AWS Config Rules deployment from a centralised delegated admin AWS account
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
AWS Config provides AWS managed rules, which are predefined, customizable rules that AWS Config uses to evaluate whether your AWS resources comply with common best practices. For example, you could use a managed rule to quickly start assessing whether your Amazon Elastic Block Store (Amazon EBS) volumes are encrypted or whether specific tags are applied to your resources.
You can deploy these rules across all member accounts of an organization as an organization conformance pack. Organization conformance packs can only be created from the organization's management (master) account or from an account that has been registered as the delegated administrator for the AWS Config multi-account setup service; the rest of this post uses the delegated administrator approach.
Steps for registering a delegated administrator for AWS Config.
We will use the AWS CLI throughout.
1. Enable trusted access for the AWS Config multi-account setup service principal, using the management (master) account's credentials. The organization must have all features enabled for this to work:
aws organizations enable-aws-service-access --service-principal config-multiaccountsetup.amazonaws.com --profile master
[Note: "--profile master" selects the named profile in your AWS credentials file, commonly ~/.aws/credentials (or ~/.aws/config), that holds the management account's access key and secret key.]
2. Register the account that will act as the centralized account for Config rule deployment (replace the placeholder with its 12-digit account ID):
aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id acct-id-here --profile master
3. Confirm the registration; the account should appear in the DelegatedAdministrators list:
aws organizations list-delegated-administrators --service-principal config-multiaccountsetup.amazonaws.com --profile master
Now that we have the delegated admin account in place, we need the config conformance pack template which will be deployed across the member accounts.
Within each conformance pack template you can use one or more AWS Config rules and remediation actions. The rules can be AWS managed rules and/or AWS Config custom rules. AWS publishes sample conformance pack templates (the Operational Best Practices packs) in the awslabs/aws-config-conformance-packs repository on GitHub.
In our case we will use a template trimmed down to the following managed rules:
- iam-password-policy
- cloudtrail-enabled
- cloud-trail-encryption-enabled
- ec2-volume-inuse-check
- ebs-snapshot-public-restorable-check
- iam-user-no-policies-check
- iam-group-has-users-check
- guardduty-enabled-centralized
- s3-bucket-public-write-prohibited
- eip-attached
- ec2-ebs-encryption-by-default
- vpc-default-security-group-closed
config-rules.yaml:
Parameters:
  # The parameters marked "unused" are carried over from the full AWS sample pack;
  # no rule below references them. They are harmless but can be removed.
  AccessKeysRotatedParamMaxAccessKeyAge:  # unused
    Default: '90'
    Type: String
  AcmCertificateExpirationCheckParamDaysToExpiration:  # unused
    Default: '90'
    Type: String
  GuarddutyNonArchivedFindingsParamDaysHighSev:  # unused
    Default: '1'
    Type: String
  GuarddutyNonArchivedFindingsParamDaysLowSev:  # unused
    Default: '30'
    Type: String
  GuarddutyNonArchivedFindingsParamDaysMediumSev:  # unused
    Default: '7'
    Type: String
  IamPasswordPolicyParamMaxPasswordAge:
    Default: '90'
    Type: String
  IamPasswordPolicyParamMinimumPasswordLength:
    Default: '14'
    Type: String
  IamPasswordPolicyParamPasswordReusePrevention:
    Default: '24'
    Type: String
  IamPasswordPolicyParamRequireLowercaseCharacters:
    Default: 'TRUE'
    Type: String
  IamPasswordPolicyParamRequireNumbers:
    Default: 'TRUE'
    Type: String
  IamPasswordPolicyParamRequireSymbols:
    Default: 'TRUE'
    Type: String
  IamPasswordPolicyParamRequireUppercaseCharacters:
    Default: 'TRUE'
    Type: String
  IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:  # unused
    Default: '90'
    Type: String
  Ec2VolumeInuseCheckParamDeleteOnTermination:
    Default: 'TRUE'
    Type: String
Resources:
  IamPasswordPolicy:
    Properties:
      ConfigRuleName: iam-password-policy
      InputParameters:
        # Each Fn::If passes the parameter only when it is non-empty (see Conditions),
        # otherwise AWS::NoValue drops the key so the rule falls back to its default.
        MaxPasswordAge:
          Fn::If:
            - iamPasswordPolicyParamMaxPasswordAge
            - Ref: IamPasswordPolicyParamMaxPasswordAge
            - Ref: AWS::NoValue
        MinimumPasswordLength:
          Fn::If:
            - iamPasswordPolicyParamMinimumPasswordLength
            - Ref: IamPasswordPolicyParamMinimumPasswordLength
            - Ref: AWS::NoValue
        PasswordReusePrevention:
          Fn::If:
            - iamPasswordPolicyParamPasswordReusePrevention
            - Ref: IamPasswordPolicyParamPasswordReusePrevention
            - Ref: AWS::NoValue
        RequireLowercaseCharacters:
          Fn::If:
            - iamPasswordPolicyParamRequireLowercaseCharacters
            - Ref: IamPasswordPolicyParamRequireLowercaseCharacters
            - Ref: AWS::NoValue
        RequireNumbers:
          Fn::If:
            - iamPasswordPolicyParamRequireNumbers
            - Ref: IamPasswordPolicyParamRequireNumbers
            - Ref: AWS::NoValue
        RequireSymbols:
          Fn::If:
            - iamPasswordPolicyParamRequireSymbols
            - Ref: IamPasswordPolicyParamRequireSymbols
            - Ref: AWS::NoValue
        RequireUppercaseCharacters:
          Fn::If:
            - iamPasswordPolicyParamRequireUppercaseCharacters
            - Ref: IamPasswordPolicyParamRequireUppercaseCharacters
            - Ref: AWS::NoValue
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
    Type: AWS::Config::ConfigRule
  CloudTrailEnabled:
    Properties:
      ConfigRuleName: cloudtrail-enabled
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED
    Type: AWS::Config::ConfigRule
  CloudTrailEncryptionEnabled:
    Properties:
      ConfigRuleName: cloud-trail-encryption-enabled
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
    Type: AWS::Config::ConfigRule
  Ec2VolumeInuseCheck:
    Properties:
      ConfigRuleName: ec2-volume-inuse-check
      InputParameters:
        deleteOnTermination:
          Fn::If:
            - ec2VolumeInuseCheckParamDeleteOnTermination
            - Ref: Ec2VolumeInuseCheckParamDeleteOnTermination
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: EC2_VOLUME_INUSE_CHECK
    Type: AWS::Config::ConfigRule
  EbsSnapshotPublicRestorableCheck:
    Properties:
      ConfigRuleName: ebs-snapshot-public-restorable-check
      Source:
        Owner: AWS
        SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
    Type: AWS::Config::ConfigRule
  IamUserNoPoliciesCheck:
    Properties:
      ConfigRuleName: iam-user-no-policies-check
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::User
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
    Type: AWS::Config::ConfigRule
  IamGroupHasUsersCheck:
    Properties:
      ConfigRuleName: iam-group-has-users-check
      Scope:
        ComplianceResourceTypes:
          - AWS::IAM::Group
      Source:
        Owner: AWS
        SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
    Type: AWS::Config::ConfigRule
  GuarddutyEnabledCentralized:
    Properties:
      ConfigRuleName: guardduty-enabled-centralized
      Source:
        Owner: AWS
        SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
    Type: AWS::Config::ConfigRule
  S3BucketPublicWriteProhibited:
    Properties:
      ConfigRuleName: s3-bucket-public-write-prohibited
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
    Type: AWS::Config::ConfigRule
  EipAttached:
    Properties:
      ConfigRuleName: eip-attached
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::EIP
      Source:
        Owner: AWS
        SourceIdentifier: EIP_ATTACHED
    Type: AWS::Config::ConfigRule
  Ec2EbsEncryptionByDefault:
    Properties:
      ConfigRuleName: ec2-ebs-encryption-by-default
      Source:
        Owner: AWS
        SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
    Type: AWS::Config::ConfigRule
  VpcDefaultSecurityGroupClosed:
    Properties:
      ConfigRuleName: vpc-default-security-group-closed
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
    Type: AWS::Config::ConfigRule
Conditions:
  # Each condition is true when the matching parameter is non-empty.
  ec2VolumeInuseCheckParamDeleteOnTermination:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: Ec2VolumeInuseCheckParamDeleteOnTermination
  iamPasswordPolicyParamMaxPasswordAge:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: IamPasswordPolicyParamMaxPasswordAge
  iamPasswordPolicyParamMinimumPasswordLength:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: IamPasswordPolicyParamMinimumPasswordLength
  iamPasswordPolicyParamPasswordReusePrevention:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: IamPasswordPolicyParamPasswordReusePrevention
  iamPasswordPolicyParamRequireLowercaseCharacters:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: IamPasswordPolicyParamRequireLowercaseCharacters
  iamPasswordPolicyParamRequireNumbers:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: IamPasswordPolicyParamRequireNumbers
  iamPasswordPolicyParamRequireSymbols:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: IamPasswordPolicyParamRequireSymbols
  iamPasswordPolicyParamRequireUppercaseCharacters:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: IamPasswordPolicyParamRequireUppercaseCharacters
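A trimmed template like the one above is easy to get subtly wrong: a rule's Fn::If can point at a condition that was deleted, a Ref can name a parameter that no longer exists, and leftover parameters accumulate. Those mistakes only surface as a CREATE_FAILED status after the pack has been pushed to every member account. The following checker is an added example written for this post (not code from the article or from AWS); it works on the parsed template as a Python dict, so it needs no network access. The SAMPLE_TEMPLATE is a constructed cut-down template in the same shape as config-rules.yaml, with a dangling Fn::If and an unused parameter planted deliberately; the __main__ path assumes PyYAML is installed and that the template uses the long-form Fn::If/Ref syntax shown in the article (safe_load does not understand the !If/!Ref short tags).

```python
"""Offline sanity checks for a conformance pack template before it is deployed.

These catch what otherwise only shows up as CREATE_FAILED after deployment: a Ref to a
parameter that does not exist, an Fn::If that names an undefined condition, a resource
that is not an AWS::Config::ConfigRule, and (as warnings) parameters or conditions that
nothing references, which is what is left behind when a full sample pack is trimmed.
"""

# CloudFormation pseudo parameters that a template may Ref without declaring.
PSEUDO_PARAMETERS = {"AWS::NoValue", "AWS::AccountId", "AWS::Region", "AWS::Partition"}


def _collect(node, refs, conditions):
    """Recursively gather every Ref target and every Fn::If condition name under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                refs.add(value)
            elif key == "Fn::If" and isinstance(value, list) and value:
                conditions.add(value[0])
            _collect(value, refs, conditions)
    elif isinstance(node, list):
        for item in node:
            _collect(item, refs, conditions)


def lint_conformance_pack(template):
    """Return sorted findings prefixed ERROR:/WARN:; an empty list means the template is clean."""
    findings = []
    params = set(template.get("Parameters") or {})
    declared_conditions = set(template.get("Conditions") or {})
    resources = template.get("Resources") or {}
    if not resources:
        findings.append("ERROR: template has no Resources")

    refs, used_conditions = set(), set()
    for name, res in resources.items():
        if res.get("Condition"):  # resource-level Condition key also counts as a use
            used_conditions.add(res["Condition"])
        if res.get("Type") != "AWS::Config::ConfigRule":
            findings.append(f"ERROR: {name}: Type must be AWS::Config::ConfigRule, got {res.get('Type')!r}")
            continue
        props = res.get("Properties") or {}
        if "ConfigRuleName" not in props:
            findings.append(f"ERROR: {name}: missing Properties.ConfigRuleName")
        source = props.get("Source") or {}
        if "Owner" not in source or "SourceIdentifier" not in source:
            findings.append(f"ERROR: {name}: Source needs both Owner and SourceIdentifier")

    _collect(resources, refs, used_conditions)
    _collect(template.get("Conditions") or {}, refs, set())  # conditions Ref parameters too

    for ref in sorted(refs - params - PSEUDO_PARAMETERS - set(resources)):
        findings.append(f"ERROR: Ref to undefined parameter {ref!r}")
    for cond in sorted(used_conditions - declared_conditions):
        findings.append(f"ERROR: Fn::If uses undefined condition {cond!r}")
    for param in sorted(params - refs):
        findings.append(f"WARN: parameter {param!r} is never referenced")
    for cond in sorted(declared_conditions - used_conditions):
        findings.append(f"WARN: condition {cond!r} is never used")
    return sorted(findings)


# Constructed sample in the shape of the article's template: the MaxPasswordAge entry refers
# to a condition and a parameter that were never declared, and one parameter is unused.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "IamPasswordPolicyParamMinimumPasswordLength": {"Default": "14", "Type": "String"},
        "AccessKeysRotatedParamMaxAccessKeyAge": {"Default": "90", "Type": "String"},
    },
    "Conditions": {
        "iamPasswordPolicyParamMinimumPasswordLength": {
            "Fn::Not": [{"Fn::Equals": ["", {"Ref": "IamPasswordPolicyParamMinimumPasswordLength"}]}]},
    },
    "Resources": {
        "IamPasswordPolicy": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {
                "ConfigRuleName": "iam-password-policy",
                "InputParameters": {
                    "MinimumPasswordLength": {"Fn::If": [
                        "iamPasswordPolicyParamMinimumPasswordLength",
                        {"Ref": "IamPasswordPolicyParamMinimumPasswordLength"}, {"Ref": "AWS::NoValue"}]},
                    "MaxPasswordAge": {"Fn::If": [
                        "iamPasswordPolicyParamMaxPasswordAge",
                        {"Ref": "IamPasswordPolicyParamMaxPasswordAge"}, {"Ref": "AWS::NoValue"}]},
                },
                "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY"},
            },
        },
        "CloudTrailEnabled": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {"ConfigRuleName": "cloudtrail-enabled",
                           "Source": {"Owner": "AWS", "SourceIdentifier": "CLOUD_TRAIL_ENABLED"}},
        },
    },
}

if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, assumed installed; long-form Fn::If/Ref as in the article parses with safe_load
    with open(sys.argv[1]) as fh:
        for line in lint_conformance_pack(yaml.safe_load(fh)) or ["OK: no findings"]:
            print(line)
```

Run it as python lint_pack.py config-rules.yaml before uploading; on the article's template it reports only WARN lines for the six unreferenced parameters, which is the expected result of trimming the sample pack.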
The template can be stored locally or in an S3 bucket; here it is uploaded to an S3 bucket and referenced by URI (for a local file, pass --template-body file://config-rules.yaml instead of --template-s3-uri).
Now we are ready to deploy the conformance pack.
Use the delegated admin account's profile for this command:
aws configservice put-organization-conformance-pack --organization-conformance-pack-name="Config-Rules" --template-s3-uri="s3://mybucket/config-rules.yaml" --profile=delegated_admin
AWS Config must already be recording in every target account: the pack is created in each member account as a set of rules, and an account without a configuration recorder fails with a per-account error. Accounts you want to skip can be listed with --excluded-accounts.
The command returns immediately and the rollout continues in the background. Once it completes, open the Conformance packs page of the AWS Config console in the delegated admin account, or run aws configservice describe-organization-conformance-pack-statuses, and verify that the status is CREATE_SUCCESSFUL; get-organization-conformance-pack-detailed-status shows which individual accounts failed and why.
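The delegation steps earlier in the post and the deployment command above are both one-shot CLI calls; in practice you want them idempotent and you want to know which accounts the pack did not reach, rather than refreshing the console. The script below is an added example for this post (not code from the article or from AWS) using the boto3 equivalents of the same API calls: ensure_delegated_admin runs with the management account's credentials and only registers when the account is not already listed, deploy_pack runs with the delegated admin's credentials and polls until the pack reaches a terminal state, and failed_accounts pages through the per-account status to report failures (typically members with no Config recorder). boto3 is only imported on the __main__ path, which assumes the article's profile names master and delegated_admin, the same bucket URI, and a placeholder account ID; the two Fake* classes are constructed stand-ins for the real clients so the logic can be exercised offline.

```python
"""Delegate Config multi-account setup, deploy an organization conformance pack, and
report the per-account outcome. Mirrors the article's CLI steps via boto3."""
import time

CONFIG_SERVICE_PRINCIPAL = "config-multiaccountsetup.amazonaws.com"
TERMINAL_STATES = {"CREATE_SUCCESSFUL", "CREATE_FAILED", "UPDATE_SUCCESSFUL",
                   "UPDATE_FAILED", "DELETE_SUCCESSFUL", "DELETE_FAILED"}
DELEGATED_ADMIN_ACCOUNT = "111111111111"  # placeholder, replace with the real account ID


def ensure_delegated_admin(org, account_id):
    """Management-account side. Idempotent: returns True only if a new registration was made."""
    org.enable_aws_service_access(ServicePrincipal=CONFIG_SERVICE_PRINCIPAL)
    resp = org.list_delegated_administrators(ServicePrincipal=CONFIG_SERVICE_PRINCIPAL)
    if account_id in {admin["Id"] for admin in resp["DelegatedAdministrators"]}:
        return False
    org.register_delegated_administrator(AccountId=account_id,
                                         ServicePrincipal=CONFIG_SERVICE_PRINCIPAL)
    return True


def deploy_pack(config, name, template_s3_uri, poll_seconds=15, max_polls=80):
    """Delegated-admin side. Returns (pack_status, {account_id: error}) once the rollout settles."""
    config.put_organization_conformance_pack(OrganizationConformancePackName=name,
                                             TemplateS3Uri=template_s3_uri)
    status = "UNKNOWN"
    for _ in range(max_polls):
        statuses = config.describe_organization_conformance_pack_statuses(
            OrganizationConformancePackNames=[name])["OrganizationConformancePackStatuses"]
        status = statuses[0]["Status"]
        if status in TERMINAL_STATES:
            return status, failed_accounts(config, name)
        time.sleep(poll_seconds)
    raise TimeoutError(f"{name} still {status} after {max_polls} polls")


def failed_accounts(config, name):
    """Page through per-account status; a member without a Config recorder shows up here."""
    failed, token = {}, None
    while True:
        kwargs = {"OrganizationConformancePackName": name}
        if token:
            kwargs["NextToken"] = token
        resp = config.get_organization_conformance_pack_detailed_status(**kwargs)
        for item in resp["OrganizationConformancePackDetailedStatuses"]:
            if item["Status"].endswith("_FAILED"):
                failed[item["AccountId"]] = item.get("ErrorMessage") or item.get("ErrorCode", "unknown")
        token = resp.get("NextToken")
        if not token:
            return failed


class FakeOrganizations:
    """Constructed stand-in for the boto3 Organizations client; records calls instead of making them."""
    def __init__(self, existing):
        self.existing, self.registered, self.service_access = set(existing), [], []

    def enable_aws_service_access(self, ServicePrincipal):
        self.service_access.append(ServicePrincipal)

    def list_delegated_administrators(self, ServicePrincipal):
        return {"DelegatedAdministrators": [{"Id": i} for i in sorted(self.existing)]}

    def register_delegated_administrator(self, AccountId, ServicePrincipal):
        self.existing.add(AccountId)
        self.registered.append(AccountId)


class FakeConfig:
    """Constructed stand-in for the boto3 Config client: scripted pack statuses, paged detail."""
    def __init__(self, statuses, detailed, page_size=2):
        self.statuses, self.detailed, self.page_size, self.puts = list(statuses), detailed, page_size, []

    def put_organization_conformance_pack(self, **kwargs):
        self.puts.append(kwargs)
        return {"OrganizationConformancePackArn": "arn:aws:config:::fake"}

    def describe_organization_conformance_pack_statuses(self, OrganizationConformancePackNames):
        status = self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]
        return {"OrganizationConformancePackStatuses": [
            {"OrganizationConformancePackName": OrganizationConformancePackNames[0], "Status": status}]}

    def get_organization_conformance_pack_detailed_status(self, OrganizationConformancePackName, NextToken=None):
        start = int(NextToken or 0)
        resp = {"OrganizationConformancePackDetailedStatuses": self.detailed[start:start + self.page_size]}
        if start + self.page_size < len(self.detailed):
            resp["NextToken"] = str(start + self.page_size)
        return resp


# Constructed per-account detail in the shape the API returns; one member failed.
SAMPLE_DETAILED_STATUSES = [
    {"AccountId": "111111111111", "Status": "CREATE_SUCCESSFUL"},
    {"AccountId": "222222222222", "Status": "CREATE_FAILED", "ErrorCode": "ConstructedError",
     "ErrorMessage": "no configuration recorder in account (constructed)"},
    {"AccountId": "333333333333", "Status": "CREATE_SUCCESSFUL"},
]

if __name__ == "__main__":
    import boto3  # real run; profile names follow the article
    ensure_delegated_admin(boto3.Session(profile_name="master").client("organizations"), DELEGATED_ADMIN_ACCOUNT)
    print(deploy_pack(boto3.Session(profile_name="delegated_admin").client("config"),
                      "Config-Rules", "s3://mybucket/config-rules.yaml"))
```

Two profiles are deliberate: trusted access and delegated-administrator registration are Organizations calls that only the management account can make, while the conformance pack call must come from the delegated admin. Keep the two credential sets separate rather than running everything from the management account.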
This deployment also creates aggregators in the delegated admin account for the member accounts automatically, but each member account must accept the authorization request it receives (in the AWS Config console under Aggregators -> Authorization) before its data is collected.
Accounts that later join the organization are added to the aggregator automatically.
The Aggregators page in the delegated admin account then shows the compliance status of every account in the organization in one view.