Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The AWS Config Control Tower Management Account Solution enables AWS Config in the Control Tower management account and updates the AWS Config aggregator in the audit account accordingly. The AWS CloudFormation templates that AWS Control Tower uses to enable AWS Config in the member accounts were used as a reference for this solution. All resources that support tags are given the tag key/value pair sra-solution: sra-config-management-account.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can:
- Review changes in configurations and relationships between AWS resources.
- Dive into detailed resource configuration histories.
- Determine your overall compliance against the configurations specified in your internal guidelines.
An Aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:
- Multiple accounts and multiple regions.
- Single account and multiple regions.
- An organization in AWS Organizations and all the accounts in that organization which have AWS Config enabled.
AWS Config enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting, while an Aggregator lets you view the resource configuration and compliance data recorded in AWS Config across accounts and regions.
- All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or as a CloudFormation Stack within a specific account.
- The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet. CloudFormation triggers the custom resource Lambda function on Create, Update, and Delete events.
- For parameter details, review the AWS CloudFormation templates.
- The AWS Config Delivery Channel: as AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel.
- The AWS Config Recorder describes the AWS resource types for which AWS Config records configuration changes.
- The configuration recorder stores the configurations of the supported resources in your account as configuration items.
- The AWS Config Recorder IAM role is deployed into the management account and is assumed by AWS Config so that the recorder can detect changes in your resource configurations and capture these changes as configuration items.
- The AWS Lambda Function Role allows the AWS Lambda service to assume the role and perform actions defined in the attached IAM policies.
- This solution's Lambda function queries and updates the list of source accounts and regions being aggregated in the AWS Config Aggregator in the audit account.
- An external deployment package is used in the AWS Lambda Function in the sra-config-management-account-update-aggregator.yaml template; it contains the logic for querying and updating the list of source accounts and regions being aggregated in the AWS Config Aggregator in the audit account.
- The function is triggered by CloudFormation Create, Update, and Delete events.
- AWS Lambda Function logs are sent to the CloudWatch Log Group /aws/lambda/<LambdaFunctionName> to help with debugging and traceability of the actions performed.
- By default the AWS Lambda Function will create the CloudWatch Log Group with a Retention of Never expire, and the logs are encrypted with a CloudWatch Logs service managed encryption key.
- Optional parameters are included to allow creating the CloudWatch Log Group, which allows setting KMS Encryption using a customer managed KMS key and setting the Retention to a specific value (e.g. 14 days).
The example solutions use Audit Account instead of Security Tooling Account to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the Audit Account SSM parameter is populated from the SecurityAccountId parameter within the AWSControlTowerBP-BASELINE-CONFIG StackSet.
AWS Control Tower creates an AWS Config Aggregator within the Audit Account for all accounts within the AWS Organization.
- The Lambda Function within the management account adds the management account to the existing AWS Config Aggregator.
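The aggregator update that the Lambda function performs (described under the Lambda function bullets and in the bullet above), as an added illustration that is not the solution's own deployment package: it merges the management account and its Config regions into the AccountAggregationSources of the audit account's aggregator, leaves the list untouched when the account is already covered, and removes the account again on a stack Delete. Assumptions: a boto3 Config client whose credentials are valid in the audit account, and a made-up aggregator name; the real describe_configuration_aggregators and put_configuration_aggregator calls are used, and because Put replaces the whole source list, the merge is computed before anything is written.

```python
"""Merge the management account into the audit account's AWS Config aggregator."""


def add_account_to_sources(sources: list[dict], account_id: str, regions: list[str]) -> list[dict]:
    """Return AccountAggregationSources covering account_id for regions (idempotent)."""
    wanted = set(regions)
    updated: list[dict] = []
    for src in sources:
        ids = list(src.get("AccountIds", []))
        if account_id in ids:
            if src.get("AllAwsRegions") or wanted <= set(src.get("AwsRegions", [])):
                return [dict(s) for s in sources]  # already covered: nothing to change
            ids.remove(account_id)  # listed with too few regions: re-added below
        if ids:
            updated.append({**src, "AccountIds": ids})
    # Join an existing source with exactly the wanted regions, else append a new one.
    for src in updated:
        if not src.get("AllAwsRegions") and set(src.get("AwsRegions", [])) == wanted:
            src["AccountIds"] = sorted(set(src["AccountIds"]) | {account_id})
            return updated
    updated.append({"AccountIds": [account_id], "AwsRegions": sorted(wanted)})
    return updated


def remove_account_from_sources(sources: list[dict], account_id: str) -> list[dict]:
    """Drop account_id from every source (stack Delete) and drop sources left empty."""
    updated = []
    for src in sources:
        ids = [a for a in src.get("AccountIds", []) if a != account_id]
        if ids:
            updated.append({**src, "AccountIds": ids})
    return updated


def sync_aggregator(config_client, aggregator_name: str, account_id: str,
                    regions: list[str], remove: bool = False) -> list[dict]:
    """Read the aggregator, merge, and write back only when the source list changed."""
    # config_client: boto3 Config client with credentials valid in the audit account
    # (assumption; the page does not describe how the Lambda obtains them).
    resp = config_client.describe_configuration_aggregators(ConfigurationAggregatorNames=[aggregator_name])
    agg = resp["ConfigurationAggregators"][0]
    if "OrganizationAggregationSource" in agg:  # guard: never overwrite an org-based aggregator
        raise ValueError(f"{aggregator_name} is organization-based; no account sources to merge")
    current = agg.get("AccountAggregationSources", [])
    desired = (remove_account_from_sources(current, account_id) if remove
               else add_account_to_sources(current, account_id, regions))
    if desired != current:  # PutConfigurationAggregator replaces the whole source list
        config_client.put_configuration_aggregator(
            ConfigurationAggregatorName=aggregator_name, AccountAggregationSources=desired)
    return desired
```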
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
- Verify the following AWS Config setups within the environment:
  - AWS Config is not enabled in the management account.
  - AWS Config Aggregator exists in the audit account.
  - AWS Config S3 bucket exists in the log archive account.
Choose a Deployment Method:
In the management account (home region), launch the AWS CloudFormation Stack using the template file as the source from one of the options below:
- Option 1: (Recommended) Use the sra-config-management-account-main-ssm.yaml template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.
  aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml --stack-name sra-config-management-account-main-ssm --capabilities CAPABILITY_NAMED_IAM
- Option 2: Use the sra-config-management-account-main.yaml template. Input is required for the CloudFormation parameters where the default values are not set.
  aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml --stack-name sra-config-management-account-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId=<AUDIT_ACCOUNT_ID> pConfigRegionsToEnable=<CONFIG_REGIONS_TO_ENABLE> pHomeRegion=<HOME_REGION> pLogArchiveAccountId=<LOG_ARCHIVE_ACCOUNT_ID> pOrganizationId=<ORGANIZATION_ID> pSRAStagingS3BucketName=<SRA_STAGING_S3_BUCKET_NAME>
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml --stack-name sra-config-management-account-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId=<AUDIT_ACCOUNT_ID> pConfigRegionsToEnable=<CONFIG_REGIONS_TO_ENABLE> pHomeRegion=<HOME_REGION> pLogArchiveAccountId=<LOG_ARCHIVE_ACCOUNT_ID> pOrganizationId=<ORGANIZATION_ID> pSRAStagingS3BucketName=<SRA_STAGING_S3_BUCKET_NAME>