An open source guidance tool for AWS environments.

Service Screener is an open source tool that runs automated checks on AWS environments and provide recommendations based on the AWS Well Architected Framework.

AWS customers can use this tool on their own environments and use the recommendations to improve the Security, Reliability, Operational Excellence, Performance Efficiency and Cost Optimisation of their workloads.

This tool aims to complement the AWS Well Architected Tool.

Service Screener uses AWS Cloudshell, a free serivce that provides a browser-based shell to run scripts using the AWS CLI. It runs multiple describe and get API calls to determine the configuration of your environment.

Running this tool is free as it is covered under the AWS Free Tier. If you have exceeded the free tier limits, each run will cost less than $0.01.

1. Please review the DISCLAIMER before proceeding.
2. You must have an existing AWS Account.
3. You must have an IAM User with sufficient read permissions. Here is a sample policy. Additionally, The IAM User must also have full access to AWS CloudShell i.e. AWSCloudShellFullAccess.
4. (Optional) You can create an S3 bucket to store Service Screener findings.
   • If you do not have sufficient permissions attached to your IAM User, you can create a new IAM Policy in the IAM console by copying the policy below into the policy editor and attaching it to your IAM user.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Action": [
                   "s3:CreateBucket",
                   "s3:ListAllMyBuckets",
                   "s3:ListBucket",
                   "s3:GetObject",
                   "s3:PutObject",
                   "s3:GetObjectAcl",
                   "s3:PutObjectAcl"
               ],
               "Resource": "arn:aws:s3:::<sample_bucket>/*"
           }
       ]
   }
   

1. Log in to your AWS account using the IAM User with sufficient permissions described above.
2. Launch AWS CloudShell in any region.

In the AWS CloudShell terminal, run this script this to install the dependencies:

rm -rf service-screener
git clone https://github.com/aws-samples/service-screener.git
cd service-screener 

source install.sh

When running Service Screener, you will need to specify the regions and services you would like it to run on. It currently supports Amazon EC2, Amazon RDS, AWS IAM, Amazon Opensearch, AWS Lambda, Amazon EKS and Amazon S3.

We recommend running it in all regions where you have deployed workloads in. Adjust the code samples below to suit your needs then copy and paste it into Cloudshell to run Service Screener.

Example 1: Running in the Singapore region, checking all services

screener --region ap-southeast-1 

Example 2: Running in the Singapore region, checking only Amazon S3

screener --region ap-southeast-1 --services s3

Example 3: Running in the Singapore & North Virginia regions, checking all services

screener --region ap-southeast-1,us-east-1

Example 4: Running in the Singapore & North Virginia regions, checking RDS and IAM

screener --region ap-southeast-1,us-east-1 --services rds,iam

Example 5: Running in the Singapore regions, by filtered resources based on tags (e.g: Name=env Values=prod and Name=department Values=hr,coe)

screener --region ap-southeast-1 --filters env=prod%department=hr,coe

Example 6: Running in all regions, and all services

screener --region ALL

Example 7: Running in the Singapore & North Virginia regions, checking RDS and IAM, and uploading the result to an S3 bucket with static website hosting enabled

screener --region ap-southeast-1,us-east-1 --services rds,iam --bucket service-screener-<YOUR_ACCOUNT_ID>

##mode
--mode api-full | api-raw | report

# api-full: give full results in JSON format
# api-raw: raw findings
# report: generate default web html

The output is generated as an output.zip file. You can download the file in the CloudShell console by clicking the Download file button under the Actions menu on the top right of the Cloudshell console.

Once downloaded, unzip the file and open 'index.html' in your browser. You should see a page like this:

Ensure that you can see the service(s) run on listed on the left pane. You can navigate to the service(s) listed to see detailed findings on each service.

The report provides you an easy-to-navigate dashboard of the various best-practice checks that were run.

Use the left navigation bar to explore the checks per service. You can then expand on each check to read a description of the check, find out which resources were highlighted, and read a recommendation on how to remediate the finding.

We encourage public contributions! Please review CONTRIBUTING for details on our code of conduct and development process.

Please review CONTRIBUTING to raise any issues.

See CONTRIBUTING for more information.

This project is licensed under the Apache-2.0 License.