Querying inventory data from multiple Regions and accounts - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Querying inventory data from multiple Regions and accounts

Amazon Systems Manager Inventory integrates with Amazon Athena to help you query inventory data from multiple Amazon Web Services Regions and Amazon Web Services accounts. Athena integration uses resource data sync so that you can view inventory data from all of your managed nodes on the Detailed View page in the Amazon Systems Manager console.

Important

This feature uses Amazon Glue to crawl the data in your Amazon Simple Storage Service (Amazon S3) bucket, and Amazon Athena to query the data. Depending on how much data is crawled and queried, you can be charged for using these services. With Amazon Glue, you pay an hourly rate, billed by the second, for crawlers (discovering data) and ETL jobs (processing and loading data). With Athena, you're charged based on the amount of data scanned by each query. We encourage you to view the pricing guidelines for these services before you use Amazon Athena integration with Systems Manager Inventory. For more information, see Amazon Athena pricing and Amazon Glue pricing.

You can view inventory data on the Detailed View page in all Amazon Web Services Regions where Amazon Athena is available. For a list of supported Regions, see Amazon Athena Service Endpoints in the Amazon Web Services General Reference.

Before you begin

Athena integration uses resource data sync. You must set up and configure resource data sync to use this feature. For more information, see Configuring resource data sync for Inventory.

Also, be aware that the Detailed View page displays inventory data for the owner of the central Amazon S3 bucket used by resource data sync. If you aren't the owner of the central Amazon S3 bucket, then you won't see inventory data on the Detailed View page.

Configuring access

Before you can query and view data from multiple accounts and Regions on the Detailed View page in the Systems Manager console, you must configure your IAM entity with permission to view the data.

If the inventory data is stored in an Amazon S3 bucket that uses Amazon Key Management Service (Amazon KMS) encryption, you must also configure your IAM entity and the Amazon-GlueServiceRoleForSSM service role for Amazon KMS encryption.

Configuring your IAM entity to access the Detailed View page

The following describes the minimum permissions required to view inventory data on the Detailed View page.

The AWSQuicksightAthenaAccess managed policy

The following PassRole and additional required permissions block

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGlue",
      "Effect": "Allow",
      "Action": [
        "glue:GetCrawler",
        "glue:GetCrawlers",
        "glue:GetTables",
        "glue:StartCrawler",
        "glue:CreateCrawler"
      ],
      "Resource": "*"
    },
    {
      "Sid": "iamPassRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "glue.amazonaws.com.cn"
        }
      }
    },
    {
      "Sid": "iamRoleCreation",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy"
      ],
      "Resource": "arn:aws-cn:iam::account_ID:role/*"
    },
    {
      "Sid": "iamPolicyCreation",
      "Effect": "Allow",
      "Action": "iam:CreatePolicy",
      "Resource": "arn:aws-cn:iam::account_ID:policy/*"
    }
  ]
}

(Optional) If the Amazon S3 bucket used to store inventory data is encrypted by using Amazon KMS, you must also add the following block to the policy.

{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": [
    "arn:aws-cn:kms:Region:account_ID:key/key_ARN"
  ]
}

To provide access, add these permissions to the IAM users, groups, or roles that need to use the Detailed View page.
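The permissions block above is easy to loosen in the wrong place, for example by dropping the iam:PassedToService condition while troubleshooting, or by leaving the account_ID and key_ARN placeholders unreplaced. The following script is an added example and is not part of this page or of Systems Manager; it builds the policy document with a constructed account ID (111122223333) and key ARN, renders it for the IAM JSON editor, and lints it for the scoping properties the block relies on: iam:PassRole pinned to glue.amazonaws.com.cn, IAM write actions confined to account-scoped ARNs, and kms:Decrypt naming a single key. The function names, the sample identifiers, and the KmsDecrypt statement ID are assumptions.

```python
import json
from typing import Any, Dict, List

# Constructed sample values (not real identifiers): replace with your own
# account ID and the ARN of the KMS key that encrypts the central bucket.
ACCOUNT_ID = "111122223333"
KMS_KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"
GLUE_SERVICE_PRINCIPAL = "glue.amazonaws.com.cn"

# The statements from this page's permissions block, with the optional
# kms:Decrypt statement appended for a KMS-encrypted bucket (Sid is assumed).
DETAILED_VIEW_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowGlue", "Effect": "Allow",
         "Action": ["glue:GetCrawler", "glue:GetCrawlers", "glue:GetTables",
                    "glue:StartCrawler", "glue:CreateCrawler"],
         "Resource": "*"},
        {"Sid": "iamPassRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": GLUE_SERVICE_PRINCIPAL}}},
        {"Sid": "iamRoleCreation", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy"],
         "Resource": f"arn:aws-cn:iam::{ACCOUNT_ID}:role/*"},
        {"Sid": "iamPolicyCreation", "Effect": "Allow", "Action": "iam:CreatePolicy",
         "Resource": f"arn:aws-cn:iam::{ACCOUNT_ID}:policy/*"},
        {"Sid": "KmsDecrypt", "Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": [KMS_KEY_ARN]},
    ],
}

# Documentation placeholders that must be replaced before the policy is used.
PLACEHOLDERS = ("account_ID", "key_ARN", "Region")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for Allow statements that are broader than this page needs,
    or that still contain unreplaced documentation placeholders."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = [str(r) for r in _as_list(stmt.get("Resource", []))]
        condition = stmt.get("Condition", {})

        # An unreplaced placeholder matches nothing; a hurried "fix" to "*" matches far too much.
        for res in resources:
            if any(ph in res for ph in PLACEHOLDERS):
                findings.append(f"{sid}: unreplaced placeholder in resource {res!r}")

        # iam:PassRole on "*" is acceptable only when pinned to the Glue service;
        # without the condition the entity could hand any role to any service.
        if any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            passed_to = condition.get("StringEquals", {}).get("iam:PassedToService")
            if "*" in resources and passed_to != GLUE_SERVICE_PRINCIPAL:
                findings.append(f"{sid}: iam:PassRole on '*' without "
                                f"iam:PassedToService={GLUE_SERVICE_PRINCIPAL}")

        # Role and policy creation should stay confined to this account's ARNs.
        if any(a in ("iam:CreateRole", "iam:AttachRolePolicy", "iam:CreatePolicy",
                     "iam:*", "*") for a in actions) and "*" in resources:
            findings.append(f"{sid}: IAM write actions on '*' instead of an account-scoped ARN")

        # kms:Decrypt should name the bucket's key, not every key in the account.
        if any(a in ("kms:Decrypt", "kms:*", "*") for a in actions):
            for res in resources:
                if res == "*" or res.endswith("/*"):
                    findings.append(f"{sid}: kms:Decrypt on wildcard resource {res!r}")
    return findings


def render_policy(policy: Dict[str, Any]) -> str:
    """JSON text suitable for pasting into the IAM console's JSON editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render_policy(DETAILED_VIEW_POLICY))
    print("findings:", lint_policy(DETAILED_VIEW_POLICY) or "none")
```

Run the linter against the policy as pasted from this page and it reports the three placeholders; run it against the rendered version with real values and it should report nothing. Re-running it after any later edit to the inline policy catches the common regressions (a dropped PassRole condition or a kms:Decrypt widened to every key) before they reach an account.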

(Optional) Configure permissions for viewing Amazon KMS encrypted data

If the Amazon S3 bucket used to store inventory data is encrypted by using the Amazon Key Management Service (Amazon KMS), you must configure your IAM entity and the Amazon-GlueServiceRoleForSSM role with kms:Decrypt permissions for the Amazon KMS key.

Before you begin

To provide the kms:Decrypt permissions for the Amazon KMS key, add the following policy block to your IAM entity:

{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": [
    "arn:aws-cn:kms:Region:account_ID:key/key_ARN"
  ]
}

If you haven't done so already, complete that procedure and add kms:Decrypt permissions for the Amazon KMS key.

Use the following procedure to configure the Amazon-GlueServiceRoleForSSM role with kms:Decrypt permissions for the Amazon KMS key.

To configure the Amazon-GlueServiceRoleForSSM role with kms:Decrypt permissions
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles.

  3. Use the search field to find the Amazon-GlueServiceRoleForSSM role.

  4. Choose the role name. The Summary page opens.

  5. Choose Add inline policy. The Create policy page opens.

  6. Choose the JSON tab.

  7. Delete the existing JSON text in the editor, and then copy and paste the following policy into the JSON editor.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws-cn:kms:Region:account_ID:key/key_ARN"
          ]
        }
      ]
    }

  8. Choose Review policy.

  9. On the Review Policy page, enter a name in the Name field.

  10. Choose Create policy.

Querying data on the inventory detailed view page

Use the following procedure to view inventory data from multiple Amazon Web Services Regions and Amazon Web Services accounts on the Systems Manager Inventory Detailed View page.

Important

The Inventory Detailed View page is only available in Amazon Web Services Regions that offer Amazon Athena. If the following tabs aren't displayed on the Systems Manager Inventory page, it means Athena isn't available in the Region and you can't use the Detailed View to query data.


[Image: the Inventory page showing the Dashboard | Detailed View | Settings tabs]

To view inventory data from multiple Regions and accounts in the Amazon Systems Manager console
  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  2. In the navigation pane, choose Inventory.

    -or-

    If the Amazon Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Inventory in the navigation pane.

  3. Choose the Detailed View tab.

    
    [Image: Accessing the Amazon Systems Manager Inventory Detailed View page]

  4. Choose the resource data sync for which you want to query data.

    
    [Image: Displaying inventory data in the Amazon Systems Manager console]

  5. In the Inventory Type list, choose the type of inventory data that you want to query, and then press Enter.

    
    [Image: Choosing an inventory type in the Amazon Systems Manager console]

  6. To filter the data, choose the Filter bar, and then choose a filter option.

    
    [Image: Filtering inventory data in the Amazon Systems Manager console]

You can use the Export to CSV button to view the current query set in a spreadsheet application such as Microsoft Excel. You can also use the Query History and Run Advanced Queries buttons to view history details and interact with your data in Amazon Athena.

Editing the Amazon Glue crawler schedule

Amazon Glue crawls the inventory data in the central Amazon S3 bucket twice daily, by default. If you frequently change the types of data to collect on your nodes then you might want to crawl the data more frequently, as described in the following procedure.

Important

Amazon Glue charges your Amazon Web Services account based on an hourly rate, billed by the second, for crawlers (discovering data) and ETL jobs (processing and loading data). Before you change the crawler schedule, view the Amazon Glue pricing page.

To change the inventory data crawler schedule
  1. Open the Amazon Glue console at https://console.amazonaws.cn/glue/.

  2. In the navigation pane, choose Crawlers.

  3. In the crawlers list, choose the option next to the Systems Manager Inventory data crawler. The crawler name uses the following format:

    AWSSystemsManager-DOC-EXAMPLE-BUCKET-Region-account_ID

  4. Choose Action, and then choose Edit crawler.

  5. In the navigation pane, choose Schedule.

  6. In the Cron expression field, specify a new schedule by using a cron format. For more information about the cron format, see Time-Based Schedules for Jobs and Crawlers in the Amazon Glue Developer Guide.

Important

You can pause the crawler to stop incurring charges from Amazon Glue. If you pause the crawler, or if you change the frequency so that the data is crawled less often, then the Inventory Detailed View might display data that isn't current.
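Before pasting a new expression into the Cron expression field, it helps to know how many crawler runs per day it produces, since Glue bills per second of crawler time and a less frequent schedule makes the Detailed View lag. The following script is an added example, not part of this page or of Amazon Glue; it validates the structural rules of the Glue cron format (a cron(...) wrapper, six fields, and a '?' in exactly one of day-of-month and day-of-week), expands the minute and hour fields, and compares the result with the twice-daily default stated above. The function names are assumptions, and the expander covers only the numeric syntax forms listed in its docstring, not the L, W or # day qualifiers.

```python
import re
from typing import Dict, List, Set

# The page states the crawler runs twice daily by default; used only as the
# baseline for the cost and staleness comparison below.
DEFAULT_RUNS_PER_DAY = 2

FIELD_NAMES = ["minute", "hour", "day-of-month", "month", "day-of-week", "year"]
_CRON_WRAPPER = re.compile(r"^cron\((.+)\)$")


def parse_glue_cron(expression: str) -> List[str]:
    """Split a Glue schedule into its six fields and enforce the format's
    structural rules: cron(...) wrapper, six space-separated fields, and '?'
    in exactly one of day-of-month and day-of-week."""
    match = _CRON_WRAPPER.match(expression.strip())
    if not match:
        raise ValueError("schedule must be written as cron(<six fields>)")
    fields = match.group(1).split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields ({', '.join(FIELD_NAMES)}), got {len(fields)}")
    day_of_month, day_of_week = fields[2], fields[4]
    if (day_of_month == "?") == (day_of_week == "?"):
        raise ValueError("exactly one of day-of-month and day-of-week must be '?'")
    return fields


def _expand(field: str, low: int, high: int) -> Set[int]:
    """Expand a numeric minute or hour field into the values it fires on.
    Handles '*', 'a', 'a-b', 'a,b,c', '*/n', 'a/n' and 'a-b/n'."""
    values: Set[int] = set()
    for part in field.split(","):
        step, has_step = 1, "/" in part
        if has_step:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"step must be positive in {field!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = int(part)
            end = high if has_step else start  # 'a/n' means every n units from a onward
        if not (low <= start <= end <= high):
            raise ValueError(f"value out of range {low}-{high} in {field!r}")
        values.update(range(start, end + 1, step))
    return values


def runs_per_day(expression: str) -> int:
    """Number of crawler runs on any day that the date fields match."""
    fields = parse_glue_cron(expression)
    minutes = _expand(fields[0], 0, 59)
    hours = _expand(fields[1], 0, 23)
    return len(minutes) * len(hours)


def schedule_review(expression: str) -> Dict[str, object]:
    """Summarise a proposed schedule against the twice-daily default."""
    runs = runs_per_day(expression)
    return {
        "runs_per_day": runs,
        "cost_factor_vs_default": runs / DEFAULT_RUNS_PER_DAY,
        "may_show_stale_data": runs < DEFAULT_RUNS_PER_DAY,
    }


if __name__ == "__main__":
    for candidate in ("cron(0 */12 * * ? *)", "cron(0 */6 * * ? *)", "cron(0 2 * * ? *)"):
        print(candidate, schedule_review(candidate))
```

A result with may_show_stale_data set to True is the situation the Important note describes: the schedule is sparser than the default, so the Detailed View can show data that is no longer current. A cost factor above 1 is the opposite trade-off and is worth checking against the Glue pricing page before saving the crawler.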