AWS Config continuously monitors and records your AWS resource configurations. You can use the service to automate the evaluation and remediation of recorded configurations against desired configurations. You also can review changes in configurations and relationships between AWS resources and dive into the history of a resource configuration.

The basis of a well-architected multi-account AWS environment is AWS Organizations, an AWS service that you can use to centrally manage and govern multiple accounts. When you combine AWS Organizations with the capabilities of AWS Config and AWS CloudFormation, you can efficiently manage and automate configuration compliance at scale for hundreds of member accounts.

In this blog post, we walk you through the automation of a sequence of five best-practice steps using, AWS Organizations, and CloudFormation. These steps will provide you with a recipe for automating configuration compliance at scale for your multi-account AWS environment.

Prerequisites

To complete the steps in the walkthrough:

  1. Before you start, ensure that you have completed the steps to get started with AWS Organizations with all-features enabled.

Walkthrough

Step 1: Enable AWS Config in your organization

With Quick Setup, a capability of AWS Systems Manager, you can quickly create a configuration recorder powered by AWS Config across your organization.

  1. Follow the steps outlined here to set up AWS Config recording with AWS Systems Manager Quick Setup.
  2. In the Targets section, choose Entire organization to allow AWS Config recording for your entire organization. Quick Setup also provides you the choice choose to enable Config to some of your organizational units (OUs), or the account you’re logged in to.

Step 2: Register a delegated administrator account for AWS Config

A delegated administrator account for AWS Config can be used to aggregate data from all member accounts in an organization without any additional authorization. This offers the auditing, security, and compliance teams in your organization the flexibility to use separate accounts for aggregating compliance-related organization-wide data. It also enables a separation of duties in an organization and eliminates the need for those teams to gain access to the organization’s management account to access the aggregated data.

From the management account of your organization, use the RegisterDelegatedAdministrator action to register a delegated administrator account for AWS Config. You can delegate an administrator only from the AWS Organizations management account. At this time, the management account can assign a maximum of three delegated administrator accounts for AWS Config (config.amazonaws.com).

Run the register-delegated-administrator command from the AWS Organizations primary account. In the following AWS CLI command, replace <member account id> with the delegated admin account ID.

$ aws register-delegated-administrator --service-principal config.amazonaws.com\
--account-id <member account id>

Step 3: Create an AWS Config aggregator in the delegated administrator account

An AWS Config aggregator is a resource type that collects AWS Config configuration and compliance data from multiple accounts and Regions or from an organization created in AWS Organizations. All accounts must have AWS Config enabled.

The AWS account where the AWS Config aggregator is created is called the aggregator account. The AWS accounts that provide configuration and compliance data to this aggregator account are called the source accounts.

You can create a Config Aggregator in the aggregator account to directly collect configuration and compliance data from all organization accounts that have AWS Config enabled. In this case, explicit authorization from individual source accounts is not required. This configuration uses a service-linked role that enables AWS Config to obtain organization details associated with the aggregator account.

Using the aggregator account, create a stack in the AWS CloudFormation console to launch the OrganizationEnableRecorderAndAggregator.yaml template. The template takes the following parameters:

  • OrgAggregatorName: Name of the aggregator.
  • CreateRecorder: If you have already enabled AWS Config (S), enter no.

Step 4: AWS Config rules in the organization

Instead of deploying AWS Config rules in member accounts and regions individually, use AWS::Config::OrganizationConfigRule in your CloudFormation template to automate the deployment of AWS Config rules across member accounts in an organization.

In this blog post, we provide a sample template that deploys the cloudtrail_enabled managed rule across an organization. You can use this template to deploy more managed rules in your organization.

Using the AWS Config administrator account, create a stack in the AWS CloudFormation console to launch the OrgEnableAWSConfigRule.yml template. The template takes the following parameters:

  • OrganizationConfigRuleName: The name for the rule.
  • OrganizationManagedRuleMetadata: Provide the rule identifier and description for the rule. Each AWS Config Managed Rule has a unique rule identifier. For example the cloudtrail_enabled managed rule in our sample template has the “CLOUD_TRAIL_ENABLED” identifier

Step 5: Provision AWS Config conformance packs in the organization

Conformance packs are a collection of AWS Config rules (and, optionally, remediation actions) that can be easily deployed as a single entity in an account and region or across an organization in AWS Organizations. Conformance packs provide prebuilt groupings of AWS Config rules based on compliance standards or AWS operational and security best practices. Use AWS::Config::OrganizationConformancePack to deploy conformance packs across member accounts in an organization.

In this blog post, we provide a sample template that deploys the operational best practices for PCI-DSS 3.2.1 conformance pack in an organization. Upload this template to an S3 bucket in your account.

Using the AWS Config administrator account, create a stack in the AWS CloudFormation console to launch the OrgEnableConformancePack.yml template. The template takes the following parameters:

  • OrganizationConformancePackName: Name of the conformance pack to be deployed in an organization.
  • TemplateS3Uri: S3 template URI that hosts the conformance pack template. This has the ‘s3://bucketname/prefix’ format

Cleanup

In order to delete organizational level conformance packs and config rules that were provisioned in steps 4 and 5 respectively you need to use the command-line interface (AWS CLI). For deleting the AWS Config aggregator that was provisioned in step 3, simply delete the cloudformation stack provisioned in that step.

Delete AWS Config conformance packs in the organization

Run the following command from the AWS CLI:

$ aws configservice delete-organization-conformance-pack —organization-conformance-pack-name=< OrganizationConformancePackName value>

Delete AWS Config rules in the organization

$ aws configservice delete-organization-config-rule organization-config-rule-name=< OrganizationConfigRuleName value>

Conclusion

In this blog post, we showed how you can manage and automate configuration compliance at scale for hundreds of member accounts by using AWS Config, AWS Organizations, and AWS CloudFormation.

About the authors

Andres headshot

Andres Silva

Andres Silva is a Principal Specialist Solutions Architect with the Management Tools team at AWS. He has been working with AWS technology for more than nine years. Andres works closely with the AWS service teams to design solutions at scale that help customers implement and support complex cloud infrastructures. When he is not building cloud automation, he enjoys skateboarding with his two kids.

A picture of Kanishk Mahajan

Kanishk Mahajan

Kanishk Mahajan has been leading AWS Cloud transformation, solution architecture, and delivery teams for customers for several years. His areas of specialty include management and governance, migrations and modernizations, and security and compliance. He is a Technical Field Community (TFC) member at AWS in each of those domains.