Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The Config Organization solution will enable AWS Config, delegate administration to a member account, and configure AWS Config for all the existing and future AWS Organization accounts. The solution will also enable an aggregator in the delegated administrator account to collect AWS Config configuration and compliance data for the AWS Organization. AWS Config is also configured to send the configuration snapshots and configuration history files to a central S3 bucket encrypted with a KMS key.
- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the management account or a CloudFormation `Stack` within a specific account.
- For parameter details, review the AWS CloudFormation templates.
- IAM role used by the Lambda function to enable AWS Config and set up the AWS Config delivery channel within each account and region provided.
- IAM role assumed by the Lambda function within the management account to configure AWS Config within each account and region provided.
- The Lambda function includes logic to enable and configure AWS Config.
- All the `AWS Lambda Function` logs are sent to a CloudWatch Log Group `/aws/lambda/<LambdaFunctionName>` to help with debugging and traceability of the actions performed.
- By default the `AWS Lambda Function` will create the CloudWatch Log Group and logs are encrypted with a CloudWatch Logs service managed encryption key.
- SQS dead letter queue used for retaining any failed Lambda events.
- SNS Topic used to notify subscribers when messages hit the DLQ.
- The `Organization Compliance Scheduled Event Rule` triggers the `AWS Lambda Function` to capture AWS Account status updates (e.g. suspended to active).
  - A parameter is provided to set the schedule frequency.
  - See the Instructions to Manually Run the Lambda Function for triggering the `AWS Lambda Function` before the next scheduled run time.
- The `AWS Organizations Event Rule` triggers the `AWS Lambda Function` when updates are made to accounts within the organization.
  - When AWS Accounts are added to the AWS Organization (e.g. account created via AWS Organizations console, account invited from another AWS Organization).
- The `Global Event Rule` in us-east-1 forwards the AWS Organization events to the `Home Region` default Event Bus.
  - If the `Home Region` is different from the `Global Region` (e.g. us-east-1), then global event rules are created within the `Global Region` to forward events to the `Home Region` default Event Bus.
- AWS Config is enabled for each existing active account and region during the initial setup.
- AWS Config will be automatically enabled for new member accounts when added to the AWS Organization.
- S3 bucket where AWS Config configurations snapshots are exported for each account/region within the AWS Organization.
- See 1.9 AWS Config
The example solutions use `Security Account Id` for the Security Tooling Account. NOTE: Conceptually, the Security Tooling Account is the equivalent of Control Tower's default Audit Account. The Account ID for the `Security Account Id` SSM parameter is populated from the `SecurityAccountId` parameter within the `sra-easy-setup` Stack.
- Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to.
- KMS key to encrypt the configuration snapshots with a customer managed KMS key.
- IAM role used by AWS Config to access AWS Organizations APIs.
- AWS Config Aggregator configured in the delegated administrator account to collect AWS Config configuration and compliance data for the AWS Organization.
- KMS key to encrypt the SNS Topic with a customer managed KMS key.
- See 1.9 Config
- See 1.9 AWS Config
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
Choose a Deployment Method:
In the management account (home region), launch an AWS CloudFormation Stack using the option below:
- Use the `sra-config-org-main-ssm.yaml` template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.

  ```bash
  aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_org/templates/sra-config-org-main-ssm.yaml --stack-name sra-config-org-main-ssm --capabilities CAPABILITY_NAMED_IAM
  ```
- Log into the Audit account and navigate to the AWS Config page.
- Verify the correct AWS Config configurations have been applied to each account and region.
- Verify all existing accounts have been enabled.
- Verify the correct AWS Config Aggregator configurations have been applied.
- Verify all existing accounts have been enabled. Note: It can take a few minutes to complete.
- Log into the Log archive account and navigate to the S3 page.
- Verify the sample configuration snapshots have been delivered.
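The verification steps above can be scripted. As an added example that is not part of the SRA repository, the following Python evaluates the AWS Config `describe_*` responses for one account and region against what the solution sets up: a recorder that is on and recording all supported resource types, and a delivery channel pointing at the central KMS-encrypted S3 bucket with a snapshot delivery frequency. The bucket name, key ARN and sample responses are constructed placeholders; `check_live` assumes a boto3 session already assumed into the member account.

```python
EXPECTED_BUCKET = "sra-config-delivery-111111111111-us-east-1"  # constructed placeholder, not an SRA value

def evaluate_config_setup(recorders, statuses, channels, expected_bucket=EXPECTED_BUCKET):
    """Return deviations (empty list == compliant) for one account/region, given the
    ConfigurationRecorders, ConfigurationRecordersStatus and DeliveryChannels lists
    returned by the matching describe_* calls of the AWS Config API."""
    issues = []
    if not recorders:
        issues.append("no configuration recorder")
    elif not recorders[0].get("recordingGroup", {}).get("allSupported"):
        issues.append("recorder does not record all supported resource types")
    if not statuses or not statuses[0].get("recording"):
        issues.append("recorder is not recording")
    elif statuses[0].get("lastStatus") == "Failure":
        issues.append("last recorder run failed: " + statuses[0].get("lastErrorMessage", ""))
    if not channels:
        issues.append("no delivery channel")
    else:
        ch = channels[0]
        if ch.get("s3BucketName") != expected_bucket:
            issues.append(f"delivery channel targets {ch.get('s3BucketName')!r}, expected {expected_bucket!r}")
        if not ch.get("s3KmsKeyArn"):  # snapshots must be encrypted with the solution's KMS key
            issues.append("delivery channel has no KMS key for snapshots")
        if not ch.get("configSnapshotDeliveryProperties", {}).get("deliveryFrequency"):
            issues.append("no configuration snapshot delivery frequency set")
    return issues

def check_live(session, region, expected_bucket=EXPECTED_BUCKET):
    """Run the same evaluation against a real account via a boto3 session assumed into it."""
    cfg = session.client("config", region_name=region)
    return evaluate_config_setup(
        cfg.describe_configuration_recorders()["ConfigurationRecorders"],
        cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"],
        cfg.describe_delivery_channels()["DeliveryChannels"],
        expected_bucket,
    )

# Constructed sample responses: one compliant region, one with a failed recorder run and a wrong, unencrypted bucket.
SAMPLE_OK = dict(
    recorders=[{"name": "default", "recordingGroup": {"allSupported": True}}],
    statuses=[{"name": "default", "recording": True, "lastStatus": "Success"}],
    channels=[{"name": "default", "s3BucketName": EXPECTED_BUCKET,
               "s3KmsKeyArn": "arn:aws:kms:us-east-1:222222222222:key/PLACEHOLDER",
               "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}}],
)
SAMPLE_BAD = dict(
    recorders=SAMPLE_OK["recorders"],
    statuses=[{"name": "default", "recording": True, "lastStatus": "Failure", "lastErrorMessage": "AccessDenied"}],
    channels=[{"name": "default", "s3BucketName": "some-other-bucket"}],
)
```

Run it per account and region (e.g. from the management account with a role assumed into each member) and treat a non-empty list as a failed verification.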
- In the `management account (home region)`, delete the AWS CloudFormation Stack (`sra-config-org-main-ssm`).
- In the `management account (home region)`, delete the AWS CloudWatch Log Group (e.g. `/aws/lambda/<solution_name>`) for the Lambda function deployed.
- In the `log archive account (home region)`, delete the S3 bucket (e.g. `sra-config-delivery-<account_id>-<aws_region>`) created by the solution.
