Ensuring Continuous Compliance with AWS Config

Brett Gillett

Monitoring for Compliance using AWS Config

Recently, a large Canadian manufacturer asked us to help them design and implement a compliance monitoring solution that needed to monitor resources across twelve AWS accounts.

We met the customer’s requirements by deploying AWS Config in a centralized account and setting up the aggregation of resource data into a single AWS account.

AWS Config Compliance Dashboard

Deployment Strategy

In order to consolidate all AWS Config data into a single AWS account, we deployed an AWS Config aggregator in one central account. In each of the other accounts, we then created an aggregation authorization that allows the central account to collect their Config data.


To ensure consistency across all AWS accounts, we deployed AWS Config, the multi-account aggregator, the aggregation authorizations and supporting services (such as S3) via CloudFormation.

Capturing Data for all AWS Resources

Getting a complete picture of all AWS Resources - as well as their current and historical configuration - was a key reason why the customer decided to utilize the AWS Config solution.

By using AWS CloudFormation templates, we ensured that every supported resource type was recorded in every region, while global resources were recorded in only one region rather than being duplicated from every region.

AWS Config Rules

AWS Config Rules evaluate whether AWS resources comply with the conditions you define. In this particular situation, we also deployed AWS Security Hub, which creates a number of AWS Config Rules of its own when it is enabled.

The customer uses this information to monitor resources and take corrective action when required.

Configuration Snapshots

Configuration Snapshots provide a complete picture of all supported resources and their current configuration. During the deployment, we configured each AWS account to send Configuration Snapshots to a centralized S3 bucket every six hours.

Once captured, the customer can use the data to understand what has been deployed in each AWS account. This information is used to help ensure compliance across all AWS accounts.
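As an added example (not the template from the original post), here is a member-account CloudFormation template of the kind described in the Deployment Strategy and Configuration Snapshots sections: it records all supported resources, records global resources only in one home region, delivers snapshots every six hours to the central bucket, and authorizes the central account's aggregator. Parameter names, the role's inline S3 policy and the assumption that the aggregator lives in the home region are mine; the central bucket's policy granting config.amazonaws.com write access, and the aggregator itself, live in the central account and are not shown.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  CentralAccountId:    # account that hosts the Config aggregator (assumed value)
    Type: String
  CentralBucketName:   # central snapshot bucket; its bucket policy must allow config.amazonaws.com
    Type: String
  HomeRegion:          # the single region that records global resources and hosts the aggregator
    Type: String
    Default: us-east-1
Conditions:
  # Global resources (IAM, for example) exist once per account, so record them in one region only
  IsHomeRegion: !Equals [!Ref "AWS::Region", !Ref HomeRegion]
Resources:
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: config.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
      Policies:   # a custom role also needs write access to the delivery bucket
        - PolicyName: deliver-snapshots
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: s3:PutObject, Resource: !Sub "arn:aws:s3:::${CentralBucketName}/AWSLogs/${AWS::AccountId}/*" }
              - { Effect: Allow, Action: s3:GetBucketAcl, Resource: !Sub "arn:aws:s3:::${CentralBucketName}" }
  Recorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RoleARN: !GetAtt ConfigRole.Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: !If [IsHomeRegion, true, false]
  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn: Recorder
    Properties:
      S3BucketName: !Ref CentralBucketName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: Six_Hours
  AggregationAuthorization:
    Type: AWS::Config::AggregationAuthorization
    Condition: IsHomeRegion   # one authorization per account is enough
    Properties:
      AuthorizedAccountId: !Ref CentralAccountId
      AuthorizedAwsRegion: !Ref HomeRegion
```

Deploying this as a CloudFormation StackSet to every account and region gives each account its own recorder and delivery channel, while the single aggregation authorization per account lets the central aggregator pull data from all of its regions.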
