Running Custom Scripts on Windows WSL for AWS Resource Inventory: Addressing AWS SecurityAudit Policy Restrictions
This article shares the process of running a custom script to perform specific asset inventory checks in an AWS subscription account under the IAM Managed Policy — SecurityAudit.
Traditional Chinese version of this article: 在 Windows 安裝WSL 執行Scirpt 以進行 AWS 資源盤點:解決 AWS SecurityAudit Policy限制
Objective
The objective is to inventory specific AWS resources within a subscription account, including EC2, ECS, EKS, and RDS. The user account is restricted by AWS’s SecurityAudit policy, and the computer operating environment is Windows.
Under severe constraints and a demanding environment, I could not execute from the cloud’s highest administrative account, nor did I have elevated privileges for the regular subscription accounts. Without the necessary management tools and with a limited workforce, we faced the challenge of extracting specific asset statistics from many subscriptions within a tight timeframe.
Note that information can only be checked one account at a time; nothing can be done from a higher-level admin account.
The initial script, designed to run on PowerShell in Windows, encountered some issues. So, the decision was made to switch to Ubuntu, and this article documents the steps to complete the script execution.
Reference Documents
WSL
AWS CLI
My Script
Installing WSL
To install WSL, open PowerShell and run:
wsl --install
After installation, a restart is required. For WSL setup details, refer to the official documentation.
Using Ubuntu in WSL (Windows Subsystem for Linux Mode)
1. Install the JSON processing package, jq:
jq is a lightweight and flexible command-line JSON processor.
sudo apt install jq
2. Copy the script to the Ubuntu environment under WSL:
\\wsl.localhost\Ubuntu\home\[XXX]
Script (GitHub): AWS-Resource-Count-Script-SecurityAudit-Limited
3. Modify the script permissions:
chmod +x [yourfile].sh
4. Install the AWS CLI (version 2):
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
sudo apt install unzip
unzip awscliv2.zip
sudo ./aws/install
Running the Script
Credentials for the subscription account can be supplied either as environment variables or through an AWS configuration file; this article demonstrates environment variables. The Access Key and secret placeholders in this example are taken from the official documentation:
export AWS_ACCESS_KEY_ID=your-access-key
export AWS_SECRET_ACCESS_KEY=your-secret-key
export AWS_DEFAULT_REGION=your-region
Because the SecurityAudit permissions do not allow access to all Regions or to CloudShell, I use a script to retrieve the information, with the Regions specified manually. I’ve also provided a separate script that lists the Regions enabled in the current account.
⚠ Security Warning: Storing Access Keys in plain text locally is a security risk. For production use, consider using AWS IAM roles and temporary credentials or IAM roles for EC2 if running within an EC2 instance. Avoid hard-coding sensitive information.
When using IAM roles, also follow the Principle of Least Privilege so that each role has only the permissions its task requires.
For external applications or services that need access to AWS resources, generating temporary credentials with AWS STS (Security Token Service) is the more secure option.
Confirm the correct identity:
aws sts get-caller-identity
Execute the Script
Run the script in your WSL environment (Ubuntu):
./[yourscript].sh
Finally, the script displays the summarized inventory results.
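As an added example that is not the author's script from the repository above, the following bash script implements the same workflow: it counts EC2 instances, ECS and EKS clusters and RDS instances across a manually specified list of Regions using only read-only describe/list calls, tallies denied or unavailable calls separately instead of reporting them as zero, and includes the enabled-Region listing mentioned earlier. The default REGIONS list and the RUN_INVENTORY switch are assumptions, not part of the original page.

```shell
#!/usr/bin/env bash
# Added example, not the article's own GitHub script: per-region counts of EC2
# instances, ECS/EKS clusters and RDS instances via read-only AWS CLI calls.
set -u

# Regions are listed manually, as in the article; "auto" uses enabled_regions.
# The default list here is a constructed placeholder.
REGIONS="${REGIONS:-us-east-1 ap-northeast-1}"

# Regions enabled for the current account (ec2:DescribeRegions is read-only).
enabled_regions() {
  aws ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Run one read-only call and print its count; print ERR when the call is
# denied, the service is unavailable in that region, or the CLI is missing.
count_or_err() {
  local out
  out=$(aws "$@" --output text 2>/dev/null) || out="ERR"
  printf '%s\n' "${out:-0}"
}

# Emit one line per service: "<region> <service> <count|ERR>".
inventory_region() {
  local r="$1"
  printf '%s ec2 %s\n' "$r" "$(count_or_err ec2 describe-instances --region "$r" --query 'length(Reservations[].Instances[])')"
  printf '%s ecs %s\n' "$r" "$(count_or_err ecs list-clusters --region "$r" --query 'length(clusterArns)')"
  printf '%s eks %s\n' "$r" "$(count_or_err eks list-clusters --region "$r" --query 'length(clusters)')"
  printf '%s rds %s\n' "$r" "$(count_or_err rds describe-db-instances --region "$r" --query 'length(DBInstances)')"
}

# Sum counts per service from "<region> <service> <count|ERR>" lines on stdin.
# ERR rows are tallied separately so a denied region is never reported as 0.
summarize() {
  awk '$3 == "ERR" { err[$2]++; next }
       { total[$2] += $3 }
       END { for (s in total) printf "%s %d\n", s, total[s]
             for (s in err)   printf "%s_err %d\n", s, err[s] }' | sort
}

main() {
  [ "$REGIONS" = "auto" ] && REGIONS=$(enabled_regions)
  echo "Account: $(aws sts get-caller-identity --query Account --output text)"
  for r in $REGIONS; do inventory_region "$r"; done | summarize
}

# Run only when RUN_INVENTORY=1 is set, so sourcing the file is side-effect free.
if [ "${RUN_INVENTORY:-0}" = "1" ]; then main; fi
```

Any service that returns an `_err` row for a Region should be re-checked by hand before the totals are reported, since a denied call means the count for that Region is unknown rather than zero.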
For source code security, I scanned the script with Amazon CodeGuru Security, which is now available for free. No findings were detected.
About Kuro
I’m excited to share my experiences and create educational content that inspires a community of knowledge-sharing! My hope is that others feel encouraged to write and share their own insights too. If you’re self-studying and have any questions about exam applications or preparation, don’t hesitate to contact me on LinkedIn or Facebook! I’m here to help as much as I can. Also, if you’d like to grab a coffee and chat, I’d love to connect with others in the industry — I’ve already had lots of fantastic conversations! Let’s inspire each other!
For more about me, my contact information, and to see all my posts (I recommend this link for a more comprehensive view):
- Kuro Introduction & Contact: https://portaly.cc/kurohuang
- Instagram: https://www.instagram.com/kuronetwork/
- Threads: https://www.threads.net/@kuronetwork
- Other Contact Methods: https://kuronetwork.me/contact/
- LinkedIn: https://www.linkedin.com/in/kurohuang/
- All Articles: https://kuronetwork.me/posts/
- About Me: https://kuronetwork.me/about/