AWS Config: Deploying across Multiple AWS Accounts, Regions, and Organizations


Brett Gillett

3 minute read

Brett Gillett

3 minute read

Deploying AWS Config Across Multiple AWS Organizations, Accounts and Regions

One of our AWS Managed Services customers has a multi-AWS Organization account structure - three Organizations in total.

While not a common deployment strategy, in this particular case it satisfied the client’s specific charge-backup requirements for the various geographical regions where the client operates.

Multi Account AWS Config Deployment

Since resources exist in several AWS Organizations and multiple AWS accounts, we needed a simple way to provide a ‘compliance’ dashboard.

We satisfied this requirement by deploying AWS Config across all AWS accounts in a set of ‘approved’ AWS Regions. We then centralized all reporting and configuration history into a single AWS account - which we refer to as the ‘security account.’

Within the security account, several AWS Managed Config Rules monitor for compliance across all AWS resources.

AWS Config multi-account deployment

Deployment Strategy

We needed to deploy AWS Config across three distinct AWS Organizations, eight AWS accounts, and in a minimum of three AWS Regions in each account.

Without some form of automation, this task would have been time-consuming as well as error-prone. To meet the customer’s timelines, we created several CloudFormation templates - one for AWS Config, one for AWS Config Rules and another for the central S3 bucket. We simplified deployment across all AWS environments with the use of GitLab CI scripts.

By using CloudFormation, we were able to streamline the deployment and maintenance process and ensure a consistent configuration across each AWS Organization and AWS account. For example, we record changes to all supported AWS resources and collect information about global resources in a single AWS Region for each AWS account.

S3 Bucket Configuration

For this deployment, we created a single S3 bucket located in the security account. The bucket is used by AWS Config in each Account to store configuration snapshot information. Snapshots are stored for each AWS account every six hours.

To ensure the confidentiality and integrity of the data AWS Config collects, we protected the centralized S3 bucket with both an S3 Bucket Policy and Access Control Lists (ACLs) during the deployment.

AWS Config Rules Deployment

Finally, we deployed several AWS Managed Config Rules in the AWS Config deployment in the security account. For this particular deployment, we used a combination of triggered and periodic Config Rules.

By triggering rules on configuration changes, we’re able to evaluate compliance immediately as configuration items are modified. As an example, we deployed the ‘required-tags’ rule to evaluate tags associated with resources during deployment.

Periodic Config Rules allow us to evaluate compliance on a schedule. In this particular deployment, we validate the Account password policy every twenty-four hours to ensure it meets the documented corporate standard.


Orbit

Like what you read? Why not subscribe to the weekly Orbit newsletter and get content before everyone else?