by John Lukach
EC2 Global View works for a single AWS account, but AWS Systems Manager Quick Setup can provide an Organization EC2 Inventory. Start by defining a home AWS region in the management account; it cannot be changed once chosen.
Create a Systems Manager Quick Setup by choosing the Host Management configuration type and clicking Next.
For the primary goal of building an Organization EC2 Inventory, no configuration options need to be selected initially in order to use Systems Manager Explorer as the centralized UI.
A good inventory requires targeting all accounts and regions in the organization.
If you decide to use the Amazon CloudWatch or Systems Manager Agents, this step provides an easy way to grant the necessary IAM permissions. I would recommend using VPC Endpoints to protect access to the EC2 and SSM endpoints.
Click Create and let the process run; it will take some time depending on the selected options and the number of accounts and regions enabled.
The last item to configure in the management account is the delegation of administration for Systems Manager Explorer, under Settings.
The Systems Manager Explorer delegated administrator account needs a resource data sync configured to collect the Organization EC2 Inventory; be patient, as the initial collection takes time.
Success!! Searching by tags requires the reporting tags to be configured in each account and region, with a limit of 5, unfortunately.
The aqueduct script makes it easy to push the command-line configuration to all accounts and regions, using SSO for authentication and authorization. Remember that not all regions in this example support all services; Osaka (ap-northeast-3) is one such region.
aws ssm update-service-setting --setting-id '/ssm/opsitem/resourceTags' --setting-value "[\"Name\",\"aws:cloudformation:stack-name\"]"
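As an added example that is not part of the original post or the aqueduct script, the following POSIX shell script pushes the same reporting-tag setting to every active account and enabled region of the organization, enforcing the five-tag limit and skipping regions where the call fails (such as ap-northeast-3). It assumes AWS CLI v2 credentials for the delegated administrator and a hypothetical role named OrgInventoryAdmin that is assumable in every member account.

```sh
#!/bin/sh
# Added example, not from the original post: push the Explorer reporting-tag
# setting shown above to every active account and enabled region. Assumes AWS CLI
# v2 credentials for the delegated administrator and a role OrgInventoryAdmin
# (hypothetical name) that is assumable in every member account.
# Build the JSON array for --setting-value from up to five tag keys; returns 1
# when more than five keys are passed (the Explorer limit noted above).
build_tag_setting() {
  count=0
  json='['
  for key in "$@"; do
    count=$((count + 1))
    [ "$count" -gt 5 ] && return 1
    [ "$count" -gt 1 ] && json="$json,"
    json="$json\"$key\""
  done
  printf '%s]' "$json"
}
# One account: assume the role, then loop over the regions it has enabled. Regions
# without the service (e.g. ap-northeast-3) fail the call; log and carry on.
push_tag_setting_to_account() {
  account=$1 role=$2 setting=$3
  creds=$(aws sts assume-role --role-arn "arn:aws:iam::$account:role/$role" \
    --role-session-name explorer-tags \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text) ||
    { echo "skip $account: assume-role failed" >&2; return 0; }
  (  # subshell keeps the member-account credentials scoped to this account
    AWS_ACCESS_KEY_ID=$(printf '%s\n' "$creds" | cut -f1)
    AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$creds" | cut -f2)
    AWS_SESSION_TOKEN=$(printf '%s\n' "$creds" | cut -f3)
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
      if aws ssm update-service-setting --region "$region" \
           --setting-id '/ssm/opsitem/resourceTags' --setting-value "$setting" >/dev/null 2>&1
      then echo "$account $region: updated"
      else echo "$account $region: skipped (SSM unavailable or access denied)" >&2
      fi
    done
  )
}
# Entry point, e.g.: sh push-tags.sh Name aws:cloudformation:stack-name
main() {
  setting=$(build_tag_setting "$@") || { echo "at most 5 tag keys allowed" >&2; return 1; }
  for account in $(aws organizations list-accounts \
      --query 'Accounts[?Status==`ACTIVE`].Id' --output text); do
    push_tag_setting_to_account "$account" OrgInventoryAdmin "$setting"
  done
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from the delegated administrator with the tag keys as arguments; the skipped-region messages go to stderr so a clean stdout confirms which account/region pairs were updated.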