Skip to content

Latest commit

 

History

History

config_aggregator_org

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
customizations_for_aws_control_tower
customizations_for_aws_control_tower
 
 
documentation
documentation
 
 
templates
templates
 
 
README.md
README.md
 
 

README.md

AWS Config Aggregator

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Table of Contents

Introduction

The AWS Config Aggregator Organization solution configures an AWS Config aggregator by delegating administration to a member account (e.g. Audit or Security Tooling) within the Organization Management account and then configuring AWS Config Aggregator within the delegated administrator account for all the existing and future AWS Organization accounts.

Deployed Resource Details

Architecture

1.0 Organization Management Account

1.1 AWS CloudFormation

  • All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or a CloudFormation Stack within a specific account.
  • The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
  • For parameter details, review the AWS CloudFormation templates.

1.2 AWS Organizations

  • AWS Organizations is used to delegate an administrator account for AWS Config and to identify AWS accounts for aggregation.

2.0 Delegated Administrator Account (e.g. Security Tooling, Audit)

2.1 AWS CloudFormation

2.2 AWS Config Aggregator IAM Role

  • IAM role used by AWS Config to access AWS Organizations APIs

2.3 AWS Config Aggregator

  • AWS Config Aggregator is configured for the AWS Organization and all AWS Regions.

3.0 All Existing and Future Organization Member Accounts

3.1 AWS Config Aggregator

  • AWS Config Aggregator within each member account has Authorizations for the Delegated Administrator Account to collect AWS Config compliance and configuration data.

Implementation Instructions

Prerequisites

  • AWS Control Tower is deployed.
  • aws-security-reference-architecture-examples repository is stored on your local machine or location where you will be deploying from.
  • Register a delegated administrator using the Common Register Delegated Administrator solution
    • pServicePrincipalList = "config.amazonaws.com"

Solution Deployment

Customizations for AWS Control Tower

AWS CloudFormation

  1. In the management account (home region), launch an AWS CloudFormation Stack Set and deploy to the Audit account (home region) using the sra-config-aggregator-org-configuration.yaml template file as the source.

Verify Solution Deployment

  • Log into the Audit account and navigate to the AWS Config page
    1. Verify the correct AWS Config Aggregator configurations have been applied
    2. Verify all existing accounts have been enabled (This can take a few minutes to complete)

Solution Delete Instructions

  1. In the management account (home region), delete the AWS CloudFormation StackSet created in step 1 of the solution deployment. Note: there should not be any stack instances associated with this StackSet.
  2. Clean up the delegated administrator registered in the Prerequisites

References