When running your applications on AWS, the number of resources you use increases as the demand of your applications keeps growing. Eventually, keeping track of your AWS resources and the relationships between them becomes challenging from a governance perspective. AWS Config lets you more easily assess, audit, and evaluate the configurations of your AWS resources. It also lets you track the relationships among resources, troubleshoot resources misconfiguration, and continuously monitor and record the configuration changes of your resources.

The configuration recorder feature lets AWS Config automatically discover and store the configuration of the supported AWS resources in your account. In case there are changes on the configuration baseline, such as resources creation, update, and deletion, AWS Config notifies you with Amazon Simple Notification Service (SNS), so that you have full visibility over the state of your resources and the relationships among them. In addition, if you want to get notifications in the case that your resources don’t comply with your configuration settings, then you can use AWS Config rules. AWS Config provides conformance packs, with predefined or customized templates, to easily deploy a collection of rules and remediation actions at scale.

As your workloads expand in size and complexity, AWS recommends multi-region and multi-account deployments as a best practice. AWS Organizations lets you centrally manage and govern your highly distributed environments. Conformance packs are already integrated with AWS Organizations to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in a scalable way. As you can see on Deploy Conformance Packs across an Organization with Automatic Remediation, you can set it up from the AWS command-line interface (CLI), or by interacting directly with the AWS APIs.

This post walks you through a quicker and easier approach to enable AWS Config recorder, and deploy conformance packs across your organization using the new integration with AWS Systems Manager Quick Setup.

Solution overview

Quick Setup is an AWS Systems Manager feature that lets you configure and deploy AWS services quickly with the recommended best practices. This means you can instantly setup services in individual or across multiple AWS accounts and regions within your organization, created using AWS Organizations. Instead of writing your own scripts or AWS CloudFormation templates to configure AWS Config on your accounts, this solution lets you quickly create a configuration recorder and deploy conformance packs across multiple organizational units (OUs) and regions using the AWS best practices.

The following diagram shows a typical AWS Organization setup, with multiple organizational units containing different AWS accounts. It shows a management account where you centrally create a configuration recorder and deploy conformance packs from Systems Manager Quick Setup.

AWS Config aggregators collect configuration and compliance data from multiple accounts and regions. A delegated administrator account in an organization aggregates data from all of the member accounts in the organization. The delegated administrator account can create aggregators and deploy conformance packs in the member accounts without additional authorization. See Using delegated admin for AWS Config operations and aggregation to find the steps for creating a data aggregator in a delegated administer account in your organization.

Architecture diagram depicting how to use Systems Manager Quick Setup to create AWS Config configuration recorder, and deploy conformance packs in your Organizational Units from a central account

Figure 1: Target architecture diagram

Prerequisites

Before getting started, make sure you have the following prerequisites:

  • An organization with AWS Organizations. If you are not familiar with AWS Organizations terminology, refer to AWS Organizations terminology and concepts
  • Two or more organizational units (OUs)
  • One or more target AWS accounts in each OU
  • Access to the management account with privileges to manage the target accounts
  • One delegated administrator account for AWS Config

Setting up AWS Config recording with Quick Setup

Before we apply our conformance packs, we must enable AWS Config recording in all of the target member accounts. We can use Quick Setup to enable config recording for our desired OUs and regions. Follow these steps to set up AWS Config recording:

  1. In the Organization management account, select Quick Setup in the System Manager console. Choose Create, select Config Recording, and select Next.
  2. Under Configuration options, first we select the AWS resource types to which we want to track changes. We can simply track all changes to all resource types that are available in the target regions, or selectively choose the resource types that we want to track.
  3. Next, we configure the S3 bucket to use for the AWS Config delivery channel. We can specify an existing bucket or allow Quick Setup to create one for us.
  4. AWS Config can be configured to stream configuration changes and notifications to an SNS topic. Under Notification options, we can optionally select an existing SNS topic, let Quick Setup create one for us, or leave streaming notifications disabled.

The Configuration options screen displays options to select whether you want to target all the supported resources in the region, or only specific resource types. It also has options to select the delivery settings to a new S3 bucket, or to choose an existing one. On the bottom, the screen displays the SNS notification options.

Figure 2: Config recording – Configuration options

  1. Under Schedule, we define how often we want Quick Setup to remediate any changes if they differ from our above configuration options. The Default option applies the configuration once.

The schedule section allows you to choose the default schedule to apply configuration options only once, or select the custom option to apply configurations every day, every fortnight, every month, or disable it

Figure 3: Config recording – Schedule

  1. In the Targets section, choose whether to create the configuration recording on the entire organization, to specific organizational units (OUs), or the account you’re logged in to. If you choose Custom, then in the Target OUs section, select the check boxes of the OUs and Regions where you want to create the configuration recording.

Under the Targets section, you can select the option to apply the configurations on the entire organization, only on the current account, or select the custom option to choose which OUs and Regions Quick Setup will deploy the configurations

Figure 4: Config recording – Targets

  1. Select Create to apply the configuration. We are redirected to the details page which shows the current status of the deployment and refreshes automatically. Once all of the deployments are complete, we can continue to the next step of deploying conformance packs across the organization.

Screen displaying the status of the configuration's deployment to its targets.

Figure 5: Deployment status

Applying AWS Config Conformance Packs with Quick Setup

Now that we have enabled Config Recording in our target accounts, we can deploy Conformance packs to them. Follow these steps to apply conformance packs with Quick Setup:

  1. Select Quick Setup from the Systems Management console navigation and select Create. Under Choose a configuration type, select Conformance Packs and select
  2. Under Choose conformance packs, select up to five conformance packs that you would like to deploy to your organization. These include AWS-recommended operational best practices for specific services, AWS Well-Architected pillars, and compliance programs.

This screen displays the available options for conformance packs, including Operational Best Practices for S3, Operational Best Practices for AWS Well Architected Security Pillar, etc. On this screen you can select up to 5 options.

Figure 6: Conformance pack selection

  1. Similarly to the config recording, we can setup a schedule and target OUs and regions for conformance packs. Config recording setup, under Schedule, we can define how frequently we want Quick Setup to re-apply our configuration, to remediate any deviations from our defined configuration for Quick Setup conformance packs. For targets, we can roll the conformance packs out to the entire organization, the current account, or specific regions only.

Under the Targets section, you can select the option to deploy conformance packs on the entire organization, only on the current account, or select the custom option to choose which Regions Quick Setup will deploy the conformance packs.

Figure 7: Conformance pack targets

  1. Under Delegated administrator account, specify the account that will aggregate the config recordings across the organization. If your organization already has a delegated administrator account for AWS Config, then this account will be pre-filled in the configuration.

This screen displays the account ID registered as the delegated administrator account for AWS Config rules.

Figure 8: Delegated administrator account

  1. Select Create to begin the deployment of the selected conformance packs across your organization in the selected regions and accounts that you configured above. In the Summary, we we see a list of configuration options that are being rolled out to the accounts, as well as a real-time status of the deployment.

Screen displaying the conformance packs deployment status.

Figure 9: Conformance pack deployment status

The conformance packs are deployed to each member account in the organization. In the member account, and in the AWS Config console, the conformance pack is listed along with its current compliance status.

Screen displaying the conformance packs that have been deployed in a member account. Three of them are compliant, and one is noncompliant.

Figure 10: Conformance pack compliance status

Clicking the conformance pack name lets us drill into the specific Config Rules of the conformance pack and their compliance status.

This screen displays the config rules of a specific conformance pack. In this case, there are six rules, from which three are compliant and three are noncompliant.

Figure 11: Conformance pack rule compliance status

Conclusion

This post demonstrated how you can quickly and easily enable AWS Config recorder and deploy conformance packs on your multi-account organization using Systems Manager Quick Setup. From the management account, you can configure the accounts within your organizational units to detect changes in your resource configurations, capture those changes as configuration items, and manage the configuration compliance of your AWS resources at scale.

To further improve your organization governance and have visibility over the configurations deployed on all your accounts, refer to Set up an organization-wide aggregator in AWS Config using a delegated administrator account to learn how to deploy organization-wide resource data aggregation in a delegated admin account. Moreover, use the advanced query feature to query your entire AWS footprint from the management account. Doing this provides you and your security team with a simple way to set up and query resource configurations across your AWS environment.

About the author

Rafael Ramos

Rafael Ramos

Rafael is a Solutions Architect at AWS, where he helps ISVs on their journey to the cloud. He spent over 13 years working as a software developer, and is passionate about DevOps and serverless. Outside of work, he enjoys playing tabletop RPG, cooking and running marathons.

Categories: Management Tools