experience by making it fail correctly when a 401 response does not prompt for MFA.
- AWS SAM CLI is the best way to deploy CloudFormation stacks, even if you don’t use any of the SAM syntax. The “deploy” command is used instead of the standard CLI’s create-stack and update-stack commands and provides a synchronous experience. The command paints status updates on your resources until the final state of the stack is known. You no longer need to check the CloudFormation console or poll the stack status to know whether your stack deployed properly.
- jccli. A command line client used to administrate the hosted JumpCloud identity provider service. If you need to list users and groups, it might be faster to use this than clicking through the JumpCloud console.
- Pipelines. A local pipeline runner for Bitbucket Pipelines. Need to test the setup of a CloudFormation stack from scratch in a pipeline? That can consume several of your precious build minutes. Save them by running the pipeline locally before committing wasteful errors.
- clustergit is great for making sure all your git repos are synced to the remotes. You just run clustergit in the parent folder and you get a status report for each repo to show you what you still have to commit. Then it can push everything up in parallel.
- crudini - AWS CLI config files are written in INI file format, so you can use crudini to script changes to them or actions based on them.
- awsls is a simpler way to list the resources of a certain type in an AWS account. Now you don’t have to look up the API call for listing for each resource type, because this tool knows how to do it for you.
- AWS Config Rules Repository contains the conformance pack templates that you can see in the AWS Config console. You can’t deploy to an organization using the console; you need to use the CLI. So you should clone this repo and pass the local path of your chosen conformance pack template to the
- AWS Service Matrix shows which services are available in which regions in a relatively easy to read format. Surprisingly few services are available everywhere.
- MAMIP (Monitor AWS Managed IAM Policies) automates the retrieval of new AWS Managed IAM Policies, making it easier to monitor and get alerted when changes occur using the “Watch” feature of GitHub or the Twitter account.
- AWS Config Resource Schema property files define the properties and types of the AWS Config resource configuration items (CIs) that are searchable using the SelectResources API. You’ll need to consult this to use AWS Config’s advanced SQL queries.
Things I haven’t tried yet
- Bees with Machine Guns
- Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
- https://github.com/jckuester/awsweeper, by the author of awsls, for cleaning out an AWS account.
- See also the Terraform Tools list.
- See CloudSecList docs for an example of using mkdocs to build a wiki-style website. I’d like my site to look more like that.
- aws-allowlister automatically compiles an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
- aws_public_ips is a tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account.
- cloudlist is a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers.
- iamlive generates a basic IAM policy from AWS client-side monitoring (CSM)
- mega-linter is a 100% open-source tool for CI/CD workflows that analyzes the consistency and quality of different languages and formats.
How to passively discover AWS tools
Subscribe to Corey Quinn’s Last Week in AWS. He shares interesting tools at the end of every newsletter.
Watch Donne Martin’s Awesome AWS repo. It’s basically a community-maintained, all-encompassing version of this page. I don’t intend this page to replicate the breadth of Donne’s list.