Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The AWS Config Control Tower Management Account Solution enables AWS Config in the Control Tower management account, and updates the AWS Config aggregator in the audit account accordingly. The AWS CloudFormation templates enabling AWS Config
used by AWS Control Tower for the member accounts was used as a reference for this solution. All resources that support tags are provided a tag keypair of sra-solution: sra-config-management-account.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can:
- Review changes in configurations and relationships between AWS resources.
- Dive into detailed resource configuration histories.
- Determine your overall compliance against the configurations specified in your internal guidelines.
An Aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:
- Multiple accounts and multiple regions.
- Single account and multiple regions.
- An organization in AWS Organizations and all the accounts in that organization which have AWS Config enabled.
AWS Config enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting. While an Aggregator lets you view the resource configuration and compliance data recorded in AWS Config across
accounts/regions.
- All resources are deployed via AWS CloudFormation as a
StackSetandStack Instancewithin the management account or a CloudFormationStackwithin a specific account. - The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation
StackSet. CloudFormation triggers the custom resource Lambda function on Create, Update, and Delete events. - For parameter details, review the AWS CloudFormation templates.
- The
AWS Config Delivery Channelcontinually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel. - The
AWS Config Recorderdescribes the AWS resource types for which AWS Config records configuration changes. - The configuration recorder stores the configurations of the supported resources in your account as configuration items.
- The AWS Config Recorder IAM role is deployed into the
management accountand it is assumed by AWS Config so that the recorder can detect changes in your resource configurations and capture these changes as configuration items.
- The AWS Lambda Function Role allows the AWS Lambda service to assume the role and perform actions defined in the attached IAM policies.
- This solution's Lambda function queries and updates the list of source accounts and regions being aggregated in the AWS Config Aggregator from the
audit account.
- An external deployment package is used in the AWS Lambda Function in the sra-config-management-account-update-aggregator.yaml template that contains the logic for querying and
updating the list of source accounts and regions being aggregated in the AWS Config Aggregator from the
audit account. - The function is triggered by CloudFormation Create, Update, and Delete events.
AWS Lambda Functionlogs are sent to a CloudWatch Log Group</aws/lambda/<LambdaFunctionName>to help with debugging and traceability of the actions performed.- By default the
AWS Lambda Functionwill create the CloudWatch Log Group with aRetention(Never expire) and the logs are encrypted with a CloudWatch Logs service managed encryption key. - Optional parameters are included to allow creating the CloudWatch Log Group, which allows setting
KMS Encryptionusing a customer managed KMS key and setting theRetentionto a specific value (e.g. 14 days).
The example solutions use Audit Account instead of Security Tooling Account to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the Audit Account can be determined from the SecurityAccountId parameter within the AWSControlTowerBP-BASELINE-CONFIG StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).
AWS Control Towercreates anAWS Config Aggregatorwithin the Audit Account for all accounts within theAWS Organization.- The
Lambda Functionwithin themanagement accountadds themanagement accountto the existingAWS Config Aggregator.
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
- Verify the following AWS Config setups within the environment:
- AWS Config is not enabled in the
management account. - AWS Config Aggregator exists in the
audit account. - AWS Config S3 bucket exists in the
log archive account.
- AWS Config is not enabled in the
Choose a Deployment Method:
In the management account (home region), launch the sra-config-management-account-main-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml --stack-name sra-config-management-account-main-ssm --capabilities CAPABILITY_NAMED_IAM