AWS Organizations Support Guide
IP-2-CloudResource supports searching for an IP address across all AWS accounts within a given organization. This page outlines how to use that functionality and how to set up your AWS accounts to take advantage of it.
The only requirement for IP2CR to be able to scan child accounts is the presence of a cross-account IAM role in each target account that allows read access to all the resources in scope.
To make the cross-account role easier to deploy, you can use the Terraform plans in the following repo. Apply them in each child account and they will create the policy and role for you.
https://github.com/magneticstain/tf-ip2cr-org-connector/
The IAM role can be named anything, but the name must remain the same in every account. To be able to scan all supported resources, the cross-account role requires the following permissions:
- cloudfront:ListDistributions
- ec2:DescribeInstances
- elasticloadbalancing:DescribeLoadBalancers
Example basic policy that can be used (written in Terraform `jsonencode` object syntax):

```hcl
{
  Version = "2012-10-17"
  Statement = [
    {
      Sid = ""
      Action = [
        "cloudfront:ListDistributions",
        "ec2:DescribeInstances",
        "elasticloadbalancing:DescribeLoadBalancers"
      ]
      Effect = "Allow"
      Resource = "*"
    },
  ]
}
```

The cross-account roles should be set up to trust whichever user or role is used to access the AWS Organizations parent (management) account, i.e. each role's trust policy must allow `sts:AssumeRole` from that principal. Additionally, that user or role requires the `organizations:ListAccounts` permission in order to fetch the list of child accounts.
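As an added example (not IP2CR's own code and not part of the Terraform repo above), the following preflight script checks the setup described in this section before you run a search: from the management account it lists the organization's active accounts, assumes the connector role in each child account, and exercises one API per required permission so that a missing role, a wrong trust policy or a missing action shows up per account. It assumes boto3 is installed, that the calling credentials have `organizations:ListAccounts`, and the role name `ip2cr-xaccount-connector` used in the CLI example on this page; the session name, the `Sid` and the `SAMPLE_LIST_ACCOUNTS_PAGES` data are constructed for illustration.

```python
"""Preflight check for IP2CR organization search (added example, not IP2CR's code).
Run from the AWS Organizations management account. Requires boto3 (assumption)."""
import json
import sys

ROLE_NAME = "ip2cr-xaccount-connector"   # must be identical in every account
ROLE_SESSION_NAME = "ip2cr-preflight"    # hypothetical session name

# The three read-only permissions listed on this page.
REQUIRED_ACTIONS = (
    "cloudfront:ListDistributions",
    "ec2:DescribeInstances",
    "elasticloadbalancing:DescribeLoadBalancers",
)

# Constructed sample of two organizations:ListAccounts pages, for offline use.
SAMPLE_LIST_ACCOUNTS_PAGES = [
    {"Accounts": [{"Id": "111111111111", "Status": "ACTIVE"},
                  {"Id": "222222222222", "Status": "SUSPENDED"}]},
    {"Accounts": [{"Id": "333333333333", "Status": "ACTIVE"}]},
]


def permissions_policy() -> dict:
    """The page's policy as a plain IAM JSON document (usable with put-role-policy)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "IP2CRReadOnly", "Effect": "Allow",
                           "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]}


def trust_policy(principal_arn: str) -> dict:
    """Trust policy letting the parent-account user/role assume the connector role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": principal_arn},
                           "Action": "sts:AssumeRole"}]}


def role_arn(account_id: str, role_name: str = ROLE_NAME) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def active_account_ids(pages) -> list:
    """Account IDs from ListAccounts pages; suspended/closed accounts are skipped."""
    return [a["Id"] for p in pages for a in p["Accounts"] if a["Status"] == "ACTIVE"]


def classify(error_code: str) -> str:
    """EC2 reports denials as UnauthorizedOperation, most other services as AccessDenied."""
    if error_code in ("AccessDenied", "AccessDeniedException", "UnauthorizedOperation"):
        return "missing-permission"
    return "other-error"


def check_account(sts, account_id: str, region: str) -> dict:
    """Assume the connector role and call one API per required action."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        creds = sts.assume_role(RoleArn=role_arn(account_id),
                                RoleSessionName=ROLE_SESSION_NAME)["Credentials"]
    except ClientError as e:   # role missing, or its trust policy rejects the caller
        return {"sts:AssumeRole": classify(e.response["Error"]["Code"])}
    s = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"], region_name=region)
    probes = {
        "cloudfront:ListDistributions": lambda: s.client("cloudfront").list_distributions(MaxItems="1"),
        "ec2:DescribeInstances": lambda: s.client("ec2").describe_instances(MaxResults=5),
        "elasticloadbalancing:DescribeLoadBalancers": lambda: s.client("elbv2").describe_load_balancers(PageSize=1),
    }
    results = {}
    for action, probe in probes.items():
        try:
            probe()
            results[action] = "ok"
        except ClientError as e:
            results[action] = classify(e.response["Error"]["Code"])
    return results


def main(region: str = "us-east-1") -> int:
    import boto3
    sts = boto3.client("sts")
    me = sts.get_caller_identity()["Account"]   # the management account has no connector role
    pages = boto3.client("organizations").get_paginator("list_accounts").paginate()
    failures = 0
    for account_id in active_account_ids(pages):
        if account_id == me:
            continue
        verdicts = check_account(sts, account_id, region)
        failures += any(v != "ok" for v in verdicts.values())
        print(account_id, json.dumps(verdicts))
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it as `python3 preflight.py us-east-1` with the management-account credentials you intend to give IP2CR; a non-zero exit means at least one child account will be skipped or fail during an organization search. Suspended accounts are filtered out deliberately because assuming a role in them always fails and would otherwise be reported as a misconfiguration.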
Once the cross-account role has been configured and the trust relationships set up, we're ready to use the feature. IP2CR accepts two CLI parameters for it: one to enable AWS Organizations search, and one to specify the name of the cross-account role IP2CR should assume in each child account (i.e., the role created in the previous section).
Example:

```shell
./ip2cr --ipaddr=1.2.3.4 --org-search --org-search-role-name=ip2cr-xaccount-connector
```