This is my presentation at AWS Community Day Vietnam 2025
Optimize AWS Costs Effectively with Service Screener
When using Amazon Web Services (AWS), cost control and optimization are among the top priorities for every individual and organization. Today I will introduce Service-Screener, a useful tool that helps us evaluate and improve the systems in our AWS environment.
Service-Screener is an open source tool from AWS that allows us to automatically scan our entire AWS environment. It will provide recommendations based on AWS best practices for Security, Reliability, Performance, and Cost Optimization.
Why use Screener?
Security: Detect potential security vulnerabilities and suboptimal configurations.
Reliability: Ensure systems are built to be stable and resilient.
Cost Optimization: Report on opportunities to reduce costs without compromising performance.
Operational Excellence: Improve operational processes and manage your AWS environment effectively.
Performance Efficiency: Ensure resources are used in the most efficient way.
Deploy screener for organization
I will leave the demo video below
Suppose there is an organization with many member companies, where each company is an AWS account that joins the same Organization. We will call the member accounts User Accounts and the organization's administrative account the Management Account.
The steps are as follows:
I. Create IAM Role
Create an IAM Role on each of the User Accounts and declare an External ID. Enter the ID of the administrator account (root). Finally, assign the role the "ReadOnlyAccess" permission and set RoleName to "ServiceScreenerAssumeRole" or any other value.
II. Create Stackset
On the Management Account, create a StackSet in CloudFormation with the External ID and RoleName values declared above.
I will leave the crossAccountRoleCF.yml file information here: "https://github.com/aws-samples/service-screener-v2/blob/main/usecases/crossAccounts/crossAccountRoleCF.yml"
III. Install Screener
Install Service-Screener on the Management Account:
cd /tmp
python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
python3 unzip_botocore_lambda_runtime.py
alias screener='python3 $(pwd)/main.py'
"https://github.com/aws-samples/service-screener-v2"
IV. Create configuration file
After completing the installation, create the configuration file that selects the accounts to scan.
python3 organizationAccountsInit.py
Enter the RoleName and ExternalID values as set above. If the role name has been set to the same value, press Enter to skip.
V. Scan
After completing the above steps, Screener will suggest a script to scan the selected accounts:
screener --region ALL --crossAccounts 1
The tool uses the crossAccounts.json file to perform AssumeRole on each member account and scan it. The results are aggregated and displayed in a single report. Download the file and open the .html report to view the results.
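Because the scan assumes the role from step I in every member account, it is worth checking that the role's trust policy only trusts the Management Account and requires the External ID. The following is an added example, not code from Service-Screener or from this presentation; the account ID, External ID and both policy documents are constructed sample values, and `audit_trust_policy` is a hypothetical helper name.

```python
# Added example: offline audit of the trust policy on the cross-account role.
# Account ID, External ID and both policies are constructed sample values.
MGMT_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}

GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

def _as_list(value):
    """IAM JSON allows a scalar or a list in most places; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(policy, mgmt_account_id, external_id):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings, seen = [], 0
    trusted_prefix = f"arn:aws:iam::{mgmt_account_id}:"  # any principal in that account
    for n, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not ASSUME_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue
        seen += 1
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            principal = {"AWS": principal}  # covers the bare "*" form
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS" or not (p == mgmt_account_id or p.startswith(trusted_prefix)):
                    findings.append(f"statement {n}: untrusted principal {kind}={p}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, vals in equals.items() if k.lower() == "sts:externalid"
               for v in _as_list(vals)]
        if ids != [external_id]:
            findings.append(f"statement {n}: sts:ExternalId condition missing or unexpected")
    if seen == 0:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_trust_policy(pol, MGMT_ACCOUNT_ID, EXTERNAL_ID) or "OK")
```

To check a deployed role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role` in place of the sample policies.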
Video Demo: "https://drive.google.com/file/d/19OK4hZWZeVhVYSNN4K8_YbJ0jJ31mveO/view?usp=sharing"
Thanks for your time. I hope you enjoy it.