This script is a read-only utility that counts cloud resources in your AWS account. If you run this in your organization account, it will discover resources in all accounts in your organization.
No changes will be made to your account. No data will be sent anywhere; it remains in your cloud shell environment.
This script can run against an individual AWS account or all child accounts in an AWS Organization. When running the script in CloudShell, it will establish the session using the AWS Identity currently signed in. When running the script in your local environment, it will establish the session based on your AWS CLI configuration. Please see Local Environment Instructions for more details. If your AWS Identity is in the AWS Organization Management account, the script will use the default role OrganizationAccountAccessRole (or custom role if provided) to switch into each child account. If your AWS Identity is not in an AWS Organization Management account, the script will only process resources in this single account. Upon completion, a CSV report is generated with the findings.
Reported Resources will include a count of each of the following resource types per AWS Region:
| Resource | Description |
|---|---|
| Terminated VMs | Terminated EC2 Instances |
| Running VMs | Running EC2 Instances |
| Terminated Kubernetes Nodes | Terminated EKS Nodes |
| Running Kubernetes Nodes | Running EKS Nodes |
| Active EKS Fargate Profiles | Active EKS Fargate Profiles for each EKS Cluster. Excludes any existing Falcon Profiles, e.g. `fp-falcon*` |
| ECS Service Fargate Tasks | DesiredCount of tasks in Active ECS Services. Excludes standalone tasks or tasks that are scheduled outside of Services |
Open AWS Cloud Shell (overview, documentation) using one of the direct links:
| Region | Link |
|---|---|
| us-east-1 | Virginia, United States |
| us-east-2 | Ohio, United States |
| us-west-2 | Oregon, United States |
| eu-west-1 | Ireland |
| ap-northeast-1 | Tokyo, Japan |
```shell
export AWS_ASSUME_ROLE_NAME="Example-Role-Name"
curl https://raw.githubusercontent.com/CrowdStrike/cloud-resource-estimator/main/benchmark.sh | bash
cat ./cloud-benchmark/*benchmark*.csv
```

| Variable | Default | Description |
|---|---|---|
| AWS_ASSUME_ROLE_NAME | OrganizationAccountAccessRole | IAM role name for cross-account access |
| AWS_REGIONS | All regions | Comma-separated list of regions to scan |
| AWS_THREADS | 5 | Number of concurrent account threads |
| AWS_BATCH_SIZE | 20 | Accounts processed per batch |
| AWS_BATCH_DELAY | 30 | Seconds to wait between batches |
| AWS_API_DELAY | 0.1 | Seconds to wait between API calls |
| AWS_MAX_RETRIES | 5 | Maximum retry attempts for failed operations |
| AWS_OPERATION_TIMEOUT | 300 | Timeout for individual operations (seconds) |
| AWS_RESUME_FILE | aws_benchmark_progress.json | Progress tracking file |
| AWS_SKIP_ACCOUNTS | None | Comma-separated list of account IDs to skip |
| AWS_DRY_RUN | false | Set to true to simulate without API calls |
```shell
# Default settings work well - no configuration needed
curl https://raw.githubusercontent.com/CrowdStrike/cloud-resource-estimator/main/benchmark.sh | bash
```

```shell
export AWS_THREADS=8
export AWS_BATCH_SIZE=50
export AWS_BATCH_DELAY=15
export AWS_API_DELAY=0.05
curl https://raw.githubusercontent.com/CrowdStrike/cloud-resource-estimator/main/benchmark.sh | bash
```

```shell
export AWS_THREADS=4
export AWS_BATCH_SIZE=15
export AWS_BATCH_DELAY=30
curl https://raw.githubusercontent.com/CrowdStrike/cloud-resource-estimator/main/benchmark.sh | bash
```

```shell
export AWS_THREADS=2
export AWS_BATCH_SIZE=10
export AWS_BATCH_DELAY=60
export AWS_API_DELAY=0.2
curl https://raw.githubusercontent.com/CrowdStrike/cloud-resource-estimator/main/benchmark.sh | bash
```

If the script times out or is interrupted, it automatically saves progress and can be resumed:

```shell
# The script will automatically resume from where it left off
curl https://raw.githubusercontent.com/CrowdStrike/cloud-resource-estimator/main/benchmark.sh | bash
```

The script will display progress and automatically skip completed accounts.

```shell
export AWS_REGIONS="us-east-1,us-west-2,eu-west-1"
```

```shell
python aws_cspm_benchmark.py \
    --skip-accounts "123456789012,234567890123,345678901234"
```

```shell
python aws_cspm_benchmark.py --dry-run
```
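
An alternative to piping the download straight into `bash`, added here as an example (it is not part of the original README or CrowdStrike's code): save `benchmark.sh` to a file, review it, and run it only while its SHA-256 still matches the copy you reviewed. The function names and the `REVIEWED_SHA256` variable are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: review-then-run wrapper for benchmark.sh (not CrowdStrike's code).
# Assumption: the operator records the SHA-256 of the copy they reviewed.

# Print the SHA-256 of a file (sha256sum on Linux/CloudShell, shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Download URL "$1" to file "$2" instead of piping it into a shell.
# -f makes curl fail on HTTP errors, so an error page is never saved as the script.
fetch_script() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Run "$1" with bash only if its hash equals the reviewed hash "$2".
# Returns the script's exit status, 3 on hash mismatch, 2 on bad arguments.
run_if_reviewed() {
  local script="$1" expected="$2" actual
  [ -f "$script" ] && [ -n "$expected" ] || return 2
  actual="$(file_sha256 "$script")"
  if [ "$actual" != "$expected" ]; then
    echo "hash mismatch: got $actual" >&2
    return 3
  fi
  bash "$script"
}

# Typical use (commented out so this block makes no network call by itself):
#   fetch_script "https://raw.githubusercontent.com/CrowdStrike/cloud-resource-estimator/main/benchmark.sh" benchmark.sh
#   less benchmark.sh                # review what will run
#   file_sha256 benchmark.sh         # record this value as REVIEWED_SHA256
#   run_if_reviewed benchmark.sh "$REVIEWED_SHA256"
```

Because the resume flow re-runs the same command, keeping the reviewed local copy means a resumed run executes the same script as the interrupted one.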