At AWS, our customer obsession drives us to leave no stone unturned in helping our customers achieve success. Therefore, when a customer finds an interesting way to create valuable functionality using a combination of AWS services, we want to let our other customers know about it so they can also reap the benefits. A great example that we’d like to share is Snap, Inc. creating a cross-account Support case dashboard using the AWS Support API, CloudTrail, Lambda, CloudFormation, and DyanmoDB. This is a great example of what is possible with the Support API and other tools that AWS provides. The cross-account case dashboard allows Snap to see case details across multiple accounts in a single location.
AWS customers open Support cases in order to fix issues, get more information on AWS services and how they can fit into customer solutions, get architecture guidance as they plan applications, and more. For Business and Enterprise Support customers, an unlimited number of users can open an unlimited number of cases. As such, any given customer could have dozens or even hundreds of support cases open at any given time. And that customer may have opened thousands of support cases over the years.
For customers, it can be valuable to have a centralized view of all the cases opened across all of its users. This makes it easier to reference past cases that may be relevant to current questions or issues, to share learnings across cases with others in the organization and improve productivity. Snap found the cross-account insight especially useful as a single dashboard where developers can easily search and discover insights that can be shared across the organization.
For other customers interested in creating a centralized view of Support cases in a multi-account environment, here is how Snap created their own dashboard using a combination of AWS Support API, CloudTrail, Lambda, CloudFormation, IAM, and DynamoDB.
Of course, some initial assembly was required. In order to be able to describe support cases, Snap first created a “GetSupportInfoRole” IAM role within the account with the right permissions. They then granted the ability to assume this IAM role to a central “SupportAggregator” role. Snap also ensured that Enterprise Support was enabled in every account, which is a requirement for advanced support API calls.
Once these prerequisites were fulfilled, Snap launched a CloudFormation stack to create the rest of the pipeline: a “GetSupportInfoRole” IAM role, a central S3 bucket, Lambdas, SNS topics, and a DynamoDB table to store the results. Finally, to react to Support case CloudTrail events, Snap created a multi-region CloudTrail trail in every account in their AWS Organization, and had them all deposit their CloudTrail events to the previously created central S3 bucket. AWS CloudTrail organization trails make setting up these CloudTrails a simple, 5 minute affair.
Snap has shared a sample CloudFormation template that would make this a repeatable process, especially when paired with AWS CloudTrail organization trails. The CloudFormation stack deploys two Lambda functions, which don’t rely on any Snap internal libraries. Check it out here.
Increasingly, customers that manage many accounts for their organization have requested features to manage multi-account management. AWS Support will be implementing these features for customers that make use of AWS Organizations in 2020. Is centralized management of multi-account support cases a challenge you face? Is this centralized dashboard something you think you will get value out of and build for yourself? If so, please comment in the comments section below or create a Github issue here.
About the Authors
Shrikant is a security engineer at Snap Inc on the Infrastructure Security team. He is passionate about cloud security monitoring, cross cloud access patterns and Kubernetes security. He presented at AWS re:Invent 2018 on ‘How Snap Accomplishes Centralized Security and Configuration Governance on AWS. Shrikant can be reached here.
Roger is a software engineer at Snap Inc on the Infrastructure Security team. He is an AWS Certified Solutions Architect – Associate.
He enjoys building platforms for cloud resource monitoring and governance, as well as authentication services. Roger can be reached here.
from AWS Management Tools Blog